Bug 1469672 (CVE-2017-10989) - CVE-2017-10989 sqlite: Heap-buffer overflow in the getNodeSize function
Summary: CVE-2017-10989 sqlite: Heap-buffer overflow in the getNodeSize function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-10989
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1469677 1469673 1469674 1469675 1469676
Blocks: 1469678
TreeView+ depends on / blocked
 
Reported: 2017-07-11 15:27 UTC by Andrej Nemec
Modified: 2021-10-21 11:54 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-21 11:54:32 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-07-11 15:27:50 UTC 
The getNodeSize function in ext/rtree/rtree.c in SQLite mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

References:

https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
http://marc.info/?l=sqlite-users&m=149933696214713&w=2

Upstream patch:

https://sqlite.org/src/info/66de6f4a
Comment 1 Andrej Nemec 2017-07-11 15:28:10 UTC 
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1469674]
Affects: fedora-all [bug 1469676]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1469673]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1469677]
Affects: fedora-all [bug 1469675]
Comment 2 Petr Kubat 2017-07-12 07:09:36 UTC 
This seems to only affect sqlite versions older than 3.17 as, according to the sqlite developers and the reporter of the Ubuntu bug, the issue has been indirectly fixed in version 3.17.

For later versions the patch serves only to detect the issue earlier and to provide the user with a more useful error message.
Note You need to log in before you can comment on or make changes to this bug.