1841223 – (CVE-2020-13434) CVE-2020-13434 sqlite: integer overflow in sqlite3_str_vappendf function in printf.c

Bug 1841223 (CVE-2020-13434) - CVE-2020-13434 sqlite: integer overflow in sqlite3_str_vappendf function in printf.c

Summary: CVE-2020-13434 sqlite: integer overflow in sqlite3_str_vappendf function in p...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-13434
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1841224 1841225 1841226 1841227 1845843 1845851
Blocks:	1841236
TreeView+	depends on / blocked

Reported:	2020-05-28 16:41 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-05-18 16:30 UTC (History)
CC List:	13 users (show)
Fixed In Version:	sqlite 3.32.1
Doc Type:	If docs needed, set a value
Doc Text:	An integer overflow flaw was found in the SQLite implementation of the printf() function. This flaw allows an attacker who can control the precision of floating-point conversions, to crash the application, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:	2021-05-18 14:33:57 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-05-28 16:41:33 UTC

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

References and upstream commit:
https://www.sqlite.org/src/info/23439ea582241138
https://www.sqlite.org/src/info/d08d3405878d394e

Comment 1 Guilherme de Almeida Suckevicz 2020-05-28 16:42:06 UTC

Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841225]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841227]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1841224]
Affects: fedora-all [bug 1841226]

Comment 5 Mauro Matteo Cascella 2020-06-10 09:05:10 UTC

Statement:

This flaw did not affect the versions of SQLite as shipped with Red Hat Enterprise Linux 7 as they did not include support for the printf() function, which was introduced in a later version of the package.

Comment 6 Mauro Matteo Cascella 2020-06-10 09:07:22 UTC

printf() was introduced in SQLite upstream version 3.8.3 via the following commit:
  -> https://github.com/sqlite/sqlite/commit/a5c1416d64b4b857721f085258b6ef1dcaeb6f5b

Comment 7 Mauro Matteo Cascella 2020-06-10 20:26:45 UTC

Under some circumstances, when performing floating-point conversions it is possible to cause an integer overflow in the SQL printf() function, resulting in a stack-based buffer overflow. Consider the following excerpt from sqlite3_str_vappendf() in printf.c:

```
char *bufpt;               /* Pointer to the conversion buffer */
char buf[etBUFSIZE];       /* Conversion buffer, etBUFSIZE == 70 */
...
bufpt = buf;
...
if( exp<-4 || exp>precision ){
  xtype = etEXP;
}else{
  precision = precision - exp;
  xtype = etFLOAT;
}
...
/* Size of a temporary buffer needed */
szBufNeeded = MAX(e2,0)+(i64)precision+(i64)width+15;
if( szBufNeeded > etBUFSIZE ){
  ...
}
...
/* Significant digits after the decimal point */
while( (precision--)>0 ){
  *(bufpt++) = et_getdigit(&realvalue,&nsd);
}
```

A format string can be crafted so that precision == 2147483646 and exp == -2. This causes an integer overflow on the precision variable (due to 2147483646-(-2) = 2147483648 = 0x80000000) leading to the computation of a negative buffer size. In turn, this leads to the overflow of the conversion buffer. Note that the conversion buffer is incrementally populated with the ascii code of the digits after the decimal point (up to the 16th digit, after which '0' is always returned).

Comment 8 Mauro Matteo Cascella 2020-06-11 09:22:33 UTC

SQLite provides the compile-time option SQLITE_PRINTF_PRECISION_LIMIT to protect against similar attacks. Note that the versions of SQLite as shipped with Red Hat Enterprise Linux 7 and 8 were *not* compiled with that preprocessor option.

Comment 9 errata-xmlrpc 2021-05-18 13:21:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1581 https://access.redhat.com/errata/RHSA-2021:1581

Comment 10 errata-xmlrpc 2021-05-18 13:27:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1581 https://access.redhat.com/errata/RHSA-2021:1581

Comment 11 Product Security DevOps Team 2021-05-18 14:33:57 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13434

Comment 12 errata-xmlrpc 2021-05-18 16:30:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1968 https://access.redhat.com/errata/RHSA-2021:1968

Note You need to log in before you can comment on or make changes to this bug.