subject:"Re\: \[sqlite\] SQLite CVE\-2015\-6607 \(Escalation of privilege issue \)"

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Richard Hipp

On 4/17/17, Simon Slavin  wrote:
>
> On 17 Apr 2017, at 10:29pm, Michael Falconer 
> wrote:
>
>> From an old (2012) blog report HERE
>> 
>
> Your recent links appear to be for other problems.  This one, for instance,
> is from 2012.

The 2012 report does not provide any details.  I have no idea what the
complaint is.

My guess is that it is another case of:  If you give untrusted users
unfettered SQL access, they can do harmful things.  My response to
this is "Duh!"

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Simon Slavin

On 17 Apr 2017, at 10:29pm, Michael Falconer  
wrote:

> From an old (2012) blog report HERE
> 

Your recent links appear to be for other problems.  This one, for instance, is 
from 2012.

Simon.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Richard Hipp

On 4/17/17, Michael Falconer  wrote:
> These may enlighten a little..at least it appears to be related?
>
>  http://www.cvedetails.com/cve/CVE-2015-6607/
>
> IBM report 

Huh.  That's not much of a vulnerability.

If an attacker can execute arbitrary SQL (notice that they must
already be well inside the system to do this) then they can run a
query like this:

 SELECT printf('%10d', 0);

And that query does a malloc for a 1-billion-byte (plus 1) buffer in
which to write the result, which might cause problems elsewhere in the
system.  Or at least that is how I read the bug report.

We added the SQLITE_PRINTF_PRECISION_LIMIT compile-time option here
(http://sqlite.org/src/timeline?c=ecad75d69e0d5c83dd35) to deal with
that problem for the rare application that gives untrusted users the
ability to run unvetted SQL.
-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Michael Falconer

Just amusing, and found while looking for above.

Researchers have disclosed a vulnerability in *Android's* SQLite that can
> leak sensitive information without an application having adequate
> privileges.
>
So when did DRH sell out to Android? :-)

From an old (2012) blog report HERE


Getting a sense that it's more about Android than sqlite, just as DRH
suggested.


-- 
Regards,
 Michael.j.Falconer.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Michael Falconer

These may enlighten a little..at least it appears to be related?

 http://www.cvedetails.com/cve/CVE-2015-6607/

IBM report 




On 17 April 2017 at 22:09, Simon Slavin  wrote:

>
> On 17 Apr 2017, at 10:35am, Saurav Sarkar 
> wrote:
>
> > Can you please also let me know how this bug can be exploited in an
> > application.
>
> The problem was apparently spotted as a theoretical vulnerability and no
> demonstration code was submitted.  It was never reported to the SQLite
> development team, so the team has no record of what was wrong, what it did,
> or how to exploit it.
>
> From what I can see, it affected only versions of Android before Android
> 5.1.  It allowed an application with exploit code in, if given sufficient
> privilages, to modify certain system files.  I don’t know which files it
> could modify or what damage could be done that way.  If you can find
> discussion of the problem or demonstration code I think it would be welcome
> here.
>
> Simon.
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>



-- 
Regards,
 Michael.j.Falconer.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Simon Slavin

On 17 Apr 2017, at 10:35am, Saurav Sarkar  wrote:

> Can you please also let me know how this bug can be exploited in an
> application.

The problem was apparently spotted as a theoretical vulnerability and no 
demonstration code was submitted.  It was never reported to the SQLite 
development team, so the team has no record of what was wrong, what it did, or 
how to exploit it.

From what I can see, it affected only versions of Android before Android 5.1.  
It allowed an application with exploit code in, if given sufficient privilages, 
to modify certain system files.  I don’t know which files it could modify or 
what damage could be done that way.  If you can find discussion of the problem 
or demonstration code I think it would be welcome here.

Simon.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Richard Hipp

On 4/17/17, Saurav Sarkar  wrote:
> Dear SQLite Experts,
>
> This is regarding SQlite vulnerability
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607

I don't know anything about this.  It is the first I've heard of it.
I could not figure out what it has to do with SQLite based on the link
above.  My assumption this is some kind of bug in the Android
interface to SQLite, not in SQLite itself.

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Saurav Sarkar

Thanks Simon for the reply.

Can you please also let me know how this bug can be exploited in an
application.

I am just using Android API (SQLiteOpenHelper) for SQLite to access
SQLiteDB CRUD operations.

We don't have authorization feature built into our client side. Even
authentication is done from the server side.
End Users don't have access to db directly. No SQL injection is possible
too.

Just wanted to check if this bug can be exploited in our application.

Best Regards,
Saurav

On Mon, Apr 17, 2017 at 2:46 PM, Simon Slavin  wrote:

>
> On 17 Apr 2017, at 9:56am, Saurav Sarkar  wrote:
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607
> >
> > It mentions the escalation of privilege attack in Android due to an
> > internal bug in SQlite
> >
> > We use SQLite distributed with Android in our application and use the
> > normal Android APIs for SQLite Access .And use it for our CRUD
> operations.
> >
> > I did not find any more details about this bug so would like to know in
> > this list if this is a problem.
>
> SQLite 3.8.9, which according to the announcement fixed the relevant bug,
> was released in April 2015, which is now two years ago.
>
> As described in the report, if you’re still using a version of Android
> before 5.1.1 the bug will still effect the platform.
>
> > Would like to know if the same vulnerability applies for Windows
> universal
> > platform as well.
>
> SQLite is not built into that platform.  If you wish to use SQLite on WUP
> yourself, just make sure you include a current version, not a two year old
> version.
>
> Simon.
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Simon Slavin

On 17 Apr 2017, at 9:56am, Saurav Sarkar  wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607
> 
> It mentions the escalation of privilege attack in Android due to an
> internal bug in SQlite
> 
> We use SQLite distributed with Android in our application and use the
> normal Android APIs for SQLite Access .And use it for our CRUD operations.
> 
> I did not find any more details about this bug so would like to know in
> this list if this is a problem.

SQLite 3.8.9, which according to the announcement fixed the relevant bug, was 
released in April 2015, which is now two years ago.

As described in the report, if you’re still using a version of Android before 
5.1.1 the bug will still effect the platform.

> Would like to know if the same vulnerability applies for Windows universal
> platform as well.

SQLite is not built into that platform.  If you wish to use SQLite on WUP 
yourself, just make sure you include a current version, not a two year old 
version.

Simon.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

9 matches

Site Navigation

Mail list logo

Footer information