Bug 1716881 (CVE-2019-8457) - CVE-2019-8457 sqlite: heap out-of-bound read in function rtreenode()
Status: NEW
Alias: CVE-2019-8457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1723338 1719121 1723336 1723337
Blocks: 1719120
Reported: 2019-06-04 10:53 UTC by Dhananjay Arunesh
Modified: 2020-02-03 01:37 UTC

Fixed In Version: sqlite 3.28.0
Last Closed: 2019-06-10 10:56:46 UTC


Description Dhananjay Arunesh 2019-06-04 10:53:34 UTC
SQLite3 from 3.6.0 up to and including 3.27.2 is vulnerable to a heap out-of-bounds
read in the rtreenode() function when handling invalid rtree tables.

Upstream commit:
https://www.sqlite.org/src/info/90acdbfce9c08858
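
An exposure check for the SQLite library a Python runtime is linked against, added here as an example (it is not part of the bug report or of any Red Hat tooling). It uses the affected range from the description above and probes whether the R*Tree module, which provides rtreenode(), is compiled in; the function names are illustrative, and the version comparison assumes an unpatched upstream build, so distribution packages with backported fixes must be checked against the package changelog instead.

```python
import sqlite3

# Affected range as stated in the bug description: 3.6.0 through 3.27.2 inclusive.
FIRST_AFFECTED = (3, 6, 0)
LAST_AFFECTED = (3, 27, 2)


def parse_version(text):
    """Turn '3.7.17' (or '3.7.6.3') into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def in_affected_range(version_text):
    """True if the upstream version number falls inside the reported range."""
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED


def rtree_available():
    """True if the R*Tree module is compiled into the linked SQLite library.

    Probes with a throwaway in-memory database; no rtreenode() call is made.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE rtree_probe USING rtree(id, minx, maxx)")
        return True
    except sqlite3.OperationalError:  # e.g. "no such module: rtree"
        return False
    finally:
        conn.close()


def assess(version_text, has_rtree):
    """Combine both signals into a short triage verdict."""
    if not in_affected_range(version_text):
        return "outside affected range"
    if not has_rtree:
        return "in affected range, rtree module absent"
    return "in affected range, rtree module present"


if __name__ == "__main__":
    linked = sqlite3.sqlite_version  # version of the C library, not the Python module
    print(linked, "->", assess(linked, rtree_available()))
```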

Comment 1 Dhananjay Arunesh 2019-06-04 10:55:19 UTC
Created sqlite3 tracking bugs for this issue:

Affects: fedora-all [bug 1716883]


Created sqlite3-dbf tracking bugs for this issue:

Affects: fedora-all [bug 1716884]

Comment 2 Dhananjay Arunesh 2019-06-04 10:55:48 UTC
Created sqlite3-dbf tracking bugs for this issue:

Affects: epel-all [bug 1716885]

Comment 3 Product Security DevOps Team 2019-06-10 10:56:46 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 6 Dhananjay Arunesh 2019-06-11 06:09:45 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1719121]

Comment 7 nupur priya 2019-06-19 06:48:36 UTC
(In reply to Product Security DevOps Team from comment #3)
> This CVE Bugzilla entry is for community support informational purposes only
> as it does not affect a package in a commercially supported Red Hat product.
> Refer to the dependent bugs for status of those individual community
> products.

Does this mean the sqlite version 3.7.17 is not impacted?

Comment 9 Ondrej Dubaj 2019-07-31 08:16:55 UTC
Hello,

Is sqlite version 3.7.17 affected by this issue? From my investigation, the upstream patch is not applicable on rhel-7, as it does not support sqlite3 objects, and I do not have a reproducer for this bug to test if there is a real problem.
If it is not affected, can we close this bug?
Thank you.

Comment 10 Tomas Hoger 2019-12-17 12:44:01 UTC
Based on the tags on the upstream commit, this was fixed in the upstream version 3.28.0:

https://github.com/sqlite/sqlite/commit/e41fd72acc7a06ce5a6a7d28154db1ffe8ba37a8

Comment 11 Mark Denihan 2020-01-21 11:02:15 UTC
Is there an ETA to when the upstream fix in 3.28.0 will be picked up or if a patch will be made available for 3.7.17? This was reported in June and fixed in other OS distributions like Debian Buster. Is there any reason why this has not been actioned yet?

Comment 12 Ondrej Dubaj 2020-01-21 11:13:36 UTC
The patch for this issue is already in testing for rhel-8. Owing to the very problematic application of this patch on rhel-7, we have decided not to apply this patch on rhel-7.9 due to the risk of instability, as rhel-7.9 should contain only critical and high priority issues.

Comment 13 Mark Denihan 2020-01-21 11:54:34 UTC
Thanks for the information @Ondrej! Is there any plan to patch this in rhel-7 at any point?

Comment 14 Ondrej Dubaj 2020-01-21 12:47:50 UTC
If there is any urgent issue from a customer to resolve this issue, we might consider fixing it. But currently there is no plan to resolve it.

