Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1212357 - (CVE-2015-3416) CVE-2015-3416 sqlite: stack buffer overflow in src/printf.c
CVE-2015-3416 sqlite: stack buffer overflow in src/printf.c
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150331,repor...
: Security
Depends On: 1212360 1244727 1244728 1244731 1244732
Blocks: 1212358
  Show dependency treegraph
 
Reported: 2015-04-16 05:17 EDT by Vasyl Kaigorodov
Modified: 2015-11-05 04:13 EST (History)
10 users (show)

See Also:
Fixed In Version: SQLite 3.8.9
Doc Type: Bug Fix
Doc Text:
It was found that SQLite's sqlite3VXPrintf() function did not properly handle precision and width values during floating-point conversions. A local attacker could submit a specially crafted SELECT statement that would crash the SQLite process, or have other unspecified impacts.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-17 08:36:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Backported upstream patch for RHEL7 (4.67 KB, patch)
2015-07-03 07:25 EDT, Jan Staněk
no flags Details | Diff
Backported upstream patch for RHEL6 (6.46 KB, patch)
2015-07-24 08:11 EDT, Viktor Jancik
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1634 normal SHIPPED_LIVE Moderate: sqlite security update 2015-08-17 10:14:29 EDT
Red Hat Product Errata RHSA-2015:1635 normal SHIPPED_LIVE Moderate: sqlite security update 2015-08-17 11:44:43 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-04-16 05:17:40 EDT
Stack buffer overflow was fixed in SQLite 3.8.9:

http://www.sqlite.org/src/info/c494171f77dc2e5e

More information about this issue can be found in the links below:
http://www.securityfocus.com/archive/1/535269
http://lcamtuf.blogspot.fr/2015/04/finding-bugs-in-sqlite-easy-way.html
Comment 1 Vasyl Kaigorodov 2015-04-16 05:20:45 EDT
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1212360]
Comment 2 Fedora Update System 2015-04-22 18:46:09 EDT
spatialite-tools-4.2.0-10.fc21, sqlite-3.8.9-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-04-23 12:09:11 EDT
spatialite-tools-4.2.0-10.fc22, sqlite-3.8.9-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-04-26 08:56:50 EDT
spatialite-tools-4.1.1-12.fc20, sqlite-3.8.9-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Vasyl Kaigorodov 2015-04-28 09:38:03 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2015-3416 to
the following vulnerability:

Name: CVE-2015-3416
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416
Assigned: 20150424
Reference: http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does
not properly handle precision and width values during floating-point
conversions, which allows context-dependent attackers to cause a
denial of service (integer overflow and stack-based buffer overflow)
or possibly have unspecified other impact via large integers in a
crafted printf function call in a SELECT statement.
Comment 7 Jan Staněk 2015-07-03 07:25:45 EDT
Created attachment 1045827 [details]
Backported upstream patch for RHEL7

Backported compound patch from upstream [1], including new automated tests for the issues.

[1] https://www.sqlite.org/src/info/aeca95ac77f6f320
Comment 12 Viktor Jancik 2015-07-24 08:11:26 EDT
Created attachment 1055707 [details]
Backported upstream patch for RHEL6
Comment 13 Viktor Jancik 2015-07-24 08:20:35 EDT
Comment on attachment 1055707 [details]
Backported upstream patch for RHEL6

Backport of upstream patch: https://www.sqlite.org/src/info/aeca95ac77f6f320

The added tests had to be modified, because the expected values weren't in line with the functionality of sqlite-3.6.20.

However, the memory buffer overflows do get fixed. Without the patch, the tests don't finish or end with a segmentation fault. After the patch, the tests always produce an output.

After communication with upstream on sqlite-users@mailinglists.sqlite.org, these changes were justified by their response.

Quote:
On 7/24/15, Viktor Jancik <vjancik@redhat.com> wrote:
> What about these tests?
>
> do_test printf-1.17.1 {
>   sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1
> } {}
> do_test printf-1.17.2 {
>   sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1
> } {}
> do_test printf-1.17.3 {
>   sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1
> } {abd: 1 1}
> do_test printf-2.1.2.10 {
>   sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
> } {abc: }
> do_test printf-3.7 {
>   sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the
> string}
> } []
> do_test printf-3.8 {
>   sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the
> string}
> } {1 A String: (This is the string)}
> do_test printf-3.9 {
>   sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the
> string}
> } {1 A String: (This is the string)}
> do_test printf-13.7 {
>   sqlite3_mprintf_hexdouble %2147483648.10000f 4693b8b5b5056e17
> } {/100000000000000000000000000000000.00/}
>
> Why are 1.17.3, 3.8, 3.9, 13.7 not getting shot down, while the rest are?
>

The behavior with oversized precisions and widths is arbitrary.  I
think the point of the tests is to show that there are no memory
errors or assertion faults.
-- 
D. Richard Hipp
drh@sqlite.org
Comment 14 errata-xmlrpc 2015-08-17 06:14:40 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1634 https://rhn.redhat.com/errata/RHSA-2015-1634.html
Comment 15 errata-xmlrpc 2015-08-17 07:45:18 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1635 https://rhn.redhat.com/errata/RHSA-2015-1635.html

Note You need to log in before you can comment on or make changes to this bug.