Bug 1708301 (CVE-2019-5018) - CVE-2019-5018 sqlite: Use-after-free in window function leading to remote code execution
Summary: CVE-2019-5018 sqlite: Use-after-free in window function leading to remote cod...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-5018
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1721509 1784431
Blocks: 1720587
TreeView+ depends on / blocked
 
Reported: 2019-05-09 14:41 UTC by Marian Rehak
Modified: 2021-02-16 21:57 UTC (History)
16 users (show)

Fixed In Version: sqlite 3.28.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:21:21 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4442 0 None None None 2020-11-04 00:59:29 UTC

Description Marian Rehak 2019-05-09 14:41:00 UTC
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777

Comment 3 Riccardo Schirone 2019-06-14 13:22:42 UTC
According to https://www.sqlite.org/windowfunctions.html window functions was first added to SQLite with upstream release version 3.25.0 (2018-09-15).

Comment 4 Riccardo Schirone 2019-06-18 09:03:45 UTC
Upstream patch:
https://www.sqlite.org/src/info/1e16d3e8fc60d39c

Comment 8 Riccardo Schirone 2019-06-18 10:21:48 UTC
The expression Expr representing the Window function is deleted in selectWindowRewriteExprCb(), during the rewrite of the Window statement. During the deletion of a Window, which happens in sqlite3WindowDelete(), the pPartition list is deleted as well, but it is re-used shortly after, in function sqlite3WindowRewrite(). This causes a use-after-free, which could be abused by an attacker to execute code on the system.

Comment 9 Riccardo Schirone 2019-06-18 12:28:32 UTC
Setting Impact to Moderate as this flaw requires the attacker to already have access to the database in such a way to perform custom queries (e.g. either directly or from a SQL injection in an application). This means the attacker could already extract data from the database or destroy them.

Comment 10 Riccardo Schirone 2019-06-18 12:30:36 UTC
Statement:

This issue did not affect the versions of sqlite as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for Window functions.

Comment 12 Tomas Hoger 2019-12-17 12:27:17 UTC
Based on the tags on the upstream commit, this was fixed in the upstream version 3.28.0:

https://github.com/sqlite/sqlite/commit/4ded26a53c4df312e9fd06facbbf70377e969983

Comment 13 Tomas Hoger 2019-12-17 12:27:38 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-30 [bug 1784431]

Comment 14 errata-xmlrpc 2020-11-04 00:59:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442

Comment 15 Product Security DevOps Team 2020-11-04 02:21:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-5018


Note You need to log in before you can comment on or make changes to this bug.