1809315 – (CVE-2020-9327) CVE-2020-9327 sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations

Bug 1809315 (CVE-2020-9327) - CVE-2020-9327 sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations

Summary: CVE-2020-9327 sqlite: NULL pointer dereference and segmentation fault because...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-9327
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1809316 1809317 1816572 1840141
Blocks:	1809318
TreeView+	depends on / blocked

Reported:	2020-03-02 20:24 UTC by Guilherme de Almeida Suckevicz
Modified:	2020-11-04 02:24 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer dereference was found in SQLite in the way it executes select statements with column optimizations. An attacker who is able to execute SQL statements can use this flaw to crash the application.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:24:33 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4442	0	None	None	None	2020-11-04 00:59:47 UTC

Description Guilherme de Almeida Suckevicz 2020-03-02 20:24:10 UTC

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

References:
https://www.sqlite.org/cgi/src/info/4374860b29383380
https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e
https://www.sqlite.org/cgi/src/info/abc473fb8fb99900

Comment 1 Guilherme de Almeida Suckevicz 2020-03-02 20:24:34 UTC

Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1809316]


Created sqlite3 tracking bugs for this issue:

Affects: fedora-all [bug 1809317]

Comment 2 Riccardo Schirone 2020-03-24 09:33:31 UTC

In some cases it is possible for a SQL expression to cause a NULL pointer dereference in impliesNotNullRow() in expr.c, when the pTab field of a  pLeft(or pRight) expression of a node is set to 0. This may happen in functions whereIndexExprTransColumn() and whereIndexExprTransNode() in wherecode.c. An attacker would need to have a level of access that allows him to write particular SQL expressions to trigger this flaw, leading to a denial of service.

Comment 5 Riccardo Schirone 2020-03-24 09:57:36 UTC

The version of SQLite as shipped in Red Hat Enterprise Linux 7 has different code compared to the vulnerable versions and the same flaw does not seem to be present there. In particular, there is no function impliesNotNullRow() or similar.

Comment 6 Guilherme de Almeida Suckevicz 2020-05-26 13:05:23 UTC

Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1840141]

Comment 7 errata-xmlrpc 2020-11-04 01:00:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442

Comment 8 Product Security DevOps Team 2020-11-04 02:24:33 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9327

Note You need to log in before you can comment on or make changes to this bug.