Bug report


Bug report

Yongheng Chen
Hi,

This is Yongheng Chen from Gatech and Rui Zhong from PSU. We found 7 crashes for sqlite of the newest commit 3842e8f166e23a1ed6e6094105e7a23502d414da. We have attached the samples that crash sqlite in the email. FYI, we have also reported the bugs for CVE at cve.mitre.org <http://cve.mitre.org/>.

Thanks,

Yongheng & Rui

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: Bug report

Kees Nuyt
On Tue, 19 Nov 2019 00:19:13 -0500, you wrote:

> Hi,
>
> This is Yongheng Chen from Gatech and Rui Zhong from PSU.
> We found 7 crashes for sqlite of the newest commit
> 3842e8f166e23a1ed6e6094105e7a23502d414da.
> We have attached the samples that crash sqlite in the email.

The mailing list strips attachments. Please insert them in the body text of your
message, or mail them to Richard Hipp.

> FYI, we have also reported the bugs for CVE
> at cve.mitre.org <http://cve.mitre.org/>.

Can you tell us the CVE number?


--
Regards,

Kees Nuyt


Re: Bug report

Jose Isaias Cabrera-4

Name / Description

CVE-2019-9937 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9937>
    In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.

CVE-2019-9936 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9936>
    In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.

CVE-2019-5827 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827>
    Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-3784 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3784>
    Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id.

CVE-2019-16168 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168>
    In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

CVE-2019-10752 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10752>
    Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

CVE-2018-8740 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8740>
    In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.

CVE-2018-7774 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7774>
    The vulnerability exists within processing of localize.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the username input parameter.


Re: Bug report

Richard Hipp-3
In reply to this post by Yongheng Chen
On 11/19/19, Yongheng Chen <[hidden email]> wrote:
> Hi,
>
> This is Yongheng Chen from Gatech and Rui Zhong from PSU. We found 7 crashes
> for sqlite of the newest commit 3842e8f166e23a1ed6e6094105e7a23502d414da.
> We have attached the samples that crash sqlite in the email. FYI, we have
> also reported the bugs for CVE at cve.mitre.org <http://cve.mitre.org/>.

There were just two bugs, both related to the new (unreleased)
generated column feature.  Both have now been fixed on trunk.  Thank
you for the bug reports.

In as much as these problems have never appeared in a released version
of SQLite, I think a CVE would be inappropriate.  But I don't really
understand CVEs so perhaps I am wrong.

Please consider following SQLite development on the official
source-code repository.  You can see the latest changes here:

    https://sqlite.org/src/timeline

If you click on any of the check-in hashes, that will take you to a
page that contains links to download tarballs and/or ZIP archives of
the latest code.  Or you can use Fossil to clone the repository.  See
https://www.sqlite.org/getthecode.html for additional information
about how to get the official SQLite source code.

The filenames of your test cases suggest that they were generated by
AFL.  How did you find these issues?  Do you have new and enhanced AFL
fuzzer, perhaps one in which you have replaced the default mutator
with an SQL-language generator?  Can you tell us more about your new
fuzzer?

--
D. Richard Hipp
[hidden email]

Re: Bug report

Kees Nuyt
In reply to this post by Jose Isaias Cabrera-4

Thanks, Jose.

I see no CVE entered by the OP, but maybe I missed something.

A quick look to your list :

> Name    Description
> CVE-2019-9937 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9937>
> In SQLite 3.27.2, interleaving reads and writes in a single transaction with
> an fts5 virtual table will lead to a NULL Pointer Dereference in
> fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and
> ext/fts5/fts5_index.c.

Resolved 2019-03-18


> CVE-2019-9936 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9936>
> In SQLite 3.27.2, running fts5 prefix queries inside a transaction could
> trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which
> may lead to an information leak. This is related to ext/fts5/fts5_hash.c.

Resolved 2019-03-18


> CVE-2019-5827 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827>
> Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131
> allowed a remote attacker to potentially exploit heap corruption via a crafted
> HTML page.

Resolved 2019-04-13


> CVE-2019-3784 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3784>
> Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session
> that can be spoofed. When deployed on cloud foundry with multiple instances
> using the default embedded SQLite database, a remote authenticated malicious
> user can switch sessions to another user with the same session id.

Application error


> CVE-2019-16168 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168>
> In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a
> browser or other application because of missing validation of a sqlite_stat1
> sz field, aka a "severe division by zero in the query planner."

Resolved 2019-08-15


> CVE-2019-10752 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10752>
> Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to
> SQL Injection due to sequelize.json() helper function not escaping values
> properly when formatting sub paths for JSON queries for MySQL, MariaDB and
> SQLite.

Application error


> CVE-2018-8740 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8740>
> In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE
> TABLE AS statement could cause a NULL pointer dereference, related to build.c
> and prepare.c.

Resolved 2018-03-16


> CVE-2018-7774 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7774>
> The vulnerability exists within processing of localize.php in Schneider
> Electric U.motion Builder software versions prior to v1.3.4. The underlying
> SQLite database query is subject to SQL injection on the username input
> parameter.

Application error


--
Regards,
Kees Nuyt

Re: Bug report

Jose Isaias Cabrera-4

Kees Nuyt, on Thursday, November 21, 2019 03:48 PM, wrote...
>
>
> Thanks, Jose.
>
> I see no CVE entered by the OP, but maybe I missed something.

Yes, you are right.  After pasting it, I went through the top 5 and none of these aren't/weren't the one. Apologies.  I thought that by searching on sqlite the top 5 or so would be the one that was just opened, but for some reason, it was not.  Sorry about that.  Fast fingers Jose.

josé


Re: Bug report

Kees Nuyt
On Thu, 21 Nov 2019 21:02:57 +0000, Jose Isaias Cabrera wrote:

>Kees Nuyt, on Thursday, November 21, 2019 03:48 PM, wrote...
[...]
>>
>> I see no CVE entered by the OP, but maybe I missed something.
>
> Yes, you are right.  After pasting it, I went through the top 5
> and none of these aren't/weren't the one. Apologies.
> I thought that by searching on sqlite the top 5 or so
> would be the one that was just opened, but for some reason,
> it was not.  Sorry about that.  Fast fingers Jose.

No problem!
We'll wait for more input from the OP.

--
Regards,
Kees Nuyt

Re: Bug report

Simon Slavin-3
CVE will not record this bug if it doesn't affect a /released/ version of any product.  One hopes that none of the products which incorporate SQLite would incorporate a version of SQLite which never received a release number.

In other words, the reporters told the developer team before the bug became a problem.  Very good.