Bug 1924886 (CVE-2021-20227)
Summary: | CVE-2021-20227 sqlite: potential use-after-free bug when processing a subquery with both a correlated WHERE clause and a "HAVING 0" clause and where the parent query is an aggregate | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Todd Cullum <tcullum> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | databases-maint, drizt72, erik-fedora, fedora, itamar, mschorm, odubaj, pkubat, praiskup, rh-spice-bugs, rjones, wilmer5 |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sqlite 3.34.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-27 17:32:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1924905, 1924906, 1924914, 1924915 | ||
Bug Blocks: | 1919824 |
Description
Todd Cullum
2021-02-03 20:10:19 UTC
Technical summary: From [1]: "The WHERE clause (a=2), uses an aggregate column from the outer query. If the HAVING term (0) is moved into the WHERE clause in this case, SQLite would at one point optimize (a=2 AND 0) to simply (0). Which is logically correct, but happened to cause problems in aggregate processing for the outer query." To ensure that the condition HAVING 0 is considered, the upstream patch adds the ExprAlwaysFalse(pExpr)==0 check to the if statement before the business logic in havingToWhereExprCb() in file src/select.c. This flaw could allow an attacker who has permission to run SQL queries on the sqlite database to cause a denial of service, or possibly code execution if they are able to control the re-used memory. This flaw has been marked Moderate because in order to run such a query, a user would need to already have access to query the data in the database. 1. https://sqlite.org/src/info/30a4c323650cc949 External References: https://www.sqlite.org/releaselog/3_34_1.html Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Created mingw-sqlite tracking bugs for this issue: Affects: fedora-all [bug 1924915] Created sqlite tracking bugs for this issue: Affects: fedora-all [bug 1924914] Statement: SQLite as shipped in Red Hat Enterprise Linux 6, 7 and 8 is not affected by this flaw as the code was introduced in a newer version of SQLite than that shipped. This flaw has been marked Moderate because in order to run such a query, a user would need to already have access to query the data in the database. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20227 |