Bug 1708301 (CVE-2019-5018)
| Summary: | CVE-2019-5018 sqlite: Use-after-free in window function leading to remote code execution | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | alex, databases-maint, drizt72, erik-fedora, fedora, itamar, jstanek, mschorm, nobody+pnasrat, odubaj, pahan, pkubat, praiskup, rh-spice-bugs, rjones, wilmer5 |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | sqlite 3.28.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 02:21:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1721509, 1784431 | | |
| Bug Blocks: | 1720587 | | |
Description
Marian Rehak
2019-05-09 14:41:00 UTC
According to https://www.sqlite.org/windowfunctions.html, window functions were first added to SQLite with upstream release version 3.25.0 (2018-09-15).

Upstream patch: https://www.sqlite.org/src/info/1e16d3e8fc60d39c

The expression Expr representing the Window function is deleted in selectWindowRewriteExprCb(), during the rewrite of the Window statement. During the deletion of a Window, which happens in sqlite3WindowDelete(), the pPartition list is deleted as well, but it is re-used shortly after, in function sqlite3WindowRewrite(). This causes a use-after-free, which could be abused by an attacker to execute code on the system.

Setting Impact to Moderate as this flaw requires the attacker to already have access to the database in such a way as to perform custom queries (e.g. either directly or from a SQL injection in an application). This means the attacker could already extract data from the database or destroy them.

Statement: This issue did not affect the versions of sqlite as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for Window functions.

Based on the tags on the upstream commit, this was fixed in the upstream version 3.28.0: https://github.com/sqlite/sqlite/commit/4ded26a53c4df312e9fd06facbbf70377e969983

Created sqlite tracking bugs for this issue:

Affects: fedora-30 [bug 1784431]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5018
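The report gives the whole exposure picture in three facts: window functions arrived in upstream 3.25.0, the use-after-free was fixed in upstream 3.28.0, and builds without window-function support (the sqlite shipped with RHEL 5, 6 and 7) are not affected. The screening check below turns those facts into code. It is an added example, not part of the bug report or of the SQLite project; the helper names `assess`, `probe_window_functions` and `assess_linked_library` and the version constants are assumptions made for this example. The probe matters because a version string alone does not say whether window functions were compiled in. The converse caveat also applies: the RHEL 8 fix shipped as an erratum (RHSA-2020:4442), and a distribution package can carry a backported fix without its upstream version changing, so treat an "affected" verdict from the version comparison as a prompt to check the package's errata, not as a final answer.

```python
"""Screening check for CVE-2019-5018 exposure.

Added example; not code from the bug report or from SQLite. The version
boundaries come from the report: window functions appeared in 3.25.0 and
the use-after-free was fixed in 3.28.0. The helper names are hypothetical.
"""
import sqlite3

# Upstream release that introduced window functions (per the report).
WINDOW_FUNCTIONS_INTRODUCED = (3, 25, 0)
# Upstream release carrying the fix (per the report's "Fixed In Version").
FIXED_IN = (3, 28, 0)


def assess(version_info, window_functions_supported):
    """Classify a SQLite build from its upstream version and feature presence.

    Returns 'not affected', 'affected' or 'fixed'. A build with no
    window-function support cannot reach the vulnerable rewrite path, so it
    is 'not affected' regardless of version (the RHEL 5/6/7 case).
    """
    if not window_functions_supported:
        return "not affected"
    if tuple(version_info) < WINDOW_FUNCTIONS_INTRODUCED:
        return "not affected"
    if tuple(version_info) < FIXED_IN:
        return "affected"
    return "fixed"


def probe_window_functions(conn=None):
    """Return True if the linked SQLite accepts an OVER clause at all.

    A window-capable build parses the statement. An older build, or one
    compiled with SQLITE_OMIT_WINDOWFUNC, rejects it with OperationalError
    (either a syntax error at '(' or 'no such function: row_number').
    """
    own_connection = conn is None
    if own_connection:
        conn = sqlite3.connect(":memory:")
    try:
        conn.execute("SELECT row_number() OVER () FROM (SELECT 1)")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        if own_connection:
            conn.close()


def assess_linked_library():
    """Screen the SQLite library this Python interpreter is linked against.

    Returns (version_string, verdict). The verdict is a screening result
    only: a distribution may backport the fix without bumping the version.
    """
    version = tuple(sqlite3.sqlite_version_info)
    return sqlite3.sqlite_version, assess(version, probe_window_functions())


if __name__ == "__main__":
    version_string, verdict = assess_linked_library()
    print(f"SQLite {version_string}: {verdict} (screening only; check vendor errata)")
```

Run it inside the interpreter or virtual environment that the application actually uses, since embedded copies of SQLite (language runtimes, browsers, bundled libraries) are screened independently of the system package.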