Bug 1778867 (CVE-2019-19242)

Summary: CVE-2019-19242 sqlite: SQL injection in sqlite3ExprCodeTarget in expr.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: databases-maint, drizt72, erik-fedora, fedora, itamar, mbenatto, mschorm, odubaj, pkubat, praiskup, rh-spice-bugs, rjones, wilmer5
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-13 08:33:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1778868, 1778869, 1778870, 1786655, 1787039
Bug Blocks: 1778871

Description Guilherme de Almeida Suckevicz 2019-12-02 17:09:27 UTC
SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.

Reference and upstream commit:
https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c

Comment 1 Guilherme de Almeida Suckevicz 2019-12-02 17:09:50 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1778870]
Affects: fedora-all [bug 1778869]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1778868]

Comment 7 Marco Benatto 2019-12-30 13:57:23 UTC
There's an issue with SQLite when using a generated column which is evaluated to a constant value as an index for a table. When evaluating the SQL expression containing a join clause referencing the generated column, an internal field representing the tables involved in the join is set to NULL. However, due to an error in the logic used during expression evaluation, the same field is further dereferenced, leading to a NULL pointer dereference. An attack may leverage this flaw to cause DoS.

The Attack Complexity may be considered high as the attack needs to triage the existence of a table with such a schema, a query with the aspects mentioned above, and a way to trigger it. The availability impact when an attack is successful may be considered High.

Comment 9 Ondrej Dubaj 2021-04-15 12:11:25 UTC
Please, can you provide a reproducer for this issue? There is a problem with backporting the fix.

Thank you

Comment 13 Product Security DevOps Team 2021-05-13 08:33:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19242

Comment 14 Product Security DevOps Team 2021-05-13 14:33:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19242