Bug 1659379 (CVE-2018-20346, CVE-2018-20505, CVE-2018-20506)
Summary: | CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abhgupta, agk, alex, databases-maint, dbaker, drizt72, erik-fedora, fedora, hhorak, huzaifas, itamar, jakub.dornak, jokerman, jshepherd, jstanek, justin, mschorm, nsl, omarandemad, pkubat, pmarciniak, praiskup, qguo, rjones, sthangav, trankin, wilmer5, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | Multiple flaws were found in sqlite. An attacker having the ability to run arbitrary SQL commands could use this flaw to execute arbitrary code with the permission of the user running the sqlite application. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-03-06 05:30:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1659677, 1659684, 1659907, 1659908 | ||
Bug Blocks: | 1658968 |
Description
Huzaifa S. Sidhpurwala
2018-12-14 08:24:31 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1659677]

*** Bug 1659363 has been marked as a duplicate of this bug. ***

Notes on exploitation:

The attacker needs to be able to execute arbitrary SQL statements in order to corrupt the databases and run arbitrary code as the user running sqlite applications. This is uncommon in applications; normally only administrative users are allowed to run SQL statements.

Chromium however exposes sqlite via WebSQL. This issue was addressed by Chromium 71.0.3578.80 via https://access.redhat.com/errata/RHSA-2018:3803

Mozilla Firefox uses sqlite only to store internal profile information, browsing history etc, therefore should not be exploitable remotely.

Also refer to: https://www.sqlite.org/security.html for sqlite >= 3.26.0

Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1659907]
Affects: fedora-all [bug 1659908]

External References:

https://access.redhat.com/articles/3758321
https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
https://blade.tencent.com/magellan/index_en.html

As a data point, the Magellan vulnerability may be applicable to the sqlite package in EL7 base too:

sqlite-3.7.17-8.el7.x86_64
sqlite-devel-3.7.17-8.el7.x86_64

The "attacker having the ability to run arbitrary SQL commands" concept seems a bit short sighted.

EL7 ships the sqlite-devel package, which means customers and users can build their own applications, which may or may not include the FTS3 module this bug occurs in.

The safest bet for customers is probably to back port the (fairly simple) upstream patch which fixes the problem, and release a SQLite 3.7.17-9. :)

https://www.sqlite.org/src/info/940f2adc8541a838

Note - I'm not aware if anyone has (yet) looked for the earliest affected SQLite version, to see where the bug was introduced. That would potentially be useful info too.

Thoughts?

(In reply to Justin Clift from comment #27)
> As a data point, the Magellan vulnerability may be applicable to the sqlite
> package in EL7 base too:
>
> sqlite-3.7.17-8.el7.x86_64
> sqlite-devel-3.7.17-8.el7.x86_64
>
> The "attacker having the ability to run arbitrary SQL commands" concept
> seems a bit short sighted.
>

Analysis of these kinds of flaws normally assumes that standard security practices are followed. For example, if you look at browsers, chromium/chrome is only affected because it exposes a vector, i.e. WebSQL.

> EL7 ships the sqlite-devel package, which means customers and users can
> build their own applications, which may or may not include the FTS3 module
> this bug occurs in.
>

Again we assume that these applications are doing the right thing security wise. If insecure programming practices are followed, the underlying libraries cannot be blamed :)

> The safest bet for customers is probably to back port the (fairly simple)
> upstream patch which fixes the problem, and release a SQLite 3.7.17-9. :)
>

See https://bugzilla.redhat.com/show_bug.cgi?id=1659379#c29 . RHEL-7 isn't really affected. Also if you look at the patch you mentioned below, it does not prevent corruption of internal databases, it just ensures that the corruption of databases cannot lead to arbitrary code execution.

> https://www.sqlite.org/src/info/940f2adc8541a838
>
> Note - I'm not aware if anyone has (yet) looked for the earliest affected
> SQLite version, to see where the bug was introduced. That would potentially
> be useful info too.
>
> Thoughts?

I hope this answers your questions, feel free to open a support ticket if you are a Red Hat customer!

This was assigned CVE-2018-20346.

Statement:

This flaw does not affect the versions of sqlite package shipped with Red Hat Enterprise Linux 5, 6 and 7.

This flaw in sqlite can be exploited by attackers only if they are able to run arbitrary SQL statements on the sqlite database.

For more information please see https://bugzilla.redhat.com/show_bug.cgi?id=1659379#c12