Bug 1809315 (CVE-2020-9327) - CVE-2020-9327 sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-9327
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium / medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1809316 1809317 1816572 1840141
Blocks: 1809318
Reported: 2020-03-02 20:24 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-11-04 02:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference was found in SQLite in the way it executes select statements with column optimizations. An attacker who is able to execute SQL statements can use this flaw to crash the application.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:24:33 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4442 0 None None None 2020-11-04 00:59:47 UTC

Description Guilherme de Almeida Suckevicz 2020-03-02 20:24:10 UTC
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

References:
https://www.sqlite.org/cgi/src/info/4374860b29383380
https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e
https://www.sqlite.org/cgi/src/info/abc473fb8fb99900

Comment 1 Guilherme de Almeida Suckevicz 2020-03-02 20:24:34 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1809316]


Created sqlite3 tracking bugs for this issue:

Affects: fedora-all [bug 1809317]

Comment 2 Riccardo Schirone 2020-03-24 09:33:31 UTC
In some cases it is possible for a SQL expression to cause a NULL pointer dereference in impliesNotNullRow() in expr.c, when the pTab field of a pLeft (or pRight) expression of a node is set to 0. This may happen in functions whereIndexExprTransColumn() and whereIndexExprTransNode() in wherecode.c. An attacker would need to have a level of access that allows him to write particular SQL expressions to trigger this flaw, leading to a denial of service.

Comment 5 Riccardo Schirone 2020-03-24 09:57:36 UTC
The version of SQLite as shipped in Red Hat Enterprise Linux 7 has different code compared to the vulnerable versions and the same flaw does not seem to be present there. In particular, there is no function impliesNotNullRow() or similar.

Comment 6 Guilherme de Almeida Suckevicz 2020-05-26 13:05:23 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1840141]

Comment 7 errata-xmlrpc 2020-11-04 01:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4442 https://access.redhat.com/errata/RHSA-2020:4442

Comment 8 Product Security DevOps Team 2020-11-04 02:24:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9327
