Bug 1659379 (CVE-2018-20346, CVE-2018-20505, CVE-2018-20506) - CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)
Summary: CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-20346, CVE-2018-20505, CVE-2018-20506
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20181204,repo...
: 1659363 (view as bug list)
Depends On: 1659907 1659677 1659684 1659908
Blocks: 1658968
TreeView+ depends on / blocked
 
Reported: 2018-12-14 08:24 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-07-29 11:50 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Multiple flaws were found in sqlite. An attacker having the ability to run arbitrary SQL commands could use this flaw to execute arbitrary code with the permission of the user running the sqlite application.
Clone Of:
Environment:
Last Closed: 2019-03-06 05:30:51 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2018-12-14 08:24:31 UTC
Multiple flaws were found in sqlite. An attacker who is able to run arbitrary SQL statements could use this flaw to corrupt the internal databases, which can lead to arbitrary code execution as the user running sqlite.

This issue was fixed via sqlite-3.25.3 release at:
https://www.sqlite.org/releaselog/3_25_3.html

Also sqlite-3.36 introduced SQLITE_DBCONFIG_DEFENSIVE option which when added to the config file, could prevent attackers for corrupting the internal database files. This could however break applications which require users to write these database files.
https://www.sqlite.org/releaselog/3_26_0.html
https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive

Comment 8 Huzaifa S. Sidhpurwala 2018-12-15 03:25:09 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1659677]

Comment 10 Huzaifa S. Sidhpurwala 2018-12-15 04:35:38 UTC
*** Bug 1659363 has been marked as a duplicate of this bug. ***

Comment 12 Huzaifa S. Sidhpurwala 2018-12-15 04:45:39 UTC
Notes on exploitation:

The attacker needs to be able to execute arbitrary SQL statements in order to corrupt the databases and run arbitrary code as the user running sqlite applications. This is uncommon in applications, normally only administrative users are allowed to run SQL statements.

Chromium however exposes sqlite via WebSQL. This issue was address by Chromium 71.0.3578.80 via https://access.redhat.com/errata/RHSA-2018:3803

Mozilla firefox uses sqlite only to store internal profile information, browsing history etc, therefore should not be exploitable remotely.

Also refer to: https://www.sqlite.org/security.html for sqlite >= 3.26.0

Comment 20 Huzaifa S. Sidhpurwala 2018-12-17 07:48:52 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1659907]
Affects: fedora-all [bug 1659908]

Comment 27 Justin Clift 2018-12-25 20:45:50 UTC
As a data point, the Magellan vulnerability may be applicable to the sqlite package in EL7 base too:

  sqlite-3.7.17-8.el7.x86_64
  sqlite-devel-3.7.17-8.el7.x86_64

The "attacker having the ability to run arbitrary SQL commands" concept seems a bit short sighted.

EL7 ships the sqlite-devel package, which means customers and users can build their own applications, which may or may not include the FTS3 module this bug occurs in.

The safest bet for customers is probably to back port the (fairly simple) upstream patch which fixes the problem, and release a SQLite 3.7.17-9. :)

  https://www.sqlite.org/src/info/940f2adc8541a838

Note - I'm not aware if anyone has (yet) looked for the earliest affected SQLite version, so see where the bug was introduced.  That would potentially be useful info too.

Thoughts?

Comment 30 Huzaifa S. Sidhpurwala 2019-01-02 15:22:08 UTC
(In reply to Justin Clift from comment #27)
> As a data point, the Magellan vulnerability may be applicable to the sqlite
> package in EL7 base too:
> 
>   sqlite-3.7.17-8.el7.x86_64
>   sqlite-devel-3.7.17-8.el7.x86_64
> 
> The "attacker having the ability to run arbitrary SQL commands" concept
> seems a bit short sighted.
> 
Analysis of these kind of flaws, normally assumes that standard security practices are followed. For example if you look at browsers chromium/chrome is only affected because it exposes a vector ie WebSQL.


> EL7 ships the sqlite-devel package, which means customers and users can
> build their own applications, which may or may not include the FTS3 module
> this bug occurs in.
> 
Again we assume that these applications are doing the right thing security wise. If insecure programming practices are followed, the underlying libraries cannot be blamed :)

> The safest bet for customers is probably to back port the (fairly simple)
> upstream patch which fixes the problem, and release a SQLite 3.7.17-9. :)
>
See https://bugzilla.redhat.com/show_bug.cgi?id=1659379#c29 . RHEL-7 isnt really affected.

Also if you look at the patch you mentioned below, it does not prevent corruption of internal databases, it just ensures that the corruption of databases cannot lead to arbitrary code execution.


>   https://www.sqlite.org/src/info/940f2adc8541a838
> 
> Note - I'm not aware if anyone has (yet) looked for the earliest affected
> SQLite version, so see where the bug was introduced.  That would potentially
> be useful info too.
> 
> Thoughts?

I hope this answers your questions, feel free to open a support ticket if you are Red Hat customer!

Comment 31 Nicholas Luedtke 2019-01-02 15:34:56 UTC
This was assigned CVE-2018-20346.

Comment 32 Huzaifa S. Sidhpurwala 2019-01-04 07:03:31 UTC
Statement:

This flaw does not affect the versions of sqlite package shipped with Red Hat Enterprise Linux 5, 6 and 7. This flaw in sqlite can be exploited by attackers only if they are able to run arbitrary SQL statements on the sqlite database. For more information please see https://bugzilla.redhat.com/show_bug.cgi?id=1659379#c12


Note You need to log in before you can comment on or make changes to this bug.