Bug 1706805 (CVE-2019-5827) - CVE-2019-5827 chromium-browser: out-of-bounds access in SQLite
Summary: CVE-2019-5827 chromium-browser: out-of-bounds access in SQLite
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-5827
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190430,repo...
Depends On: 1706806 1710183 1710184 1710213 1706807 1709803 1710212
Blocks: 1706809
 
Reported: 2019-05-06 10:36 UTC by Marian Rehak
Modified: 2019-06-10 10:55 UTC (History)

Fixed In Version: chromium-browser 74.0.3729.131
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:55:06 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1243 None None None 2019-05-16 20:09:12 UTC

Description Marian Rehak 2019-05-06 10:36:50 UTC
Chrome could allow a remote malicious user to execute arbitrary code on the system, caused by an out-of-bounds access in SQLite. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.

External References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/160450

Comment 1 Marian Rehak 2019-05-06 10:37:08 UTC
Created chromium tracking bugs for this issue:

Affects: epel-7 [bug 1706806]
Affects: fedora-all [bug 1706807]

Comment 5 Huzaifa S. Sidhpurwala 2019-05-15 04:30:58 UTC
The following upstream commits fix this issue:

https://www.sqlite.org/src/info/07ee06fd390bfebe
https://www.sqlite.org/src/info/0b6ae032c28e7fe3

Comment 7 Huzaifa S. Sidhpurwala 2019-05-15 04:41:49 UTC
Analysis:

This issue is caused by a mismatch of data types between memory allocation functions, and is specifically related to the Chromium browser:

chrome_sqlite3_malloc takes an int size argument, while memcpy takes a size_t size argument. On x86-64 this means that chrome_sqlite3_malloc's size argument is width 32, while memcpy's is width 64. This can lead to potentially concerning wrapping behavior for extreme allocation sizes (depending on the compiler, optimizations, etc).

The patchset also includes the ability to restrict the size of virtual tables in sqlite. Though this is not directly related to standalone sqlite implementations, it tends to prevent DoS via memory exhaustion.

https://www.sqlite.org/src/info/07ee06fd390bfebe is however related to the issue since it ensures that 64-bit allocations are used in the FTS3 extension. Because it is not possible to directly trigger the flaw in sqlite, it is rated as having moderate impact.
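
The width mismatch described in Comment 7, shown as an added C example; this is not code from Chromium, SQLite or this bug report. alloc_int and alloc_u64 stand in for an int-sized allocator such as sqlite3_malloc(int) and its 64-bit counterpart sqlite3_malloc64; copy_narrow, copy_wide, the limit parameter and the sample buffer are constructed for illustration. copy_narrow reports the overflowing memcpy instead of executing it, so the program stays memory-safe.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { COPY_OK, COPY_WOULD_OVERFLOW, COPY_ALLOC_FAILED, COPY_TOO_LARGE } copy_result;

/* Model of an int-sized allocator entry point (like sqlite3_malloc(int)). */
static void *alloc_int(int n) {
    if (n <= 0) return NULL;               /* negative or zero: allocation refused */
    return malloc((size_t)n);
}

/* Model of a 64-bit allocator entry point (like sqlite3_malloc64). */
static void *alloc_u64(uint64_t n) {
    if (n == 0 || n > (uint64_t)SIZE_MAX) return NULL;
    return malloc((size_t)n);
}

/* The size an int-taking allocator sees for a size_t request. With gcc/clang
   on x86-64 the low 32 bits are reinterpreted as signed (implementation-defined):
   0x100000001 becomes 1 and 0xFFFFFFFF becomes -1. */
int narrowed_size(size_t n) {
    return (int)n;                         /* the implicit conversion on the buggy path */
}

/* True when the allocation size and a later memcpy(size_t) cannot disagree. */
int size_fits_int(size_t n) {
    return n <= (size_t)INT_MAX;
}

/* Vulnerable pattern: allocate through the int path, copy with the full size_t.
   The overflowing memcpy is detected and reported rather than performed. */
copy_result copy_narrow(const uint8_t *src, size_t n, uint8_t **out) {
    int alloc_n = narrowed_size(n);        /* silently truncated */
    uint8_t *buf = alloc_int(alloc_n);
    *out = NULL;
    if (buf == NULL) return COPY_ALLOC_FAILED;       /* zero, negative, or OOM */
    if (n > (size_t)alloc_n) {                       /* memcpy(buf, src, n) would overflow */
        free(buf);
        return COPY_WOULD_OVERFLOW;
    }
    memcpy(buf, src, n);
    *out = buf;
    return COPY_OK;
}

/* Fixed pattern: one 64-bit width end to end, plus an explicit upper bound
   (hypothetical `limit`) in the spirit of the size limits the patchset adds. */
copy_result copy_wide(const uint8_t *src, uint64_t n, uint64_t limit, uint8_t **out) {
    *out = NULL;
    if (n > limit) return COPY_TOO_LARGE;
    uint8_t *buf = alloc_u64(n);
    if (buf == NULL) return COPY_ALLOC_FAILED;
    memcpy(buf, src, (size_t)n);
    *out = buf;
    return COPY_OK;
}

static const uint8_t sample[4] = {0xde, 0xad, 0xbe, 0xef};   /* constructed input */

/* A 0x100000001-byte request through the int-sized path: the allocator sees 1. */
copy_result demo_narrow_overflow(void) {
    uint8_t *out;
    copy_result r = copy_narrow(sample, (size_t)0x100000001ULL, &out);
    free(out);
    return r;
}

/* The same request through the 64-bit path with a 1 MiB cap is refused up front. */
copy_result demo_wide_rejected(void) {
    uint8_t *out;
    copy_result r = copy_wide(sample, 0x100000001ULL, 1u << 20, &out);
    free(out);
    return r;
}

/* Ordinary sizes behave identically on both paths. */
int demo_small_copy(void) {
    uint8_t *a = NULL, *b = NULL;
    int ok = copy_narrow(sample, sizeof sample, &a) == COPY_OK
          && copy_wide(sample, sizeof sample, 1024, &b) == COPY_OK
          && memcmp(a, sample, sizeof sample) == 0
          && memcmp(b, sample, sizeof sample) == 0;
    free(a);
    free(b);
    return ok;
}

int main(void) {
    printf("narrowed 0x100000001 -> %d\n", narrowed_size((size_t)0x100000001ULL));
    printf("narrow path: %d (1 = would overflow)\n", demo_narrow_overflow());
    printf("wide path:   %d (3 = too large)\n", demo_wide_rejected());
    printf("small copy ok: %d\n", demo_small_copy());
    return 0;
}
```

The narrow path does not fail loudly: a 4 GiB + 1 request becomes a 1-byte allocation that succeeds, and only the subsequent memcpy with the original size_t length would corrupt the heap. Requests between 2 GiB and 4 GiB are instead turned negative and refused, which is why such bugs can look like plain allocation failures in testing. The wide path keeps a single width throughout and applies the bound before allocating, which also covers the memory-exhaustion case the patchset's size limits are aimed at.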

Comment 9 Huzaifa S. Sidhpurwala 2019-05-15 06:02:47 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1710213]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1710212]

Comment 10 errata-xmlrpc 2019-05-16 20:09:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2019:1243 https://access.redhat.com/errata/RHSA-2019:1243

