Bug 1778867 (CVE-2019-19242) - CVE-2019-19242 sqlite: SQL injection in sqlite3ExprCodeTarget in expr.c
Summary: CVE-2019-19242 sqlite: SQL injection in sqlite3ExprCodeTarget in expr.c
Status: NEW
Alias: CVE-2019-19242
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1778869 1778870 1787039 1778868 1786655
Blocks: 1778871
Reported: 2019-12-02 17:09 UTC by Guilherme de Almeida Suckevicz
Modified: 2019-12-30 14:24 UTC
CC List: 14 users

Fixed In Version:


Description Guilherme de Almeida Suckevicz 2019-12-02 17:09:27 UTC
SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.

Reference and upstream commit:

Comment 1 Guilherme de Almeida Suckevicz 2019-12-02 17:09:50 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: epel-7 [bug 1778870]
Affects: fedora-all [bug 1778869]

Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1778868]

Comment 7 Marco Benatto 2019-12-30 13:57:23 UTC
There's an issue with SQLite when using a generated column which is evaluated to a constant value as an index for a table. When evaluating an SQL expression containing a join clause referencing the generated column, an internal field representing the tables involved in the join is set to NULL. However, due to an error in the logic used during expression evaluation, the same field is later dereferenced, leading to a NULL pointer dereference. An attacker may leverage this flaw to cause a DoS.

The Attack Complexity may be considered High, as the attacker needs to triage the existence of a table with such a schema, a query with the aspects mentioned above, and a way to trigger it. The Availability impact when an attack is successful may be considered High.
