Bug 1469672 (CVE-2017-10989)

Summary: CVE-2017-10989 sqlite: Heap-buffer overflow in the getNodeSize function
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alex, bmcclain, cfergeau, databases-maint, drizt72, eedri, erik-fedora, fedora-mingw, fedora, hhorak, jakub.dornak, lsurette, mgoldboi, michal.skrivanek, mschorm, pkubat, praiskup, rh-spice-bugs, rjones, sardella, srevivo, wilmer5, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 11:54:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1469677, 1469673, 1469674, 1469675, 1469676    
Bug Blocks: 1469678    

Description Andrej Nemec 2017-07-11 15:27:50 UTC
The getNodeSize function in ext/rtree/rtree.c in SQLite mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

References:

https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
http://marc.info/?l=sqlite-users&m=149933696214713&w=2

Upstream patch:

https://sqlite.org/src/info/66de6f4a

Comment 1 Andrej Nemec 2017-07-11 15:28:10 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1469674]
Affects: fedora-all [bug 1469676]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1469673]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1469677]
Affects: fedora-all [bug 1469675]

Comment 2 Petr Kubat 2017-07-12 07:09:36 UTC
This seems to only affect sqlite versions older than 3.17 as, according to the sqlite developers and the reporter of the Ubuntu bug, the issue has been indirectly fixed in version 3.17.

For later versions the patch serves only to detect the issue earlier and to provide the user with a more useful error message.