In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

References:
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
Created mingw-sqlite tracking bugs for this issue:
Affects: epel-7 [bug 1768989]
Affects: fedora-all [bug 1768988]

Created sqlite tracking bugs for this issue:
Affects: fedora-all [bug 1768987]
Statement: The SQLite package as shipped with Red Hat Enterprise Linux 7 and previous versions is not affected by this flaw. The bug was introduced in sqlite-3.8.5, while Red Hat Enterprise Linux 7 and previous releases ship sqlite <= 3.7.17.
There's a flaw in SQLite during query planning. SQLite allows the user to collect query statistics, via the ANALYZE command, to be further used to optimize query planning. The ANALYZE command stores statistical information within a per-database internal table, and one of the values stored is the estimated data size per row of the table being analyzed. The size value is further used during planning in a mathematical expression but is not previously validated. An attacker may leverage this weakness by inserting a record into the internal stats table setting the size to zero, leading to a division by zero exception causing DoS. For an attack to be completed successfully, the end user needs to be tricked into running an INSERT command on the sqlite_stat1 table in order to force the division by zero error in the whereLoopAddBtreeIndex() function during the query planning phase.
Mitigation: A user can mitigate the risk of this vulnerability by:
1) Avoiding use of the ANALYZE command on queries;
2) Disabling PRAGMA optimize for affected SQLite instances.
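Added example, not part of the bug comments or of any Red Hat tooling: a Python audit that flags sqlite_stat1 rows whose stat text carries a row size of zero, and checks whether a SQLite library version lies in the 3.8.5 to 3.29.0 range given in the comments above. The function names and the sample rows are assumptions made for illustration; `sz=NNN` is the row-size argument SQLite reads from the stat column.

```python
import re
import sqlite3

# Bounds from the comments above: introduced in 3.8.5, present through 3.29.0.
# Distribution backports can make a pure version check imprecise.
AFFECTED_FROM = (3, 8, 5)
AFFECTED_THROUGH = (3, 29, 0)
_SZ = re.compile(r"^sz=([0-9]+)")


def library_in_affected_range(version=sqlite3.sqlite_version_info):
    """True if the given SQLite library version falls in the affected range."""
    return AFFECTED_FROM <= tuple(version[:3]) <= AFFECTED_THROUGH


def zero_sz_entries(rows):
    """Return the (tbl, idx, stat) rows whose stat text carries sz=0."""
    flagged = []
    for tbl, idx, stat in rows:
        if not isinstance(stat, str):
            continue  # skip NULL or blob values, nothing to parse
        for token in stat.split():
            m = _SZ.match(token)
            if m and int(m.group(1)) == 0:
                flagged.append((tbl, idx, stat))
                break
    return flagged


def audit_database(path):
    """Open a database file read-only and report zero-size statistics rows."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        has_stats = con.execute(
            "SELECT 1 FROM sqlite_master WHERE name = 'sqlite_stat1'"
        ).fetchone()
        if not has_stats:
            return []  # ANALYZE was never run, so there is nothing to check
        rows = con.execute("SELECT tbl, idx, stat FROM sqlite_stat1").fetchall()
        return zero_sz_entries(rows)
    finally:
        con.close()


# Constructed sample rows (tbl, idx, stat), not taken from a real database.
SAMPLE_ROWS = [
    ("orders", "orders_by_date", "1200 40 sz=48"),
    ("users", "users_by_email", "500 1 sz=0"),
    ("audit", None, "75"),
]
```

Run `audit_database()` from a patched SQLite build when checking database files received from untrusted sources.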
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16168
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1968 https://access.redhat.com/errata/RHSA-2021:1968