Bug 1809315 (CVE-2020-9327)

Summary: CVE-2020-9327 sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: alex, databases-maint, drizt72, erik-fedora, fedora, itamar, jstanek, mschorm, nobody+pnasrat, odubaj, pkubat, praiskup, rh-spice-bugs, rjones, wilmer5
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference was found in SQLite in the way it executes select statements with column optimizations. An attacker who is able to execute SQL statements can use this flaw to crash the application.
Story Points: ---
Last Closed: 2020-11-04 02:24:33 UTC
Type: ---
Regression: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1809316, 1809317, 1816572, 1840141
Bug Blocks: 1809318

Description Guilherme de Almeida Suckevicz 2020-03-02 20:24:10 UTC
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

References:
https://www.sqlite.org/cgi/src/info/4374860b29383380
https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e
https://www.sqlite.org/cgi/src/info/abc473fb8fb99900

Comment 1 Guilherme de Almeida Suckevicz 2020-03-02 20:24:34 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1809316]

Created sqlite3 tracking bugs for this issue:

Affects: fedora-all [bug 1809317]

Comment 2 Riccardo Schirone 2020-03-24 09:33:31 UTC
In some cases it is possible for a SQL expression to cause a NULL pointer dereference in impliesNotNullRow() in expr.c, when the pTab field of a pLeft (or pRight) expression of a node is set to 0. This may happen in functions whereIndexExprTransColumn() and whereIndexExprTransNode() in wherecode.c. An attacker would need to have a level of access that allows him to write particular SQL expressions to trigger this flaw, leading to a denial of service.

Comment 5 Riccardo Schirone 2020-03-24 09:57:36 UTC
The version of SQLite as shipped in Red Hat Enterprise Linux 7 has different code compared to the vulnerable versions and the same flaw does not seem to be present there. In particular, there is no function impliesNotNullRow() or similar.

Comment 6 Guilherme de Almeida Suckevicz 2020-05-26 13:05:23 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1840141]

Comment 7 errata-xmlrpc 2020-11-04 01:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442

Comment 8 Product Security DevOps Team 2020-11-04 02:24:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9327