Chrome could allow a remote malicious user to execute arbitrary code on the system, caused by an out-of-bounds access in SQLite. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1706806]
Affects: fedora-all [bug 1706807]
The following upstream commits fix this issue:
This issue is caused by a mismatch of data types between memory allocation functions, and is specifically related to the Chromium browser:
chrome_sqlite3_malloc takes an int size argument, while memcpy takes a size_t size argument. On x86-64 this means that chrome_sqlite3_malloc's size argument is width 32, while memcpy's is width 64. This can lead to potentially concerning wrapping behavior for extreme allocation sizes (depending on the compiler, optimizations, etc.).
The patchset also includes the ability to restrict the size of virtual tables in sqlite. Though this is not directly related to standalone sqlite implementations it tends to prevent DoS via memory exhaustion.
https://www.sqlite.org/src/info/07ee06fd390bfebe is however related to the issue since it ensures that 64-bit allocations are used in the FTS3 extension. Because it is not possible to directly trigger the flaw in sqlite, it is rated as having moderate impact.
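The int/size_t width mismatch described in the comment above, as an added illustration rather than Chromium, SQLite, or Red Hat code: `narrow_malloc` is a hypothetical stand-in for an allocator with an int size parameter, and the wrapped values assume a 64-bit size_t with a compiler that keeps the low 32 bits on the size_t-to-int conversion (as GCC and Clang do on x86-64).

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator with an int-sized length parameter, standing in for
 * the chrome_sqlite3_malloc signature the comment describes. */
static void *narrow_malloc(int n) {
    if (n <= 0) return NULL;
    return malloc((size_t)n);
}

/* What the implicit size_t -> int conversion does to a request larger than
 * INT_MAX: on x86-64 only the low 32 bits survive, so a huge length becomes
 * a small (or negative) one. Written explicitly here to make the effect visible. */
int narrowed_size(size_t n) {
    return (int)n;
}

/* Would a memcpy of n bytes fit into a buffer sized by narrow_malloc(n)?
 * Returns 0 when the narrowed allocation is smaller than the copy length. */
int copy_fits(size_t n) {
    int narrowed = narrowed_size(n);
    if (narrowed <= 0) return 0;           /* allocation fails or is refused */
    return (size_t)narrowed >= n;          /* shorter buffer than copy: overflow */
}

/* Hardened wrapper: take size_t like memcpy does and refuse any length that
 * cannot round-trip through int, instead of letting it wrap silently.
 * Returns NULL on refusal; the caller must handle that like any other OOM. */
void *checked_malloc(size_t n) {
    if (n == 0 || n > (size_t)INT_MAX) return NULL;
    return narrow_malloc((int)n);
}
```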
Created mingw-sqlite tracking bugs for this issue:
Affects: fedora-all [bug 1710213]
Created sqlite tracking bugs for this issue:
Affects: fedora-all [bug 1710212]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2019:1243 https://access.redhat.com/errata/RHSA-2019:1243