SQLite Vulnerabilities reported in NVD

SQLite Vulnerabilities reported in NVD

Saurav Sarkar
Hi All,

We use SQLite 3.8.8.3 in our Windows 8.1 universal application.
We are also using SQLitePCL as a wrapper to work from the C# layer.

Our application is free of any kind of SQL injection as we don't have any
input fields.

We see three vulnerabilities reported recently.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416

I am not aware of the SQLite internals.

I would like to know if my application can get affected due to these
vulnerabilities.

Though I know it should not be, I would like to get any
hints/comments/opinions on the above-mentioned vulnerabilities.

Thanks and Regards,
Saurav
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: SQLite Vulnerabilities reported in NVD

Clemens Ladisch
Saurav Sarkar:
>Our application is free of any kind of SQL injection

Famous last words.  :)

>as we don't have any input fields.

So where does your data come from?
Does your application have any interface that an attacker
could access?

How do you create your SQL statements?
Are you always using bound parameters?

>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414

This requires the attacker to control a collation name.

>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415

This requires the attacker to control the CHECK clause in a CREATE
TABLE statement.

>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416

This requires the attacker to control the format string of the print()
SQL function.


Regards,
Clemens

Re: SQLite Vulnerabilities reported in NVD

Saurav Sarkar
Thanks, Clemens, for your inputs.

We are using parametrized queries and don't have any user interface where
the user can modify anything currently. It's almost a read-only application.
Ours is a file management application.

But we will come up with some functionality where user will be able to
upload random files into our application.
The files will reside into the application sandbox environment.
Once a file is being uploaded, the metadata of that file will get
inserted/updated into DB.

We will also come with rename (a text box) and other CRUD operations
which will require user interaction. This will again trigger the metadata
update into DB.
But the queries will be always parametrized ones.

Regards,
Saurav


Re: SQLite Vulnerabilities reported in NVD

Simon Slavin-3

On 22 Dec 2015, at 7:02am, Saurav Sarkar <[hidden email]> wrote:

> But the queries will be always parametrized ones.

Exploits 1 and 2 are controlled by things which can't be parameterised.

I'm not 100% sure about the format string of a printf, but I can't think of a way to parameterise it.  So you would seem to be safe from those exploits.

I expect Richard to soon announce that the underlying problems have been fixed, anyway.

Simon.
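
The distinction discussed in this thread, between values that can be bound and names or format strings that are kept as program constants, sketched with Python's built-in sqlite3 module. This is an added example, not part of the original thread and not SQLitePCL code; the `files` table and all function names are hypothetical.

```python
import sqlite3

# Collation names are identifiers, not values, so they cannot be bound with "?".
# They are picked from a fixed allowlist instead (these three are SQLite built-ins).
ALLOWED_COLLATIONS = {"BINARY", "NOCASE", "RTRIM"}

def open_db():
    db = sqlite3.connect(":memory:")
    # Schema text, including the CHECK clause, is a constant in the program.
    db.execute("CREATE TABLE files(id INTEGER PRIMARY KEY, "
               "name TEXT NOT NULL CHECK(length(name) > 0), size INTEGER)")
    return db

def add_file(db, name, size):
    cur = db.execute("INSERT INTO files(name, size) VALUES (?, ?)", (name, size))
    return cur.lastrowid

def rename_file(db, file_id, new_name):
    # The text-box value travels only as a bound parameter.
    db.execute("UPDATE files SET name = ? WHERE id = ?", (new_name, file_id))

def list_names(db, collation="NOCASE"):
    if collation not in ALLOWED_COLLATIONS:
        raise ValueError("collation not allowed: %r" % collation)
    sql = "SELECT name FROM files ORDER BY name COLLATE " + collation
    return [row[0] for row in db.execute(sql)]

def describe(db, file_id):
    # The printf() format string is a literal; only the row lookup is bound.
    row = db.execute("SELECT printf('%s (%d bytes)', name, size) "
                     "FROM files WHERE id = ?", (file_id,)).fetchone()
    return row[0]

def collation_can_be_bound(db):
    # SQLite rejects a placeholder where a collation name is expected.
    try:
        db.execute("SELECT name FROM files ORDER BY name COLLATE ?", ("NOCASE",))
        return True
    except sqlite3.Error:
        return False
```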

Re: SQLite Vulnerabilities reported in NVD

Richard Hipp-3
On 12/22/15, Simon Slavin <[hidden email]> wrote:

>
> On 22 Dec 2015, at 7:02am, Saurav Sarkar <[hidden email]> wrote:
>
>> But the queries will be always parametrized ones.
>
> Exploits 1 and 2 are controlled by things which can't be parameterised.
>
> I'm not 100% sure about the format string of a printf, but I can't think of
> a way to parameterise it.  So you would seem to be safe from those
> exploits.
>
> I expect Richard to soon announce that the underlying problems have been
> fixed, anyway.

I do not know where those vulnerability reports originated.  They did
not originate from me.  For that matter, I was never consulted about
them.  None of them represent real vulnerabilities, in my assessment.
All of the problems identified have been fixed for a long time.

I think that these reports achieve nothing beyond vulnerability
fatigue.  I think it is shameful that nvd.nist.gov publishes them.

--
D. Richard Hipp
[hidden email]

Re: SQLite Vulnerabilities reported in NVD

Matthias-Christian Ott
On 2015-12-22 13:48, Richard Hipp wrote:
> I do not know where those vulnerability reports originated.  They did
> not originate from me.  For that matter, I was never consulted about
> them.  None of them represent real vulnerabilities, in my assessment.
> All of the problems identified have been fixed for a long time.

Perhaps it was part of a full disclosure consideration.

> I think that these reports achieve nothing beyond vulnerability
> fatigue.  I think it is shameful that nvd.nist.gov publishes them.

Some software uses the affected versions and it's a good idea they know
that the software is affected. It's a matter of transparency.

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: SQLite Vulnerabilities reported in NVD

Simon Slavin-3

On 22 Dec 2015, at 1:16pm, Matthias-Christian Ott <[hidden email]> wrote:

> Some software uses the affected versions and it's a good idea they know
> that the software is affected. It's a matter of transparency.

But it doesn't say when the vulns are fixed so it's not useful to people looking to fix their vulns.  The Apple version of that report says

Description:  Multiple vulnerabilities existed in SQLite v3.8.5.
These issues were addressed by updating SQLite to version 3.8.10.2.

which is more helpful.

Simon.