control: tag -1 patch
thanks

On 14.07.2015 15:34, Yuriy M. Kaminskiy wrote:
On 14.07.2015 14:36, László Böszörményi (GCS) wrote:
On Tue, Jul 14, 2015 at 11:41 AM, Yuriy M. Kaminskiy <[email protected]> wrote:
Package: libsqlite3-dev
Version: 3.8.7.1-1+deb8u1
Followup-For: Bug #736463

(was sent to unrelated bug, resending, sorry)
1) I was able to reproduce this bug in jessie's 3.8.7.1 (gdb and valgrind
report attached);
2) I was *NOT* able to reproduce it in (self-backported) sid's 3.8.10.2-1
(and running under valgrind does not show any problem).
[fwiw, test.db created by sid {totally expectedly} kills jessie's sqlite3 on attempt to open it].
However, I have not found respective entry in changelogs (or upstream
commit), so this could be false positive.
I can only repeat that the quick solution is to remove UNIQUE; the
PRIMARY KEY itself guarantees that the specified column will be unique.

:shrug:
There should be no problem with attempt to open a database file obtained from untrusted source, right? It's just data, no executable code[*], etc, right?
Then try to open attached database with jessie's sqlite3.
Or feed it to mozilla (IIRC, there are javascript bindings?)
That is, this is a security problem.

(The fact that UNIQUE constraint is redundant with PRIMARY KEY is completely irrelevant here; e.g. it can be autogenerated code, database should handle that gracefully anyway).

[*] well, almost; there are triggers, but their side effects are limited to altering the database.

Apparently, this commit: http://www.sqlite.org/src/info/d871a7921722bb0f (included in 3.8.9) plugged the SIGSEGV. However, this commit (not yet in any released version): http://www.sqlite.org/src/info/3b936913f3dc2cae suggests that d871a was probably insufficient/broken in some subtle way (and, indeed, I see corruption in patched 3.8.7.1 and [unpatched] 3.8.10.2, triggered by SQL code from the 3b936 test suite). That said, I think d871a792 is probably sufficient for stable (SIGSEGV plugged, the rest is outside of stable scope).
Upstream: http://www.sqlite.org/src/info/d871a7921722bb0f
Closes: #736463

Index: sqlite3-3.8.7.1/src/build.c
===================================================================
--- sqlite3-3.8.7.1.orig/src/build.c
+++ sqlite3-3.8.7.1/src/build.c
@@ -3168,6 +3168,7 @@ Index *sqlite3CreateIndex(
             pIdx->onError = pIndex->onError;
           }
         }
+        pRet = pIdx;
         goto exit_create_index;
       }
     }
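Review bot: the single added line `pRet = pIdx;` makes sqlite3CreateIndex hand its caller the already-existing index (whose onError was just updated in the lines above) instead of jumping to exit_create_index with no result when the requested index duplicates one that is already there, which is consistent with the upstream check-in d871a7921722bb0f named in the patch header. Since the cover text itself says the later upstream check-in 3b936913f3dc2cae indicates d871a792 is incomplete and that corruption is still visible in the patched 3.8.7.1, the debian/changelog entry for this backport should state that only the crash on opening such a database is addressed, and the database attached to the report (or the SQL that recreates it) should go into the package's test suite so the fix for #736463 can be verified on future rebuilds.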

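The "it's just data" point made earlier in the thread is also the defender's opportunity: the schema text that libsqlite3 parses when a database is first used sits in sqlite_master on page 1 of the file and can be read without handing the file to a possibly vulnerable library build. The following is an added example, not code from the bug report or from SQLite: a small reader for that page plus a coarse screen for CREATE statements that carry both PRIMARY KEY and UNIQUE. The sample database is constructed with Python's stdlib sqlite3 module; the reader assumes a UTF-8 database whose schema fits in one leaf page with no overflow pages.

```python
import os, sqlite3, tempfile   # sqlite3 is used only to build the constructed sample

def read_varint(buf, pos):
    # SQLite varint: 7 payload bits per byte, high bit continues; 9th byte is whole.
    v = 0
    for i in range(8):
        v = (v << 7) | (buf[pos + i] & 0x7F)
        if not buf[pos + i] & 0x80:
            return v, pos + i + 1
    return (v << 8) | buf[pos + 8], pos + 9

def decode_record(p):
    # Record = header listing serial types, then the values in the same order.
    hdr_len, pos = read_varint(p, 0)
    types, vals = [], []
    while pos < hdr_len:
        t, pos = read_varint(p, pos)
        types.append(t)
    for t in types:
        n = (t - 12) // 2 if t >= 12 else (0, 1, 2, 3, 4, 6, 8, 8, 0, 0, 0, 0)[t]
        raw, pos = p[pos:pos + n], pos + n
        # NULL -> None, 1..6 -> int, odd >= 13 -> text (UTF-8 assumed), else raw bytes
        vals.append(None if t == 0 else int.from_bytes(raw, "big", signed=True)
                    if t <= 6 else raw.decode("utf-8") if t >= 13 and t & 1 else raw)
    return vals

def schema_statements(data):
    # sqlite_master's root is page 1 (after the 100-byte header); one leaf page assumed.
    if data[:16] != b"SQLite format 3\x00" or data[100] != 0x0D:
        raise ValueError("not an SQLite 3 file with a one-page schema")
    for i in range(int.from_bytes(data[103:105], "big")):          # cell count
        off = int.from_bytes(data[108 + 2 * i:110 + 2 * i], "big")  # cell pointer
        size, pos = read_varint(data, off)                           # payload length
        _, pos = read_varint(data, pos)                              # rowid
        sql = decode_record(data[pos:pos + size])[4]   # type,name,tbl_name,rootpage,sql
        if sql is not None:                            # auto-indexes store NULL sql
            yield sql

def redundant_unique(stmts):
    # Coarse textual screen for the constraint pair the thread discusses.
    return [s for s in stmts if "PRIMARY KEY" in s.upper() and "UNIQUE" in s.upper()]

def sample_db_bytes():
    # Constructed sample: one table with both constraints on a column, one without.
    with tempfile.TemporaryDirectory() as d:
        con = sqlite3.connect(os.path.join(d, "sample.db"))
        con.executescript("CREATE TABLE t(id INTEGER PRIMARY KEY UNIQUE, v TEXT);"
                          "CREATE TABLE plain(a TEXT);")
        con.close()
        with open(os.path.join(d, "sample.db"), "rb") as f:
            return f.read()
```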