Bug 1708301 (CVE-2019-5018)

Summary: CVE-2019-5018 sqlite: Use-after-free in window function leading to remote code execution
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alex, databases-maint, drizt72, erik-fedora, fedora, itamar, jstanek, mschorm, nobody+pnasrat, odubaj, pahan, pkubat, praiskup, rh-spice-bugs, rjones, wilmer5
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sqlite 3.28.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:21:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1721509, 1784431    
Bug Blocks: 1720587    

Description Marian Rehak 2019-05-09 14:41:00 UTC 
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
Comment 3 Riccardo Schirone 2019-06-14 13:22:42 UTC 
According to https://www.sqlite.org/windowfunctions.html window functions was first added to SQLite with upstream release version 3.25.0 (2018-09-15).
Comment 4 Riccardo Schirone 2019-06-18 09:03:45 UTC 
Upstream patch:
https://www.sqlite.org/src/info/1e16d3e8fc60d39c
Comment 8 Riccardo Schirone 2019-06-18 10:21:48 UTC 
The expression Expr representing the Window function is deleted in selectWindowRewriteExprCb(), during the rewrite of the Window statement. During the deletion of a Window, which happens in sqlite3WindowDelete(), the pPartition list is deleted as well, but it is re-used shortly after, in function sqlite3WindowRewrite(). This causes a use-after-free, which could be abused by an attacker to execute code on the system.
Comment 9 Riccardo Schirone 2019-06-18 12:28:32 UTC 
Setting Impact to Moderate as this flaw requires the attacker to already have access to the database in such a way to perform custom queries (e.g. either directly or from a SQL injection in an application). This means the attacker could already extract data from the database or destroy them.
Comment 10 Riccardo Schirone 2019-06-18 12:30:36 UTC 
Statement:

This issue did not affect the versions of sqlite as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for Window functions.
Comment 12 Tomas Hoger 2019-12-17 12:27:17 UTC 
Based on the tags on the upstream commit, this was fixed in the upstream version 3.28.0:

https://github.com/sqlite/sqlite/commit/4ded26a53c4df312e9fd06facbbf70377e969983
Comment 13 Tomas Hoger 2019-12-17 12:27:38 UTC 
Created sqlite tracking bugs for this issue:

Affects: fedora-30 [bug 1784431]
Comment 14 errata-xmlrpc 2020-11-04 00:59:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442
Comment 15 Product Security DevOps Team 2020-11-04 02:21:21 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-5018