exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SQLite 22 Bugs

SQLite 22 Bugs
Posted Apr 14, 2015
Authored by Michal Zalewski

SQLite has had 22 security bugs reported including stack buffer overflow and uninitialized memory vulnerabilities. Version 3.8.9 addresses these issues.

tags | advisory, overflow, vulnerability
SHA-256 | dfcb47d73272992e7252b26d33b182b0375b26d2dbe341b5d13c61cb13af7742

SQLite 22 Bugs

Change Mirror Download
SQLite is probably the most popular embedded database in use today; it
is also known for being very well-tested and robust.

Because of its versatility, SQLite sometimes finds use as the
mechanism behind SQL-style query APIs that are exposed between
privileged execution contexts and less-trusted code. One example of
this is the WebDB / WebSQL mechanism available in some browsers; in
this setting, vulnerabilities in the SQLite parser can open up the
platform to attacks.

Anyway, long story short, I recently reported around 22 bugs in the
query parser, including the use of uninitialized memory when parsing
collation sequences:

https://www.sqlite.org/src/info/eddc05e7bb31fae7

...and bad free():

https://www.sqlite.org/src/info/02e3c88fbf6abdcf

...and a stack buffer overflow:

http://www.sqlite.org/src/info/c494171f77dc2e5e

Since all the fixes are already public and the issues are fixed in
3.8.9, but there's no upstream advisory, I figured I'd drop a note
here; if you're relying on SQLite in a way mentioned earlier on, you
may want to upgrade. There are no CVEs assigned for any of the above.

The aforementioned three bugs aside, the remaining 19 issues are
probably less interesting. They depend on "privileged" commands (e.g.,
ATTACH), only have DoS potential, or corrupt nominally boring areas of
memory (say, http://www.sqlite.org/src/info/0cdf502885ea7e58). Some of
them may matter for escalating SQL injection to RCE. If you are
curious, you can check out docs/vuln_samples/sqlite_* shipping with
afl-fuzz for a complete set.

All of the above bugs were found with http://lcamtuf.coredump.cx/afl/
after spending around 30 minutes to set up the job.

Peace out,
/mz

...

PS. Here's another, unrelated bug that may not have had a CVEs. It
affects browser <video> handling (H.264):

https://github.com/FFmpeg/FFmpeg/commit/e8714f6f93d1a32f4e4655209960afcf4c185214

PPS. I haven't posted about this before, but here are three
recently-fixed issues affect PNG, JXR, and TIFF handling in MSIE,
leaking values from browser memory:

http://lcamtuf.blogspot.com/2015/03/another-round-of-image-bugs-png-and.html
http://lcamtuf.blogspot.com/2015/02/bi-level-tiffs-and-tale-of-unexpectedly.html

PPPS. Since we're on the topic of catching up, I would strongly advise
against using jxrlib, a Microsoft-developed open source library for
parsing JXR / HDP / WDP files (JPEG XR), a new image format supported
in Internet Explorer and Adobe Flash. It appears to have many
exploitable memory corruption errors that are discoverable with AFL. I
pinged them in December, but the maintainers weren't very responsive.
The bugs do not affect MSIE, since the OSS implementation appears to
be completely separate (huh). That said, they will affect ImageMagick
and similar programs if they are built with jxrlib support compiled
in. Since the library has fairly minimal install base, this note is
about as much effort as I think it warrants.

/mz
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close