Bug 1768986 (CVE-2019-16168) - CVE-2019-16168 sqlite: Division by zero in whereLoopAddBtreeIndex in sqlite3.c
Summary: CVE-2019-16168 sqlite: Division by zero in whereLoopAddBtreeIndex in sqlite3.c
Status: CLOSED ERRATA
Alias: CVE-2019-16168
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1768987 1768988 1768989 1826897 1826898
Blocks: 1768990
Reported: 2019-11-05 17:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-12-15 16:54 UTC (History)

Last Closed: 2020-11-04 02:22:54 UTC



Links:
System: Red Hat Product Errata; ID: RHSA-2020:4442; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2020-11-04 00:59:38 UTC

Description Guilherme de Almeida Suckevicz 2019-11-05 17:46:27 UTC
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

References:
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62

Comment 1 Guilherme de Almeida Suckevicz 2019-11-05 17:46:48 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1768989]
Affects: fedora-all [bug 1768988]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1768987]

Comment 2 Guilherme de Almeida Suckevicz 2019-11-05 17:48:27 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1768989]
Affects: fedora-all [bug 1768988]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1768987]

Comment 4 Marco Benatto 2019-12-04 15:56:11 UTC
Statement:

The SQLite package as shipped with Red Hat Enterprise Linux 7 and previous versions is not affected by this flaw. The bug was introduced in sqlite-3.8.5, while Red Hat Enterprise Linux 7 and previous releases ship sqlite <= 3.7.17.

Comment 8 Marco Benatto 2019-12-04 18:12:19 UTC
There's a flaw in SQLite during query planning. SQLite allows the user to collect query statistics to be further used to optimize query planning via the ANALYZE command. The ANALYZE command stores statistical information within a per-database internal table, and one of the data items stored is the estimated data size per row of the table being analyzed. The size value is further used during planning in a mathematical expression but is not previously validated. An attacker may leverage this weakness by inserting a record into the stats internal table setting the size to zero, leading to a division by zero exception causing DoS.

For an attack to be completed successfully, the end user needs to be tricked into running an INSERT command on the sqlite_stat1 table in order to force the Division By Zero error in the whereLoopAddBtreeIndex() function during the query planning phase.

Comment 9 Marco Benatto 2019-12-04 18:13:53 UTC
Mitigation:

A user can mitigate the risk of this vulnerability by:

1) Avoiding use of the ANALYZE command on queries;
2) Disabling the PRAGMA optimize for affected SQLite instances;
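
Added example (not part of the bug report and not SQLite or Red Hat code): a small audit that flags sqlite_stat1 rows whose stat text carries an sz=0 token, the condition described in the comments above, so that a database file from an untrusted source can be checked before an affected build plans queries against it. The function names and sample rows are constructed for illustration, and the audit itself is assumed to run on a host whose SQLite library already contains the fix.

```python
import re
import sqlite3

# Constructed sample rows in sqlite_stat1 layout: (tbl, idx, stat).
SAMPLE_ROWS = [
    ("orders", "orders_by_customer", "10000 25"),
    ("orders", "orders_by_date", "10000 40 sz=120"),
    ("users", "users_by_email", "500 1 unordered sz=0"),
    ("users", None, "500"),
]

# The optional row-size argument appears as a whitespace-separated "sz=N" token.
SZ_TOKEN = re.compile(r"^sz=(\d+)$")


def find_zero_sz(rows):
    """Return the (tbl, idx, stat) rows whose stat text has an sz=N token with N == 0."""
    flagged = []
    for tbl, idx, stat in rows:
        # stat is normally text; str() keeps the scan safe if a row holds another type.
        for token in str(stat or "").split():
            m = SZ_TOKEN.match(token)
            if m and int(m.group(1)) == 0:
                flagged.append((tbl, idx, stat))
                break
    return flagged


def audit_db(path):
    """Open a database file read-only and report zero-sz rows in sqlite_stat1."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        has_stats = con.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name='sqlite_stat1'"
        ).fetchone()
        if not has_stats:  # ANALYZE was never run, so there is nothing to audit
            return []
        return find_zero_sz(con.execute("SELECT tbl, idx, stat FROM sqlite_stat1"))
    finally:
        con.close()


if __name__ == "__main__":
    for row in find_zero_sz(SAMPLE_ROWS):
        print("suspicious sqlite_stat1 row:", row)
```
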

Comment 12 errata-xmlrpc 2020-11-04 00:59:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442

Comment 13 Product Security DevOps Team 2020-11-04 02:22:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16168

Comment 14 errata-xmlrpc 2021-05-18 16:30:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1968 https://access.redhat.com/errata/RHSA-2021:1968

