1841231 – (CVE-2020-13435) CVE-2020-13435 sqlite: NULL pointer dereference in sqlite3ExprCodeTarget()

Bug 1841231 (CVE-2020-13435) - CVE-2020-13435 sqlite: NULL pointer dereference in sqlite3ExprCodeTarget()

Summary: CVE-2020-13435 sqlite: NULL pointer dereference in sqlite3ExprCodeTarget()

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-13435
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1841232 1841233 1841234 1841235 1846249 1846260 1846261
Blocks:	1841236
TreeView+	depends on / blocked

Reported:	2020-05-28 16:48 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-09-26 14:52 UTC (History)
CC List:	13 users (show)
Fixed In Version:	sqlite 3.32.1
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer dereference flaw was found in SQLite when rewriting select statements for window functions. This flaw allows an attacker who can execute SQL statements, to crash the application, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:	2021-10-28 11:00:03 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4396	0	None	None	None	2021-11-09 18:37:01 UTC

Description Guilherme de Almeida Suckevicz 2020-05-28 16:48:10 UTC

SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.

Reference and upstream commit:
https://www.sqlite.org/src/info/7a5279a25c57adf1

Comment 1 Guilherme de Almeida Suckevicz 2020-05-28 16:48:50 UTC

Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841233]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841235]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1841232]
Affects: fedora-all [bug 1841234]

Comment 2 Mauro Matteo Cascella 2020-06-11 08:28:31 UTC

Upstream fix:
https://www.sqlite.org/src/info/ad7bb70af9bb68d1

Comment 6 Mauro Matteo Cascella 2020-06-11 12:23:54 UTC

Under some circumstances it is possible for a SQL expression to cause a NULL pointer dereference in sqlite3ExprCodeTarget() in expr.c, when the pInfo->aFunc struct pointer is set to 0. This may happen when rewriting a query for window functions, if the rewrite changes the depth of TK_AGG_FUNCTION nodes. An attacker would need to have a level of access that allows him to write particular SQL expressions to trigger this flaw, leading to a denial of service.

Comment 8 errata-xmlrpc 2021-11-09 18:36:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4396 https://access.redhat.com/errata/RHSA-2021:4396

Note You need to log in before you can comment on or make changes to this bug.