Bug 1841562 (CVE-2020-13630) - CVE-2020-13630 sqlite: Use-after-free in fts3EvalNextRow in ext/fts3/fts3.c
Summary: CVE-2020-13630 sqlite: Use-after-free in fts3EvalNextRow in ext/fts3/fts3.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13630
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1841564 1841565 1841566 1845153 1845212
Blocks: 1841236
TreeView+ depends on / blocked
 
Reported: 2020-05-29 13:23 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-05-19 09:54 UTC (History)
13 users (show)

Fixed In Version: sqlite 3.32.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the SQLite FTS3 extension module in the way it implemented the snippet function. This flaw allows an attacker who can execute SQL statements to crash the application or potentially execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:25:33 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4442 0 None None None 2020-11-04 00:59:53 UTC

Description Guilherme de Almeida Suckevicz 2020-05-29 13:23:34 UTC
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.

Reference and upstream commit:
https://sqlite.org/src/info/0d69f76f0865f962

Comment 1 Guilherme de Almeida Suckevicz 2020-05-29 13:24:06 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841564]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841566]


Created sqlite2 tracking bugs for this issue:

Affects: fedora-all [bug 1841565]

Comment 5 Mauro Matteo Cascella 2020-06-08 16:56:45 UTC
This flaw was apparently introduced in SQLite upstream version 3.8.9 with the following commit:
  -> https://github.com/sqlite/sqlite/commit/18f6ff9eb7db02356102283c28053b0a602f55d7

Comment 6 Mauro Matteo Cascella 2020-06-08 17:10:21 UTC
Statement:

This flaw did not affect the versions of SQLite as shipped with Red Hat Enterprise Linux 7 as they did not include the vulnerable code, which was introduced in a later version of the package.

Comment 7 Mauro Matteo Cascella 2020-06-08 17:48:39 UTC
According to the documentation, FTS3 is an extension module that allows users to create special virtual tables with a built-in full-text index to efficiently perform full-text searches on a set of documents (https://www.sqlite.org/fts3.html). Under some circumstances it is possible for a SQL SELECT statement to cause a use-after-free while performing a full-text query on FTS3 virtual tables. Specifically, a new SegReader object can be allocated, free'd and then used in functions sqlite3Fts3SegReaderNew(), sqlite3Fts3SegReaderFree() and fts3SnippetAdvance() respectively. For this attack to be successful, an attacker would need to have a level of access that allows him to write particular SQL expressions that use the snippet function to perform full-text queries on FTS3 tables.

Comment 8 errata-xmlrpc 2020-11-04 00:59:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442

Comment 9 Product Security DevOps Team 2020-11-04 02:25:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13630

Comment 10 errata-xmlrpc 2021-05-18 16:30:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1968 https://access.redhat.com/errata/RHSA-2021:1968


Note You need to log in before you can comment on or make changes to this bug.