In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. References: https://www.sqlite.org/cgi/src/info/4374860b29383380 https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e https://www.sqlite.org/cgi/src/info/abc473fb8fb99900
Created mingw-sqlite tracking bugs for this issue: Affects: fedora-all [bug 1809316] Created sqlite3 tracking bugs for this issue: Affects: fedora-all [bug 1809317]
In some cases it is possible for a SQL expression to cause a NULL pointer dereference in impliesNotNullRow() in expr.c, when the pTab field of a pLeft(or pRight) expression of a node is set to 0. This may happen in functions whereIndexExprTransColumn() and whereIndexExprTransNode() in wherecode.c. An attacker would need to have a level of access that allows him to write particular SQL expressions to trigger this flaw, leading to a denial of service.
The version of SQLite as shipped in Red Hat Enterprise Linux 7 has different code compared to the vulnerable versions and the same flaw does not seem to be present there. In particular, there is no function impliesNotNullRow() or similar.
Created sqlite tracking bugs for this issue: Affects: fedora-all [bug 1840141]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9327