Bug 1841574 (CVE-2020-13632) - CVE-2020-13632 sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query
Summary: CVE-2020-13632 sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c vi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13632
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1841575 1841576 1841577 1845572 1845615
Blocks: 1841236
TreeView+ depends on / blocked
 
Reported: 2020-05-29 13:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-05-19 09:54 UTC (History)
13 users (show)

Fixed In Version: sqlite 3.32.0
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the matchinfo auxiliary function of the SQLite FTS3 extension module. This flaw allows an attacker who can execute SQL statements to crash the application, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:25:39 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4442 0 None None None 2020-11-04 01:00:00 UTC

Description Guilherme de Almeida Suckevicz 2020-05-29 13:39:06 UTC 
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.

Reference and upstream commit:
https://sqlite.org/src/info/a4dd148928ea65bd
Comment 1 Guilherme de Almeida Suckevicz 2020-05-29 13:39:35 UTC 
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841575]


Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1841577]


Created sqlite2 tracking bugs for this issue:

Affects: fedora-all [bug 1841576]
Comment 4 Mauro Matteo Cascella 2020-06-09 15:56:08 UTC 
According to the documentation, FTS3 is an extension module that allows users to create special virtual tables with a built-in full-text index to efficiently perform full-text searches on a set of documents (https://www.sqlite.org/fts3.html). Under some circumstances it is possible for a SQL SELECT statement to cause a NULL pointer dereference while performing a full-text query on FTS3 virtual tables using the matchinfo function (https://www.sqlite.org/fts3.html#matchinfo). This may occur in function fts3ColumnlistCount() in fts3_snippet.c, when the pEnd pointer ends up being set to 0 in a while loop. For this attack to be successful, an attacker would need to have a level of access that allows him to write particular SQL expressions that use the matchinfo function to perform full-text queries on FTS3 tables.
Comment 5 Mauro Matteo Cascella 2020-06-09 16:16:17 UTC 
Function fts3ExprLHits() in fts3_snippet.c was responsible for calling fts3ColumnlistCount() with an invalid pointer. The former was introduced in SQLite upstream version 3.8.11 with the following commit:
  -> https://github.com/sqlite/sqlite/commit/e60aedc564c6f7291143b33a90869529b1676b35

It was fixed in upstream version 3.32.0 (see Comment 0).
Comment 6 Mauro Matteo Cascella 2020-06-09 16:18:13 UTC 
Statement:

This flaw did not affect the versions of SQLite as shipped with Red Hat Enterprise Linux 7 as they did not include the vulnerable code, which was introduced in a later version of the package.
Comment 8 errata-xmlrpc 2020-11-04 01:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442
Comment 9 Product Security DevOps Team 2020-11-04 02:25:39 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13632
Comment 10 errata-xmlrpc 2021-05-18 16:30:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1968 https://access.redhat.com/errata/RHSA-2021:1968
Note You need to log in before you can comment on or make changes to this bug.