clusterfuzz-found issue in GDAL, Ubuntu packages

Seth Arnold
Hello; Even Rouault privately reported to Ubuntu Launchpad a bug in
sqlite3 as shipped in Ubuntu 16.04 LTS (and possibly other releases,
so far I've not tested the others). Valgrind reports multiple 1 byte
invalid reads.

This bug was discovered by Google's clusterfuzz project when fuzzing GDAL.

The currently-closed bugs are:
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405

This apparently was fixed before 3.17.

How should we proceed? I feel awkwardly out of place since clusterfuzz
didn't report the bug to me but I do have a database and instructions
to reproduce it. I'm guessing that probably the GDAL team would need
help from the sqlite3 team to address the issue anyway. I'd rather not
wait 90 days for the original clusterfuzz bug to be made public.

I'm not subscribed to the list so I'd appreciate Cc:s on replies.

Thanks

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: clusterfuzz-found issue in GDAL, Ubuntu packages

Richard Hipp-3
I'm confused...

Are you reporting that clusterfuzz found a bug in SQLite that was
fixed in version 3.17.0?

On 6/30/17, Seth Arnold <[hidden email]> wrote:

> Hello; Even Rouault privately reported to Ubuntu Launchpad a bug in
> sqlite3 as shipped in Ubuntu 16.04 LTS (and possibly other releases,
> so far I've not tested the others). Valgrind reports multiple 1 byte
> invalid reads.
>
> This bug was discovered by Google's clusterfuzz project when fuzzing GDAL.
>
> The currently-closed bugs are:
> https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
>
> This apparently was fixed before 3.17.
>
> How should we proceed? I feel awkwardly out of place since clusterfuzz
> didn't report the bug to me but I do have a database and instructions
> to reproduce it. I'm guessing that probably the GDAL team would need
> help from the sqlite3 team to address the issue anyway. I'd rather not
> wait 90 days for the original clusterfuzz bug to be made public.
>
> I'm not subscribed to the list so I'd appreciate Cc:s on replies.
>
> Thanks
>


--
D. Richard Hipp
[hidden email]

Re: clusterfuzz-found issue in GDAL, Ubuntu packages

Even Rouault
On Saturday 1 July 2017 06:07:30 CEST Richard Hipp wrote:
> I'm confused...
>
> Are you reporting that clusterfuzz found a bug in SQLite that was
> fixed in version 3.17.0?

Seth, I can make the Launchpad bug report public if you wish. I marked it
private in case Ubuntu felt it was better. I don't care that much about
disclosing it publicly.

Richard, yes. I bisected the issue (heap buffer overflow read on a corrupted
database, on a SELECT on an RTree) to a commit that appeared first in 3.17.0,
but the commit doesn't explicitly mention fixing a corruption issue. It looks
more like a side effect. Ubuntu 16.04 ships with sqlite 3.11.0. I managed to
apply the patch corresponding to the commit on top of 3.11.0, and it fixed the
issue in 3.11.0 as well, but I don't have the expertise to know if it is a
safe backport.

Even

>
> On 6/30/17, Seth Arnold <[hidden email]> wrote:
> > Hello; Even Rouault privately reported to Ubuntu Launchpad a bug in
> > sqlite3 as shipped in Ubuntu 16.04 LTS (and possibly other releases,
> > so far I've not tested the others). Valgrind reports multiple 1 byte
> > invalid reads.
> >
> > This bug was discovered by Google's clusterfuzz project when fuzzing GDAL.
> >
> > The currently-closed bugs are:
> > https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
> > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
> >
> > This apparently was fixed before 3.17.
> >
> > How should we proceed? I feel awkwardly out of place since clusterfuzz
> > didn't report the bug to me but I do have a database and instructions
> > to reproduce it. I'm guessing that probably the GDAL team would need
> > help from the sqlite3 team to address the issue anyway. I'd rather not
> > wait 90 days for the original clusterfuzz bug to be made public.
> >
> > I'm not subscribed to the list so I'd appreciate Cc:s on replies.
> >
> > Thanks


--
Spatialys - Geospatial professional services
http://www.spatialys.com

Re: clusterfuzz-found issue in GDAL, Ubuntu packages

Richard Hipp-3
On 7/1/17, Even Rouault <[hidden email]> wrote:

> On Saturday 1 July 2017 06:07:30 CEST Richard Hipp wrote:
>> I'm confused...
>>
>> Are you reporting that clusterfuzz found a bug in SQLite that was
>> fixed in version 3.17.0?
>
> Seth, I can make the Launchpad bug report public if you wish. I marked it
> private in case Ubuntu felt it was better. I don't care that much about
> disclosing it publicly.
>
> Richard, yes. I bisected the issue (heap buffer overflow read on a corrupted
> database, on a SELECT on an RTree) to a commit that appeared first in 3.17.0,

Can you tell me which commit?

--
D. Richard Hipp
[hidden email]

Re: clusterfuzz-found issue in GDAL, Ubuntu packages

Seth Arnold
[Sorry for the late reply, but I enjoyed a nice long weekend except
for the sunburns. I kept the wider Cc:s since it feels like this can
be opened.]

On Sat, Jul 01, 2017 at 12:52:54PM +0200, Even Rouault wrote:
> Seth, I can turn the Launchpad bug report as public if you wish. I
> marked it privately if Ubuntu felt it was better. I don't care that much
> about disclosing it publicly.

Aha, I wasn't certain we were allowed to mark it public yet. I don't want
to upset anyone needlessly, but it would be easier to discuss the bug in
public. (Especially since it appears to be 'just' out-of-bound reads. This
can of course be surprising and have non-obvious consequences, but it
doesn't immediately lead to e.g. remote code execution.)

Does this issue sound like it should receive a CVE to ensure other
consumers of sqlite3 discover it? I'm happy to do the paperwork if so.

On Sat, Jul 01, 2017 at 11:28:10AM -0400, Richard Hipp wrote:
> A proper fix for the problem can be seen at https://sqlite.org/src/info/66de6f4a

Now this is short and sweet. I like the look of this patch quite a lot
more than the start of the larger transformation.

On Sat, Jul 01, 2017 at 05:40:57PM +0200, Even Rouault wrote:

> > The plain ASCII patch can be seen at
> > https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
>
> I've just applied this patch on top of 3.11.0. It applies cleanly
>
> patching file ext/rtree/rtree.c
> Hunk #1 succeeded at 3153 (offset -282 lines).
> patching file ext/rtree/rtreeA.test
>
> and I confirm that it solves the issue !

Very good news! Thank you both.

Re: clusterfuzz-found issue in GDAL, Ubuntu packages

Even Rouault
> Aha, I wasn't certain we were allowed to mark it public yet. I don't want
> to upset anyone needlessly, but it would be easier to discuss the bug in
> public.

I've just turned
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937 public

> (Especially since it appears to be 'just' out-of-bound reads. This
> can of course be surprising and have non-obvious consequences, but it
> doesn't immediately lead to e.g. remote code execution.)
>
> Does this issue sound like it should receive a CVE to ensure other
> consumers of sqlite3 discover it? I'm happy to do the paperwork if so.

Probably a good idea. Will make their own fuzzing efforts easier at least :-) Thanks

--
Spatialys - Geospatial professional services
http://www.spatialys.com