Bug 1841223 (CVE-2020-13434)

Summary: CVE-2020-13434 sqlite: integer overflow in sqlite3_str_vappendf function in printf.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alex, databases-maint, drizt72, erik-fedora, fedora, itamar, mschorm, odubaj, pkubat, praiskup, rh-spice-bugs, rjones, wilmer5
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: sqlite 3.32.1
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw was found in the SQLite implementation of the printf() function. This flaw allows an attacker who can control the precision of floating-point conversions to crash the application, resulting in a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 14:33:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1841224, 1841225, 1841226, 1841227, 1845843, 1845851
Bug Blocks: 1841236

Description Guilherme de Almeida Suckevicz 2020-05-28 16:41:33 UTC
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

References and upstream commit:
https://www.sqlite.org/src/info/23439ea582241138
https://www.sqlite.org/src/info/d08d3405878d394e

Comment 1 Guilherme de Almeida Suckevicz 2020-05-28 16:42:06 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841225]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841227]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1841224]
Affects: fedora-all [bug 1841226]

Comment 5 Mauro Matteo Cascella 2020-06-10 09:05:10 UTC
Statement:

This flaw did not affect the versions of SQLite as shipped with Red Hat Enterprise Linux 7 as they did not include support for the printf() function, which was introduced in a later version of the package.

Comment 6 Mauro Matteo Cascella 2020-06-10 09:07:22 UTC
printf() was introduced in SQLite upstream version 3.8.3 via the following commit:
  -> https://github.com/sqlite/sqlite/commit/a5c1416d64b4b857721f085258b6ef1dcaeb6f5b

Comment 7 Mauro Matteo Cascella 2020-06-10 20:26:45 UTC
Under some circumstances, when performing floating-point conversions it is possible to cause an integer overflow in the SQL printf() function, resulting in a stack-based buffer overflow. Consider the following excerpt from sqlite3_str_vappendf() in printf.c:

```c
char *bufpt;               /* Pointer to the conversion buffer */
char buf[etBUFSIZE];       /* Conversion buffer, etBUFSIZE == 70 */
...
bufpt = buf;
...
if( exp<-4 || exp>precision ){
  xtype = etEXP;
}else{
  precision = precision - exp;
  xtype = etFLOAT;
}
...
/* Size of a temporary buffer needed */
szBufNeeded = MAX(e2,0)+(i64)precision+(i64)width+15;
if( szBufNeeded > etBUFSIZE ){
  ...
}
...
/* Significant digits after the decimal point */
while( (precision--)>0 ){
  *(bufpt++) = et_getdigit(&realvalue,&nsd);
}
```

A format string can be crafted so that precision == 2147483646 and exp == -2. This causes an integer overflow on the precision variable (due to 2147483646-(-2) = 2147483648 = 0x80000000) leading to the computation of a negative buffer size. In turn, this leads to the overflow of the conversion buffer. Note that the conversion buffer is incrementally populated with the ASCII code of the digits after the decimal point (up to the 16th digit, after which '0' is always returned).

Comment 8 Mauro Matteo Cascella 2020-06-11 09:22:33 UTC
SQLite provides the compile-time option SQLITE_PRINTF_PRECISION_LIMIT to protect against similar attacks. Note that the versions of SQLite as shipped with Red Hat Enterprise Linux 7 and 8 were *not* compiled with that preprocessor option.
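Added example, written for this bug page and not taken from SQLite or from the upstream fix commits linked in the description: it models the arithmetic that Comment 7 walks through (the 32-bit "precision = precision - exp" followed by the szBufNeeded check against the 70-byte stack buffer) and, next to it, the kind of 64-bit, limit-checked adjustment that a build-time precision cap like the one named in Comment 8 provides. etBUFSIZE, e2, width and the MAX() expression come from the excerpt in Comment 7; PRECISION_LIMIT, wrap32() and the other function names are illustrative choices, and the inputs in main() are the precision/exp pair Comment 7 gives plus a constructed benign pair.

```c
#include <stdint.h>
#include <stdio.h>

#define etBUFSIZE 70                 /* stack conversion buffer size from the excerpt */
#define MAX(a,b) ((a)>(b)?(a):(b))
#define PRECISION_LIMIT 100000       /* illustrative cap standing in for a build-time
                                        precision limit; not SQLite's default value */

/* Reduce a 64-bit value to the 32-bit two's-complement value an overflowed
 * int would hold, without performing the (undefined) signed overflow itself. */
static int32_t wrap32(int64_t v){
  uint32_t u = (uint32_t)(uint64_t)v;          /* well defined: reduction modulo 2^32 */
  if( u <= (uint32_t)INT32_MAX ) return (int32_t)u;
  return (int32_t)(u - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Vulnerable model of "precision = precision - exp" with 32-bit operands. */
int vuln_adjust_precision(int precision, int exp){
  return wrap32((int64_t)precision - (int64_t)exp);
}

/* szBufNeeded from the excerpt, with the (already adjusted) precision widened to i64. */
int64_t sz_buf_needed(int e2, int64_t precision, int width){
  return MAX(e2,0) + precision + (int64_t)width + 15;
}

/* Returns 1 when the 32-bit subtraction wrapped negative and, as a result,
 * the excerpt's size check lets the 70-byte stack buffer stay in use even
 * though a huge number of digits was requested. Returns 0 when the etEXP
 * branch is taken, when no wrap occurs, or when a larger buffer would be
 * requested anyway. */
int vuln_size_check_bypassed(int precision, int exp, int e2, int width){
  int adjusted;
  if( exp<-4 || exp>precision ) return 0;          /* etEXP path: no subtraction */
  adjusted = vuln_adjust_precision(precision, exp);
  return adjusted < 0 && sz_buf_needed(e2, adjusted, width) <= etBUFSIZE;
}

/* Hardened model: validate the requested precision, subtract in 64 bits and
 * reject anything over the limit before any buffer sizing happens.
 * Returns the adjusted precision, or -1 if the request is rejected. */
int64_t safe_adjust_precision(int precision, int exp){
  int64_t adjusted;
  if( precision<0 || precision>PRECISION_LIMIT ) return -1;
  adjusted = (int64_t)precision - (int64_t)exp;
  if( adjusted<0 || adjusted>PRECISION_LIMIT ) return -1;
  return adjusted;
}

int main(void){
  int precision = 2147483646, exp = -2;            /* the pair from Comment 7 */
  printf("wrapped precision      : %d\n", vuln_adjust_precision(precision, exp));
  printf("size check bypassed    : %d\n", vuln_size_check_bypassed(precision, exp, 0, 0));
  printf("hardened, same input   : %lld\n", (long long)safe_adjust_precision(precision, exp));
  printf("hardened, benign input : %lld\n", (long long)safe_adjust_precision(6, -2));
  return 0;
}
```

The point the model makes is that the size check is not wrong in itself; it is fed a value that has already wrapped, so any fix has to act on the precision before the subtraction (wider arithmetic plus an upper bound), not on szBufNeeded afterwards. Whether a given binary carries such a bound is a build property, which is why Comment 8 matters for RHEL 7 and 8 builds shipped without SQLITE_PRINTF_PRECISION_LIMIT.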

Comment 9 errata-xmlrpc 2021-05-18 13:21:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1581 https://access.redhat.com/errata/RHSA-2021:1581

Comment 10 errata-xmlrpc 2021-05-18 13:27:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1581 https://access.redhat.com/errata/RHSA-2021:1581

Comment 11 Product Security DevOps Team 2021-05-18 14:33:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13434

Comment 12 errata-xmlrpc 2021-05-18 16:30:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1968 https://access.redhat.com/errata/RHSA-2021:1968