Bug 1706805 (CVE-2019-5827) - CVE-2019-5827 sqlite: out-of-bounds access due to the use of 32-bit memory allocator interfaces
Summary: CVE-2019-5827 sqlite: out-of-bounds access due to the use of 32-bit memory al...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-5827
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1706806 1706807 1709803 1710183 1710184 1710212 1710213
Blocks: 1706809
TreeView+ depends on / blocked
 
Reported: 2019-05-06 10:36 UTC by Marian Rehak
Modified: 2022-02-21 05:57 UTC (History)
19 users (show)

Fixed In Version: chromium-browser 74.0.3729.131
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-13 23:28:33 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1243 0 None None None 2019-05-16 20:09:12 UTC
Red Hat Product Errata RHSA-2021:4396 0 None None None 2021-11-09 18:36:09 UTC

Description Marian Rehak 2019-05-06 10:36:50 UTC
Chrome could allow a remote malicious user to execute arbitrary code on the system, caused by an out-of-bounds access in SQLite. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.

External References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/160450

Comment 1 Marian Rehak 2019-05-06 10:37:08 UTC
Created chromium tracking bugs for this issue:

Affects: epel-7 [bug 1706806]
Affects: fedora-all [bug 1706807]

Comment 5 Huzaifa S. Sidhpurwala 2019-05-15 04:30:58 UTC
The following upstream commits fix this issue:

https://www.sqlite.org/src/info/07ee06fd390bfebe
https://www.sqlite.org/src/info/0b6ae032c28e7fe3

Comment 7 Huzaifa S. Sidhpurwala 2019-05-15 04:41:49 UTC
Analysis:

This issue is caused by mismatch of data types between memory allocation functions. And is specially related to chromium browser:

chrome_sqlite3_malloc takes an int size argument, while memcpy takes a size_t size argument. On x86-64 this means that chrome_sqlite_3_malloc's size argument is width 32, while memcpy's is width 64. This can lead to potentially concerning wrapping behavior for extreme allocation sizes (depending on the compiler, optimizations, etc).

The patchset also includes the ability to restrict the size of virtual tables in sqlite. Though this is not directly related to standalone sqlite implementations it tends to prevent DoS via memory exhaustion.

https://www.sqlite.org/src/info/07ee06fd390bfebe is however related to the issue since it ensures that 64-bit allocations are used in the FTS3 extension. Because it is not possible to directly trigger the flaw in sqlite, it is rated as having moderate impact.

Comment 9 Huzaifa S. Sidhpurwala 2019-05-15 06:02:47 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1710213]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1710212]

Comment 10 errata-xmlrpc 2019-05-16 20:09:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2019:1243 https://access.redhat.com/errata/RHSA-2019:1243

Comment 11 Chris Johnson 2020-11-13 22:27:13 UTC
Can you please elaborate on why this is not being fixed in RHEL 7 or 8?
https://access.redhat.com/security/cve/cve-2019-5827

This is being flagged in ubi8-minimal base image which is used by nearly all IBM products by 3rd party scanning tools such as Aquasecurity Trivy.

Comment 12 Product Security DevOps Team 2020-11-13 23:28:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-5827

Comment 13 Vít Ondruch 2020-11-25 10:10:57 UTC
(In reply to Chris Johnson from comment #11)
> Can you please elaborate on why this is not being fixed in RHEL 7 or 8?
> https://access.redhat.com/security/cve/cve-2019-5827
> 
> This is being flagged in ubi8-minimal base image which is used by nearly all
> IBM products by 3rd party scanning tools such as Aquasecurity Trivy.

Please note, that while this ticket is rated high, the related RHEL7 (bug 1710183) and RHEL8 (bug 1710184) trackers are rated medium. That means they were evaluated not severe enough to be fixed. If you think these bugs should be addressed, please contact Red Hat support to help to prioritize those appropriately.

Comment 14 Huzaifa S. Sidhpurwala 2021-02-23 04:23:20 UTC
Statement:

This flaw is not remotely exploitable for sqlite package shipped with Red Hat Enterprise Linux therefore it is rated as having moderate impact for  sqlite.

Comment 15 errata-xmlrpc 2021-11-09 18:36:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4396 https://access.redhat.com/errata/RHSA-2021:4396


Note You need to log in before you can comment on or make changes to this bug.