Bug 1824185 (CVE-2020-11656)

Summary: CVE-2020-11656 sqlite: use-after-free in the ALTER TABLE implementation
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alex, bazanluis20, databases-maint, drizt72, erik-fedora, fedora, itamar, jstanek, mschorm, nobody+pnasrat, odubaj, pkubat, praiskup, rh-spice-bugs, rjones, tcallawa, wilmer5
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-17 05:16:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1824186, 1824187, 1824188, 1824189, 1840138    
Bug Blocks: 1824191    

Description Guilherme de Almeida Suckevicz 2020-04-15 14:00:24 UTC 
In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

Reference and upstream commit:
https://www.sqlite.org/src/info/d09f8c3621d5f7f8
https://www3.sqlite.org/cgi/src/info/b64674919f673602
Comment 1 Guilherme de Almeida Suckevicz 2020-04-15 14:01:01 UTC 
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1824187]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1824186]
Affects: fedora-all [bug 1824188]


Created sqlite3 tracking bugs for this issue:

Affects: fedora-all [bug 1824189]
Comment 2 Huzaifa S. Sidhpurwala 2020-04-17 05:15:14 UTC 
Statement:

As per the upstream bug at https://www.sqlite.org/src/info/4722bdab08cb1 the flaw is in the error checking routine which is triggered only in debug builds. In release builds this is a no-op and therefore release builds are non-vulnerable. Red Hat packages are not vulnerable to this flaw (because we dont ship debug builds)
Comment 3 Guilherme de Almeida Suckevicz 2020-05-26 13:00:11 UTC 
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1840138]