An exploitable use-after-free vulnerability exists in the window function functionality of SQLite 3.26.0. A specially crafted SQL command can cause a use-after-free, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability. External References: https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
According to https://www.sqlite.org/windowfunctions.html, window functions were first added to SQLite in upstream release 3.25.0 (2018-09-15).
Upstream patch: https://www.sqlite.org/src/info/1e16d3e8fc60d39c
The Expr expression representing the window function is deleted in selectWindowRewriteExprCb(), during the rewrite of the window statement. When the Window is deleted in sqlite3WindowDelete(), its pPartition list is deleted as well, but that list is reused shortly afterwards in sqlite3WindowRewrite(). This causes a use-after-free, which could be abused by an attacker to execute code on the system.
Setting Impact to Moderate, as this flaw requires the attacker to already have access to the database in a way that allows custom queries (e.g. either directly or through a SQL injection in an application). This means the attacker could already extract data from the database or destroy it.
Statement: This issue did not affect the versions of sqlite as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for Window functions.
Based on the tags on the upstream commit, this was fixed in the upstream version 3.28.0: https://github.com/sqlite/sqlite/commit/4ded26a53c4df312e9fd06facbbf70377e969983
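As an added screening check (not from the bug report, the distribution, or SQLite's own code), the Python snippet below compares the SQLite library linked into the interpreter against the version range the comments above give and probes whether window-function syntax is accepted at all; the function names are my own.

```python
import sqlite3

# Range taken from the comments above: window functions arrived in 3.25.0
# and the upstream fix carries the 3.28.0 tag, so [3.25.0, 3.28.0) is screened.
FIRST_WITH_WINDOW_FUNCTIONS = (3, 25, 0)
FIRST_FIXED = (3, 28, 0)


def parse_version(text):
    """Turn a dotted SQLite version string such as '3.26.0' into a 3-tuple."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(version):
    """True if the library version lies in the range the page describes.

    Caveat: distributions backport fixes without bumping the version string
    (the page lists RHSA-2020:4442 for RHEL 8), so a hit here is a prompt to
    check the vendor advisory, not proof of exposure.
    """
    return FIRST_WITH_WINDOW_FUNCTIONS <= tuple(version) < FIRST_FIXED


def window_functions_supported(conn):
    """Probe whether the linked library accepts window-function syntax.

    A harmless row_number() OVER () query is used; builds without window
    function support reject the OVER clause with a syntax error.
    """
    try:
        conn.execute("SELECT row_number() OVER () FROM (SELECT 1)").fetchall()
        return True
    except sqlite3.OperationalError:
        return False


def screen_linked_sqlite():
    """Report version, affected-range status and window-function support."""
    conn = sqlite3.connect(":memory:")
    try:
        return {
            "version": sqlite3.sqlite_version,
            "in_affected_range": is_affected_version(
                parse_version(sqlite3.sqlite_version)),
            "window_functions": window_functions_supported(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(screen_linked_sqlite())
```

A build that reports window functions as unsupported is outside the vulnerable code path regardless of its version string, which is the same reasoning the RHEL 5/6/7 statement below relies on.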
Created sqlite tracking bugs for this issue: Affects: fedora-30 [bug 1784431]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5018