Bug 1469672 - CVE-2017-10989 sqlite: Heap-buffer overflow in the getNodeSize function
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20170706,reported=2...
Keywords: Security
Depends On: 1469674 1469675 1469676 1469677 1469673
Blocks: 1469678
Reported: 2017-07-11 11:27 EDT by Andrej Nemec
Modified: 2017-09-12 11:33 EDT

Description Andrej Nemec 2017-07-11 11:27:50 EDT
The getNodeSize function in ext/rtree/rtree.c in SQLite mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

References:

https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
http://marc.info/?l=sqlite-users&m=149933696214713&w=2

Upstream patch:

https://sqlite.org/src/info/66de6f4a
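As an added illustration (not code from this report or from SQLite's upstream patch), the check below parses an r-tree style node blob and rejects any blob whose header promises more cells than its length can hold, which is the class of undersized-blob error the description above refers to. The node layout (2-byte height, 2-byte cell count, cells of an 8-byte rowid plus coordinate bytes), the function names and the sample blobs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed node layout for this illustration: bytes 0-1 height, bytes 2-3
   cell count (both big-endian), followed by nCell cells, each an 8-byte
   rowid plus nDim2 4-byte coordinates. Not SQLite's own code. */
enum { RT_OK = 0, RT_CORRUPT = 1 };

static uint16_t read_u16(const uint8_t *p){ return (uint16_t)((p[0] << 8) | p[1]); }

/* Reject a blob before any cell is touched if its declared cell count
   cannot fit inside nBlob bytes; this is the bound an undersized blob violates. */
int rtree_node_check(const uint8_t *blob, size_t nBlob, int nDim2, int *pnCell){
  size_t nBytesPerCell = 8 + (size_t)nDim2 * 4;
  size_t nCell;
  if( blob == NULL || nBlob < 4 ) return RT_CORRUPT;           /* header missing */
  nCell = read_u16(&blob[2]);
  if( nCell > (nBlob - 4) / nBytesPerCell ) return RT_CORRUPT; /* division avoids overflow */
  if( pnCell ) *pnCell = (int)nCell;
  return RT_OK;
}

/* Walk the cells and sum their rowids; returns -1 instead of reading past
   the end of the blob when the check fails. */
int64_t rtree_node_rowid_sum(const uint8_t *blob, size_t nBlob, int nDim2){
  size_t nBytesPerCell = 8 + (size_t)nDim2 * 4;
  int nCell;
  int64_t sum = 0;
  if( rtree_node_check(blob, nBlob, nDim2, &nCell) != RT_OK ) return -1;
  for( int i = 0; i < nCell; i++ ){
    const uint8_t *cell = &blob[4 + (size_t)i * nBytesPerCell];
    uint64_t rowid = 0;
    for( int k = 0; k < 8; k++ ) rowid = (rowid << 8) | cell[k];
    sum += (int64_t)rowid;
  }
  return sum;
}

/* Constructed sample blobs; nDim2 = 2, so each cell is 16 bytes. */
static const uint8_t kGoodNode[36] = {
  0x00,0x00, 0x00,0x02,                        /* height 0, two cells */
  0,0,0,0,0,0,0,7,   0,0,0,0, 0,0,0,0,         /* rowid 7 */
  0,0,0,0,0,0,0,35,  0,0,0,0, 0,0,0,0          /* rowid 35 */
};
/* Header still claims two cells, but only 10 bytes were stored. */
static const uint8_t kUndersizedNode[10] = { 0x00,0x00, 0x00,0x02, 0,0,0,0,0,0 };
```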
Comment 1 Andrej Nemec 2017-07-11 11:28:10 EDT
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1469674]
Affects: fedora-all [bug 1469676]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1469673]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1469677]
Affects: fedora-all [bug 1469675]
Comment 2 Petr Kubat 2017-07-12 03:09:36 EDT
This seems to only affect sqlite versions older than 3.17 as, according to the sqlite developers and the reporter of the Ubuntu bug, the issue has been indirectly fixed in version 3.17.

For later versions the patch serves only to detect the issue earlier and to provide the user with a more useful error message.
