Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Saurav Sarkar
Thanks Simon for the reply.

Can you please also let me know how this bug can be exploited in an
application.

I am just using Android API (SQLiteOpenHelper) for SQLite to access
SQLiteDB CRUD operations.

We don't have authorization feature built into our client side. Even
authentication is done from the server side.
End Users don't have access to db directly. No SQL injection is possible
too.

Just wanted to check if this bug can be exploited in our application.

Best Regards,
Saurav

On Mon, Apr 17, 2017 at 2:46 PM, Simon Slavin <slav...@bigfraud.org> wrote:

>
> On 17 Apr 2017, at 9:56am, Saurav Sarkar <saurav.sark...@gmail.com> wrote:
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607
> >
> > It mentions the escalation of privilege attack in Android due to an
> > internal bug in SQLite.
> >
> > We use SQLite distributed with Android in our application and use the
> > normal Android APIs for SQLite access, and use it for our CRUD
> > operations.
> >
> > I did not find any more details about this bug so would like to know in
> > this list if this is a problem.
>
> SQLite 3.8.9, which according to the announcement fixed the relevant bug,
> was released in April 2015, which is now two years ago.
>
> As described in the report, if you’re still using a version of Android
> before 5.1.1 the bug will still affect the platform.
>
> > Would like to know if the same vulnerability applies for Windows
> > universal platform as well.
>
> SQLite is not built into that platform.  If you wish to use SQLite on WUP
> yourself, just make sure you include a current version, not a two year old
> version.
>
> Simon.
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>


[sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )

2017-04-17 Thread Saurav Sarkar
Dear SQLite Experts,

This is regarding an SQLite vulnerability:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607

It mentions the escalation of privilege attack in Android due to an
internal bug in SQLite.

We use SQLite distributed with Android in our application and use the
normal Android APIs for SQLite access, and use it for our CRUD operations.

I did not find any more details about this bug so would like to know in
this list if this is a problem.

Also we have a Universal Windows platform based application where we use
SQLite as external dependency and use for same CRUD operations.

Would like to know if the same vulnerability applies for Windows universal
platform as well.

Thanks and Best Regards,
Saurav


[sqlite] SQLite Vulnerabilities reported in NVD

2015-12-22 Thread Saurav Sarkar
Thanks Clemens for your inputs.

We are using parametrized queries and don't have any user interface where
the user can modify anything currently. It's almost a read-only application.
Ours is a file management application.

But we will come up with some functionality where the user will be able to
upload random files into our application.
The files will reside in the application sandbox environment.
Once a file is uploaded, the metadata of that file will get
inserted/updated into the DB.

We will also come up with rename (a text box) and other CRUD operations
which will require user interaction. This will again trigger the metadata
update into the DB.
But the queries will always be parametrized ones.

Regards,
Saurav

On Tue, Dec 22, 2015 at 12:12 PM, Clemens Ladisch wrote:

> Saurav Sarkar:
> >Our application is free of any kind of SQL injection
>
> Famous last words.  :)
>
> >as we don't have any input fields.
>
> So where does your data come from?
> Does your application have any interface that an attacker
> could access?
>
> How do you create your SQL statements?
> Are you always using bound parameters?
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
>
> This requires the attacker to control a collation name.
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415
>
> This requires the attacker to control the CHECK clause in a CREATE
> TABLE statement.
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416
>
> This requires the attacker to control the format string of the print()
> SQL function.
>
>
> Regards,
> Clemens
>
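Added example (not part of the thread and not the posters' code): the reply above ties each CVE to a piece of SQL text an attacker would have to control (a collation name, a CHECK clause in CREATE TABLE, the format string of the SQL printf() function). The Python sketch below triages a constructed list of application statements for those constructs and confirms that a hostile value passed as a bound parameter in the rename path is stored as data; the file_meta table, the statement list and the input string are assumptions.

```python
import re
import sqlite3

# Construct each CVE depends on, per the reply. The attacker must control this
# part of the SQL text itself, which a bound parameter can never supply.
RISKY_CONSTRUCTS = {
    "CVE-2015-3414": re.compile(r"\bCOLLATE\b", re.I),
    "CVE-2015-3415": re.compile(r"\bCREATE\s+TABLE\b.*\bCHECK\s*\(", re.I | re.S),
    "CVE-2015-3416": re.compile(r"\bprintf\s*\(", re.I),
}

def triage(statements):
    """Map each CVE to the app statements that use the construct it needs."""
    return {cve: [s for s in statements if rx.search(s)]
            for cve, rx in RISKY_CONSTRUCTS.items()}

def rename_file(db, file_id, new_name):
    """Rename through bound parameters: new_name is a value, never parsed as SQL."""
    db.execute("UPDATE file_meta SET name = ? WHERE id = ?", (new_name, file_id))
    row = db.execute("SELECT name FROM file_meta WHERE id = ?", (file_id,)).fetchone()
    return row[0]

def demo():
    # Constructed statement list for a hypothetical file-metadata app.
    app_sql = [
        "CREATE TABLE file_meta (id INTEGER PRIMARY KEY, name TEXT NOT NULL)",
        "INSERT INTO file_meta (name) VALUES (?)",
        "UPDATE file_meta SET name = ? WHERE id = ?",
        "SELECT id, name FROM file_meta ORDER BY name COLLATE NOCASE",
    ]
    db = sqlite3.connect(":memory:")
    db.execute(app_sql[0])
    db.execute(app_sql[1], ("report.pdf",))
    # Constructed hostile text typed into the rename text box.
    hostile = "x' COLLATE evil; CREATE TABLE t(a CHECK(a>0)); SELECT printf('%d') --"
    stored = rename_file(db, 1, hostile)
    tables = [r[0] for r in
              db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return triage(app_sql), stored == hostile, tables

if __name__ == "__main__":
    print(demo())
```

Statements that triage() flags are the ones to review by hand: the finding is only a concern if the flagged collation name, CHECK clause or format string is assembled from input rather than written as a literal.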


[sqlite] SQLite Vulnerabilities reported in NVD

2015-12-22 Thread Saurav Sarkar
Hi All,

We use SQLite 3.8.8.3 in our Windows 8.1 universal application.
We are also using SQLitePCL as a wrapper to work from the C# layer.

Our application is free of any kind of SQL injection as we don't have any
input fields.

We see three vulnerabilities reported recently.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416

I am not aware of the SQLite internals.

I would like to know if my application can get affected due to these
vulnerabilities.

Though I know it should not be, I would like to get any
hint/comments/opinions on the above mentioned vulnerabilities.

Thanks and Regards,
Saurav


[sqlite] .NET - Using SQLite in an Universal Windows library without LINQ

2015-08-19 Thread Saurav Sarkar
Hi Mat,

We have been using SQLite in our Windows universal application, both for
tablet and phone.

We used SQLitePCL as the wrapper library to write our queries in plain SQL.

Check for more details here:
http://codifyit.blogspot.in/2015/04/using-sqlite-in-your-windows-store-apps.html

cheers,
Saurav


On Wed, Aug 19, 2015 at 1:16 PM, Mathieu Sicard wrote:

> Hi,
>
> I was previously using System.Data.SQLite in a .NET library, and now want
> to port this library to an Universal Windows library.
>
> I cannot make the System.Data.SQLite work (since I guess it is not
> portable), and found only LINQ style SQLite PCL libraries in NuGet ...
>
> Is there a way that I can use good old-fashioned queries in a Universal
> Windows App in order to have the same or close syntax as in
> System.Data.SQLite?
>
> Something like this :
>
> SQLiteCommand dbCommand = new SQLiteCommand(dbConnection);
> dbCommand.CommandText = dbQuery;
> SQLiteDataReader reader = dbCommand.ExecuteReader();
>
> Mat.
>


[sqlite] Security issues in SQLite

2015-03-23 Thread Saurav Sarkar
Thanks a lot Richard for your inputs.

The link indeed looks positive enough :).

Would like to know if anyone else has gone through similar experiences.

Best Regards,
Saurav

On Mon, Mar 23, 2015 at 5:26 PM, Richard Hipp wrote:

> On 3/23/15, Saurav Sarkar wrote:
> > Hi All,
> >
> > We use SQLite in our application. Ours is a Windows Store application that
> > internally uses SQLite to store data (embedded). I use the SQLitePCL library,
> > which is a C# .NET based library.
> >
> > I was asked to perform Fortify scans on the SQLite code of 3.8.8.3
> >
> [...]
> >
> > Has anyone come across any security vulnerability with SQLite?
> >
> > Any help/input here will be hugely appreciated.
> >
>
> The Fortify identified errors are all false-positives.  Fortify and
> other static analyzers excel at generating false-positives in SQLite.
> See https://www.sqlite.org/testing.html and especially section 11 for
> additional information.
> --
> D. Richard Hipp
> drh at sqlite.org
>


[sqlite] Security issues in SQLite

2015-03-23 Thread Saurav Sarkar
Hi All,

We use SQLite in our application. Ours is a Windows Store application that
internally uses SQLite to store data (embedded). I use the SQLitePCL library,
which is a C# .NET based library.

I was asked to perform Fortify scans on the SQLite code of 3.8.8.3.

I used the amalgamation code.

Since it is a native component written in C, I found a lot of buffer
overflow and memory leak errors. Also, I have not touched C code since
college, so my understanding of C code has reduced :)

I just wanted to confirm my understanding and would like to solicit opinions
from the community on whether the issues are a real threat.

For example, in the code of sqlite3.c, line 16458:

The error reported here is: the function sqlite3OsOpenMalloc() in sqlite3.c
allocates memory on line 16467 and fails to free it.

SQLITE_PRIVATE int sqlite3OsOpenMalloc(
  sqlite3_vfs *pVfs,
  const char *zFile,
  sqlite3_file **ppFile,
  int flags,
  int *pOutFlags
){
  int rc = SQLITE_NOMEM;
  sqlite3_file *pFile;
  pFile = (sqlite3_file *)sqlite3MallocZero(pVfs->szOsFile);
  if( pFile ){
    rc = sqlite3OsOpen(pVfs, zFile, pFile, flags, pOutFlags);
    if( rc!=SQLITE_OK ){
      sqlite3_free(pFile);
    }else{
      *ppFile = pFile;
    }
  }
  return rc;
}


For the memory leak: SQLitePCL and our application use the disposable pattern
to dispose the prepared statement after its use, and we also close the
connection once done.

I am not sure if closing the DB connection and prepared statement is enough to
counter this problem.

In Shell.c

        abYield = (int*)sqlite3_realloc(abYield, nAlloc*sizeof(int));
      }
      abYield[iOp] = str_in_array(zOp, azYield);
      p->aiIndent[iOp] = 0;
      p->nIndent = iOp+1;

      if( str_in_array(zOp, azNext) ){
        for(i=p2op; i<iOp; i++) p->aiIndent[i] += 2;
      }
      if( str_in_array(zOp, azGoto) && p2op<p->nIndent
       && (abYield[p2op] || sqlite3_column_int(pSql, 2))
      ){
        for(i=p2op+1; i<iOp; i++) p->aiIndent[i] += 2;
      }
    }

    p->iIndent = 0;
    sqlite3_free(abYield);
    sqlite3_reset(pSql);

It's saying abYield has been allocated memory and has not been freed.
But I can see the sqlite3_free() function at the bottom which frees up the
memory.

Also I assume libraries like SQLitePCL won't use shell.c.

Some Buffer Overflow errors like

In Line 53855 of SQLite3.c

    assert( cbrk+size<=usableSize && cbrk>=iCellFirst );
    testcase( cbrk+size==usableSize );
    testcase( pc+size==usableSize );
    put2byte(pAddr, cbrk);
    if( temp==0 ){
      int x;
      if( cbrk==pc ) continue;
      temp = sqlite3PagerTempSpace(pPage->pBt->pPager);
      x = get2byte(&data[hdr+5]);
      memcpy(&temp[x], &data[x], (cbrk+size) - x);
      src = temp;
    }
    memcpy(&data[cbrk], &src[pc], size);
  }
  assert( cbrk>=iCellFirst );
  put2byte(&data[hdr+5], cbrk);
  data[hdr+1] = 0;

Usage of memcpy is discouraged in favor of memcpy_s().
Similarly the tool is detecting a lot of buffer overflow errors because of
usage of gets(), strcpy() etc.

Since my application uses the embedded database, there is no way the input
to these methods is being given from my application. I assume I am safe?

Has anyone come across any security vulnerability with SQLite?

Any help/input here will be hugely appreciated.

Thanks and Best Regards,
Saurav


[sqlite] Source code for 3.8.7.4

2015-03-20 Thread Saurav Sarkar
Thanks a ton Dan and Smith for sending the link.

Best Regards,
Saurav

On Fri, Mar 20, 2015 at 2:46 PM, R.Smith  wrote:

> That release was last year I think, try 2014 or 2013.
>
>
> On 2015-03-20 11:11 AM, Saurav Sarkar wrote:
>
>> Hi All,
>>
>> I have tried to download the amalgamation source code for SQLite for version
>> 3.8.7.4
>>
>> By changing the url to
>> http://www.sqlite.org/2015/sqlite-amalgamation-3080704.zip
>>
>> But the file could not be found.
>>
>> Could download for 3.8.8.2
>>
>> Can anyone please help ?
>>
>> Thanks and Regards,
>> Saurav
>>
>> On Thu, Mar 19, 2015 at 9:05 PM, Saurav Sarkar 
>> wrote:
>>
>>  Hi Richard,
>>>
>>> Thanks for the info.
>>> I got this link from the site for 3.8.7.4
>>> http://www.sqlite.org/cgi/src/info/f66f7a17b78ba617
>>>
>>> Hope this is fine.
>>>
>>> I want this version because my project is using this release.
>>>
>>> Best Regards,
>>> Saurav
>>>
>>> On Thu, Mar 19, 2015 at 8:38 PM, Richard Hipp  wrote:
>>>
>>>  On 3/19/15, Saurav Sarkar  wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Can anyone please tell me how can i get the source code for 3.8.7.4 ?
>>>>> In the website of SQLite i could get hold of a amalgamation source code
>>>>>
>>>> of
>>>>
>>>>> latest release 3.8.8.3 in a zip file.
>>>>>
>>>>> Can i similarly get for 3.8.7.4 ?
>>>>>
>>>>>  Over 14,400 different historical versions of SQLite are available at
>>>> https://www.sqlite.org/src/
>>>>
>>>> Why do you want 3.8.7.4 instead of 3.8.8.3?
>>>> --
>>>> D. Richard Hipp
>>>> drh at sqlite.org
>>>>
>>>>
>>
>
>


[sqlite] Source code for 3.8.7.4

2015-03-20 Thread Saurav Sarkar
Hi All,

I have tried to download the amalgamation source code for SQLite for version
3.8.7.4

By changing the url to
http://www.sqlite.org/2015/sqlite-amalgamation-3080704.zip

But the file could not be found.

Could download for 3.8.8.2

Can anyone please help ?

Thanks and Regards,
Saurav

On Thu, Mar 19, 2015 at 9:05 PM, Saurav Sarkar 
wrote:

> Hi Richard,
>
> Thanks for the info.
> I got this link from the site for 3.8.7.4
> http://www.sqlite.org/cgi/src/info/f66f7a17b78ba617
>
> Hope this is fine.
>
> I want this version because my project is using this release.
>
> Best Regards,
> Saurav
>
> On Thu, Mar 19, 2015 at 8:38 PM, Richard Hipp  wrote:
>
>> On 3/19/15, Saurav Sarkar  wrote:
>> > Hi All,
>> >
>> > Can anyone please tell me how can i get the source code for 3.8.7.4 ?
>> > In the website of SQLite i could get hold of a amalgamation source code
>> > of latest release 3.8.8.3 in a zip file.
>> >
>> > Can i similarly get for 3.8.7.4 ?
>> >
>>
>> Over 14,400 different historical versions of SQLite are available at
>> https://www.sqlite.org/src/
>>
>> Why do you want 3.8.7.4 instead of 3.8.8.3?
>> --
>> D. Richard Hipp
>> drh at sqlite.org
>>
>
>


[sqlite] Source code for 3.8.7.4

2015-03-19 Thread Saurav Sarkar
Hi Richard,

Thanks for the info.
I got this link from the site for 3.8.7.4
http://www.sqlite.org/cgi/src/info/f66f7a17b78ba617

Hope this is fine.

I want this version because my project is using this release.

Best Regards,
Saurav

On Thu, Mar 19, 2015 at 8:38 PM, Richard Hipp  wrote:

> On 3/19/15, Saurav Sarkar  wrote:
> > Hi All,
> >
> > Can anyone please tell me how can i get the source code for 3.8.7.4 ?
> > In the website of SQLite i could get hold of a amalgamation source code
> > of latest release 3.8.8.3 in a zip file.
> >
> > Can i similarly get for 3.8.7.4 ?
> >
>
> Over 14,400 different historical versions of SQLite are available at
> https://www.sqlite.org/src/
>
> Why do you want 3.8.7.4 instead of 3.8.8.3?
> --
> D. Richard Hipp
> drh at sqlite.org
>


[sqlite] Source code for 3.8.7.4

2015-03-19 Thread Saurav Sarkar
Hi All,

Can anyone please tell me how I can get the source code for 3.8.7.4?
On the SQLite website I could get hold of an amalgamation source code of
the latest release, 3.8.8.3, in a zip file.

Can I similarly get it for 3.8.7.4?

thanks and Regards,
Saurav


[sqlite] Consuming Visual studio extension SDKs in a remote build

2015-02-23 Thread Saurav Sarkar
Hi All,

I am new to .NET and developing a universal Windows application.

I am using Visual Studio extension for SQLite for WinRT and Windows Phone.

http://www.sqlite.org/2015/sqlite-wp81-winrt-3080801.vsix
http://www.sqlite.org/2015/sqlite-winrt81-3080801.vsix

I can perfectly install the extensions and work with them locally.

My question is about remotely building (continuous integration) my
application through msbuild in TFS.

Do the build machines need to have the same version of the SQLite SDKs
installed manually in order to resolve the dependency?

There can be multiple projects in my TFS collection which can refer to
separate versions of the VSIX files. Both versions cannot coexist.
What happens then?

Can I somehow upload the vsix file to our package management software
(Nexus) and refer to it from there?

We have been building other dependencies as NuGet packages from Nexus.

There might be a number of packages required for different architectures and
other components' packages.

Any help will be hugely appreciated.

Thanks and Best Regards,
Saurav