Bug 1841231 (CVE-2020-13435) - CVE-2020-13435 sqlite: NULL pointer dereference in sqlite3ExprCodeTarget()
Summary: CVE-2020-13435 sqlite: NULL pointer dereference in sqlite3ExprCodeTarget()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13435
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1841232 1841233 1841234 1841235 1846249 1846260 1846261
Blocks: 1841236
TreeView+ depends on / blocked
 
Reported: 2020-05-28 16:48 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-09 18:37 UTC (History)
13 users (show)

Fixed In Version: sqlite 3.32.1
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in SQLite when rewriting select statements for window functions. This flaw allows an attacker who can execute SQL statements, to crash the application, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2021-10-28 11:00:03 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4396 0 None None None 2021-11-09 18:37:01 UTC

Description Guilherme de Almeida Suckevicz 2020-05-28 16:48:10 UTC
SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.

Reference and upstream commit:
https://www.sqlite.org/src/info/7a5279a25c57adf1

Comment 1 Guilherme de Almeida Suckevicz 2020-05-28 16:48:50 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841233]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841235]


Created sqlite2 tracking bugs for this issue:

Affects: epel-all [bug 1841232]
Affects: fedora-all [bug 1841234]

Comment 2 Mauro Matteo Cascella 2020-06-11 08:28:31 UTC
Upstream fix:
https://www.sqlite.org/src/info/ad7bb70af9bb68d1

Comment 6 Mauro Matteo Cascella 2020-06-11 12:23:54 UTC
Under some circumstances it is possible for a SQL expression to cause a NULL pointer dereference in sqlite3ExprCodeTarget() in expr.c, when the pInfo->aFunc struct pointer is set to 0. This may happen when rewriting a query for window functions, if the rewrite changes the depth of TK_AGG_FUNCTION nodes. An attacker would need to have a level of access that allows him to write particular SQL expressions to trigger this flaw, leading to a denial of service.

Comment 8 errata-xmlrpc 2021-11-09 18:36:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4396 https://access.redhat.com/errata/RHSA-2021:4396


Note You need to log in before you can comment on or make changes to this bug.