Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability

2019-05-25 Thread Robert Scott
> Alternatively, it could be related to:
> https://www.sqlite.org/src/info/4feb3159c6bc3f7e33959
> 
> This was released as a part of 3.27.2 and looks like it has the right
> text as well.  What concerns me is that the ticket[0] is almost a week
> before TALOS's timeline for "Vendor patched" plus it mentioned "free
> that has not been malloc'ed" rather than "use after free".  That said,
> the test case examples for both issues are similar.

This looks like a promising candidate. If you have the actual test case 
examples (I don't seem to be able to find them) it's surely "just" a matter of 
trying the PoC against this revision and its parent. Or going a bit further, 
using it to bisect between 3.27 and 3.28 (using a git mirror of the source).


robert.


Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability

2019-05-18 Thread Niels Thykier
On Thu, 16 May 2019 20:09:52 +0200
László Böszörményi (GCS)  wrote:
> Hi,
> 
> On Thu, May 16, 2019 at 11:57 AM Pirate Praveen
>  wrote:
> > On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
> >  wrote:
> > > Source: sqlite3
> > > The following vulnerability was published for sqlite3.
> > > CVE-2019-5018[0]:
> > > Window Function Remote Code Execution Vulnerability
> > Could this be that commit? I have not checked thoroughly, only looked at
> > the commit message.
> >
> > "Prevent aliases of window functions expressions from being used as
> > arguments to aggregate or other window functions."
> >
> > https://sqlite.org/src/info/1e16d3e8fc60d39c
>  Can be, but not sure. At least four sqlite 3.x issues were reported
> recently and as far as I know, upstream is usually not informed about these.
> :-/
> 
> > > [1] 
> > > https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
> 
> Regards,
> Laszlo/GCS
> 
> 


According to the TALOS link from the initial mail, TALOS informed the
vendor and the vendor provided on the same day as that commit.

"""
Timeline

2019-02-05 - Vendor Disclosure
2019-03-07 - 30 day follow up with vendor; awaiting moderator approval
2019-03-28 - Vendor patched
2019-05-09 - Public Release
"""

So this implies that there is a patch and it would be dated no later
than 2019-03-28 (caveat emptor: time zones).  It *might* be fixed in
3.28 (TALOS does not mention it as vulnerable), but the changelog does
not mention this explicitly[1].

Alternatively, it could be related to:
https://www.sqlite.org/src/info/4feb3159c6bc3f7e33959

This was released as a part of 3.27.2 and looks like it has the right
text as well.  What concerns me is that the ticket[0] is almost a week
before TALOS's timeline for "Vendor patched" plus it mentioned "free
that has not been malloc'ed" rather than "use after free".  That said,
the test case examples for both issues are similar.

Thanks,
~Niels

[0] Related and correct commit appears to be:
https://www.sqlite.org/src/info/a21ffcd8176672e7

(Based on https://www.sqlite.org/src/info/579b66eaa0816561)

[1] https://www.sqlite.org/draft/changes.html



Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability

2019-05-16 Thread GCS
Hi,

On Thu, May 16, 2019 at 11:57 AM Pirate Praveen
 wrote:
> On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
>  wrote:
> > Source: sqlite3
> > The following vulnerability was published for sqlite3.
> > CVE-2019-5018[0]:
> > Window Function Remote Code Execution Vulnerability
> Could this be that commit? I have not checked thoroughly, only looked at
> the commit message.
>
> "Prevent aliases of window functions expressions from being used as
> arguments to aggregate or other window functions."
>
> https://sqlite.org/src/info/1e16d3e8fc60d39c
 Can be, but not sure. At least four sqlite 3.x issues were reported
recently and as far as I know, upstream is usually not informed about these.
:-/

> > [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777

Regards,
Laszlo/GCS



Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability

2019-05-16 Thread Pirate Praveen
On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
 wrote:
> Source: sqlite3
> Version: 3.27.2-2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for sqlite3.
> 
> CVE-2019-5018[0]:
> Window Function Remote Code Execution Vulnerability
> 
> The issue must have been fixed upstream around 2019-03-28, but no
> upstream fixing commit is referenced at [1].
> 

Could this be that commit? I have not checked thoroughly, only looked at
the commit message.

"Prevent aliases of window functions expressions from being used as
arguments to aggregate or other window functions."

https://sqlite.org/src/info/1e16d3e8fc60d39c


> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-5018
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018
> [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
> 
> Regards,
> Salvatore
> 
> 





Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability

2019-05-10 Thread Salvatore Bonaccorso
Source: sqlite3
Version: 3.27.2-2
Severity: grave
Tags: security
Justification: user security hole

Hi,

The following vulnerability was published for sqlite3.

CVE-2019-5018[0]:
Window Function Remote Code Execution Vulnerability

The issue must have been fixed upstream around 2019-03-28, but no
upstream fixing commit is referenced at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777

Regards,
Salvatore