Re: [sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )
Thanks Simon for the reply.

Can you please also let me know how this bug can be exploited in an application.

I am just using Android API (SQLiteOpenHelper) for SQLite to access SQLiteDB CRUD operations.
We don't have authorization feature built into our client side. Even authentication is done from the server side. End Users don't have access to db directly. No SQL injection is possible too.

Just wanted to check if this bug can be exploited in our application.

Best Regards,
Saurav

On Mon, Apr 17, 2017 at 2:46 PM, Simon Slavin <slav...@bigfraud.org> wrote:

> On 17 Apr 2017, at 9:56am, Saurav Sarkar <saurav.sark...@gmail.com> wrote:
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607
> >
> > It mentions the escalation of privilege attack in Android due to an
> > internal bug in SQLite
> >
> > We use SQLite distributed with Android in our application and use the
> > normal Android APIs for SQLite Access. And use it for our CRUD operations.
> >
> > I did not find any more details about this bug so would like to know in
> > this list if this is a problem.
>
> SQLite 3.8.9, which according to the announcement fixed the relevant bug,
> was released in April 2015, which is now two years ago.
>
> As described in the report, if you’re still using a version of Android
> before 5.1.1 the bug will still affect the platform.
>
> > Would like to know if the same vulnerability applies for Windows universal
> > platform as well.
>
> SQLite is not built into that platform. If you wish to use SQLite on WUP
> yourself, just make sure you include a current version, not a two year old
> version.
>
> Simon.

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
[sqlite] SQLite CVE-2015-6607 (Escalation of privilege issue )
Dear SQLite Experts,

This is regarding SQLite vulnerability

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607

It mentions the escalation of privilege attack in Android due to an internal bug in SQLite

We use SQLite distributed with Android in our application and use the normal Android APIs for SQLite Access. And use it for our CRUD operations.

I did not find any more details about this bug so would like to know in this list if this is a problem.

Also we have a Universal Windows platform based application where we use SQLite as external dependency and use for same CRUD operations.

Would like to know if the same vulnerability applies for Windows universal platform as well.

Thanks and Best Regards,
Saurav
[sqlite] SQLite Vulnerabilities reported in NVD
Thanks Clemens for your inputs

We are using parametrized queries and don't have any user interface where user can modify anything currently.
It's almost a read only application. Ours is a file management application

But we will come up with some functionality where user will be able to upload random files into our application. The files will reside into the application sandbox environment.
Once a file is being uploaded, the metadata of that file will get inserted/updated into DB.

We will also come with rename (a text box) and other CRUD operations which will require user interaction. This will again trigger the metadata update into DB.

But the queries will be always parametrized ones.

Regards,
Saurav

On Tue, Dec 22, 2015 at 12:12 PM, Clemens Ladisch wrote:

> Saurav Sarkar:
> >Our application is free of any kind of SQL injection
>
> Famous last words. :)
>
> >as we don't have any input fields.
>
> So where does your data come from?
> Does your application have any interface that an attacker
> could access?
>
> How do you create your SQL statements?
> Are you always using bound parameters?
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
>
> This requires the attacker to control a collation name.
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415
>
> This requires the attacker to control the CHECK clause in a CREATE
> TABLE statement.
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416
>
> This requires the attacker to control the format string of the print()
> SQL function.
>
> Regards,
> Clemens
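
Added example (not part of the original thread, nor anyone's application code): the rename text box described above, with the statement built by string concatenation beside the bound-parameter form Clemens asks about, plus a check of the linked SQLite version against the 3.8.9 release named in Simon's reply on this page. The `files` table, the function names and the sample input are assumptions constructed for illustration.

```python
import sqlite3

# Release named in Simon Slavin's reply on this page as carrying the fix.
FIXED_IN = (3, 8, 9)

def is_patched(version_info=None):
    """True if the SQLite library (default: the one linked into Python) is >= FIXED_IN."""
    v = sqlite3.sqlite_version_info if version_info is None else version_info
    return tuple(v) >= FIXED_IN

def open_metadata_db():
    """Constructed sample data: a hypothetical file-metadata table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO files (id, name) VALUES (?, ?)",
                     [(1, "report.pdf"), (2, "notes.txt")])
    return conn

def rename_concatenated(conn, file_id, new_name):
    """Weak form: the text-box content is spliced into the SQL text itself."""
    sql = "UPDATE files SET name = '" + new_name + "' WHERE id = " + str(int(file_id))
    return conn.execute(sql).rowcount  # number of rows changed

def rename_bound(conn, file_id, new_name):
    """Hardened form: fixed SQL text, input travels only as bound values."""
    cur = conn.execute("UPDATE files SET name = ? WHERE id = ?", (new_name, file_id))
    return cur.rowcount

def names(conn):
    """Current file names, ordered by id."""
    return [row[0] for row in conn.execute("SELECT name FROM files ORDER BY id")]

# Constructed input: a "file name" containing a quote and an SQL comment marker.
HOSTILE_NAME = "x' WHERE 1=1 --"

if __name__ == "__main__":
    print("linked SQLite", sqlite3.sqlite_version, "patched:", is_patched())
    for rename in (rename_concatenated, rename_bound):
        conn = open_metadata_db()
        changed = rename(conn, 1, HOSTILE_NAME)
        print(rename.__name__, "changed", changed, "row(s):", names(conn))
```

With the concatenated form the input rewrites the WHERE clause and every row is renamed; with bound parameters the same input is stored as the literal name of one file.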
[sqlite] SQLite Vulnerabilities reported in NVD
Hi All,

We use SQLite 3.8.8.3 in our Windows 8.1 universal application. We are also using SQLitePCL as a wrapper to work from C# layer.

Our application is free of any kind of SQL injection as we don't have any input fields.

We see three vulnerabilities reported recently.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416

I am not aware of the SQLite internals. I would like to know if my application can get affected due to these vulnerabilities.

Though I know it should not be, but would like to get any hint/comments/opinions on the above mentioned vulnerabilities.

Thanks and Regards,
Saurav
[sqlite] .NET - Using SQLite in an Universal Windows library without LINQ
Hi Mat,

We have been using SQLite in our Windows universal application both for tablet and phone

We used SQLitePCL as the wrapper library to write our queries in plain SQL.

Check for more details here
http://codifyit.blogspot.in/2015/04/using-sqlite-in-your-windows-store-apps.html

cheers,
Saurav

On Wed, Aug 19, 2015 at 1:16 PM, Mathieu Sicard wrote:

> Hi,
>
> I was previously using System.Data.SQLite in a .NET library, and now want
> to port this library to a Universal Windows library.
>
> I cannot make the System.Data.SQLite work (since I guess it is not
> portable), and found only LINQ style SQLite PCL libraries in NuGet ...
>
> Is there a way that I can use good old-fashioned queries in a Universal
> Windows App in order to have the same or close syntax as in
> System.Data.SQLite?
>
> Something like this :
>
> SQLiteCommand dbCommand = new SQLiteCommand(dbConnection);
> dbCommand.CommandText = dbQuery;
> SQLiteDataReader reader = dbCommand.ExecuteReader();
>
> Mat.
[sqlite] Security issues in SQLite
Thanks a lot Richard for your inputs.

The link indeed looks positive enough :).

Would like to know if anyone else has gone through similar experiences.

Best Regards,
Saurav

On Mon, Mar 23, 2015 at 5:26 PM, Richard Hipp wrote:

> On 3/23/15, Saurav Sarkar wrote:
> > Hi All,
> >
> > We use SQLite in our application. Ours is a Windows Store application
> > that internally uses SQLite to store data (embedded). I use SQLitePCL library
> > which is a C# .NET based library
> >
> > I was asked to perform Fortify scans on the SQLite code of 3.8.8.3
> >
> [...]
> >
> > Anyone has come across with any security vulnerability with SQLite ?
> >
> > Any help/input here will be hugely appreciated.
> >
>
> The Fortify identified errors are all false-positives. Fortify and
> other static analyzers excel at generating false-positives in SQLite.
> See https://www.sqlite.org/testing.html and especially section 11 for
> additional information.
> --
> D. Richard Hipp
> drh at sqlite.org
[sqlite] Security issues in SQLite
Hi All,

We use SQLite in our application. Ours is a Windows Store application that internally uses SQLite to store data (embedded). I use SQLitePCL library which is a C# .NET based library

I was asked to perform Fortify scans on the SQLite code of 3.8.8.3

I used the amalgamation code. Since it is a native component and written in C, I found a lot of Buffer Overflow and memory leak errors.
Also after college I have not touched C code, so my understanding of C code has reduced :)

Just wanted to confirm my understanding and would like to solicit opinion from the community if the issues are real threat.

For e.g. in the code SQLite3.c line 16458

Error reported here is

The function sqlite3OsOpenMalloc() in sqlite3.c allocates memory on line 16467 and fails to free it.

    SQLITE_PRIVATE int sqlite3OsOpenMalloc(
      sqlite3_vfs *pVfs,
      const char *zFile,
      sqlite3_file **ppFile,
      int flags,
      int *pOutFlags
    ){
      int rc = SQLITE_NOMEM;
      sqlite3_file *pFile;
      pFile = (sqlite3_file *)sqlite3MallocZero(pVfs->szOsFile);
      if( pFile ){
        rc = sqlite3OsOpen(pVfs, zFile, pFile, flags, pOutFlags);
        if( rc!=SQLITE_OK ){
          sqlite3_free(pFile);
        }else{
          *ppFile = pFile;
        }
      }
      return rc;
    }

For memory leak: SQLitePCL and our application use the disposable pattern to dispose the prepared statement after its use and the connection we also close once done. I am not sure if closing the DB connection and prepared statement is enough to counter this problem.

In Shell.c

          abYield = (int*)sqlite3_realloc(abYield, nAlloc*sizeof(int));
        }
        abYield[iOp] = str_in_array(zOp, azYield);
        p->aiIndent[iOp] = 0;
        p->nIndent = iOp+1;

        if( str_in_array(zOp, azNext) ){
          for(i=p2op; i<iOp; i++) p->aiIndent[i] += 2;
        }
        if( str_in_array(zOp, azGoto) && p2op<p->nIndent
         && (abYield[p2op] || sqlite3_column_int(pSql, 2))
        ){
          for(i=p2op+1; i<iOp; i++) p->aiIndent[i] += 2;
        }
      }

      p->iIndent = 0;
      sqlite3_free(abYield);
      sqlite3_reset(pSql);

It's saying abYield has been allocated a memory and has not been freed. But I can see the sqlite3_free() function at the bottom which frees up the memory.

Also I assume libraries like SQLitePCL won't use shell.c.

Some Buffer Overflow errors like

In Line 53855 of SQLite3.c

        assert( cbrk+size<=usableSize && cbrk>=iCellFirst );
        testcase( cbrk+size==usableSize );
        testcase( pc+size==usableSize );
        put2byte(pAddr, cbrk);
        if( temp==0 ){
          int x;
          if( cbrk==pc ) continue;
          temp = sqlite3PagerTempSpace(pPage->pBt->pPager);
          x = get2byte(&data[hdr+5]);
          memcpy(&temp[x], &data[x], (cbrk+size) - x);
          src = temp;
        }
        memcpy(&data[cbrk], &src[pc], size);
      }
      assert( cbrk>=iCellFirst );
      put2byte(&data[hdr+5], cbrk);
      data[hdr+1] = 0;

Usage of memcpy is discouraged in favor of memcpy_s()

Similarly the tool is detecting a lot of buffer overflow errors because of usage of gets(), strcpy() etc.

Since my application uses the embedded database there is no way the input to these methods are being given from my application. I assume I am safe ?

Anyone has come across with any security vulnerability with SQLite ?

Any help/input here will be hugely appreciated.

Thanks and Best Regards,
Saurav
[sqlite] Source code for 3.8.7.4
Thanks a ton Dan and Smith for sending the link.

Best Regards,
Saurav

On Fri, Mar 20, 2015 at 2:46 PM, R.Smith wrote:

> That release was last year I think, try 2014 or 2013.
>
> On 2015-03-20 11:11 AM, Saurav Sarkar wrote:
>
>> Hi All,
>>
>> i have tried to download amalgamation source code for sqlite for version
>> 3.8.7.4
>>
>> By changing the url to
>> http://www.sqlite.org/2015/sqlite-amalgamation-3080704.zip
>>
>> But the file could not be found.
>>
>> Could download for 3.8.8.2
>>
>> Can anyone please help ?
>>
>> Thanks and Regards,
>> Saurav
>>
>> On Thu, Mar 19, 2015 at 9:05 PM, Saurav Sarkar wrote:
>>
>>> Hi Richard,
>>>
>>> Thanks for the info.
>>> I got this link from the site for 3.8.7.4
>>> http://www.sqlite.org/cgi/src/info/f66f7a17b78ba617
>>>
>>> Hope this is fine.
>>>
>>> I want this version because my project is using this release.
>>>
>>> Best Regards,
>>> Saurav
>>>
>>> On Thu, Mar 19, 2015 at 8:38 PM, Richard Hipp wrote:
>>>
>>>> On 3/19/15, Saurav Sarkar wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Can anyone please tell me how can i get the source code for 3.8.7.4 ?
>>>>> In the website of SQLite i could get hold of an amalgamation source code of
>>>>> latest release 3.8.8.3 in a zip file.
>>>>>
>>>>> Can i similarly get for 3.8.7.4 ?
>>>>
>>>> Over 14,400 different historical versions of SQLite are available at
>>>> https://www.sqlite.org/src/
>>>>
>>>> Why do you want 3.8.7.4 instead of 3.8.8.3?
>>>> --
>>>> D. Richard Hipp
>>>> drh at sqlite.org
[sqlite] Source code for 3.8.7.4
Hi All,

I have tried to download amalgamation source code for sqlite for version 3.8.7.4

By changing the url to
http://www.sqlite.org/2015/sqlite-amalgamation-3080704.zip

But the file could not be found.

Could download for 3.8.8.2

Can anyone please help ?

Thanks and Regards,
Saurav

On Thu, Mar 19, 2015 at 9:05 PM, Saurav Sarkar wrote:

> Hi Richard,
>
> Thanks for the info.
> I got this link from the site for 3.8.7.4
> http://www.sqlite.org/cgi/src/info/f66f7a17b78ba617
>
> Hope this is fine.
>
> I want this version because my project is using this release.
>
> Best Regards,
> Saurav
>
> On Thu, Mar 19, 2015 at 8:38 PM, Richard Hipp wrote:
>
>> On 3/19/15, Saurav Sarkar wrote:
>> > Hi All,
>> >
>> > Can anyone please tell me how can i get the source code for 3.8.7.4 ?
>> > In the website of SQLite i could get hold of an amalgamation source code of
>> > latest release 3.8.8.3 in a zip file.
>> >
>> > Can i similarly get for 3.8.7.4 ?
>> >
>>
>> Over 14,400 different historical versions of SQLite are available at
>> https://www.sqlite.org/src/
>>
>> Why do you want 3.8.7.4 instead of 3.8.8.3?
>> --
>> D. Richard Hipp
>> drh at sqlite.org
[sqlite] Source code for 3.8.7.4
Hi Richard,

Thanks for the info.
I got this link from the site for 3.8.7.4
http://www.sqlite.org/cgi/src/info/f66f7a17b78ba617

Hope this is fine.

I want this version because my project is using this release.

Best Regards,
Saurav

On Thu, Mar 19, 2015 at 8:38 PM, Richard Hipp wrote:

> On 3/19/15, Saurav Sarkar wrote:
> > Hi All,
> >
> > Can anyone please tell me how can i get the source code for 3.8.7.4 ?
> > In the website of SQLite i could get hold of an amalgamation source code of
> > latest release 3.8.8.3 in a zip file.
> >
> > Can i similarly get for 3.8.7.4 ?
> >
>
> Over 14,400 different historical versions of SQLite are available at
> https://www.sqlite.org/src/
>
> Why do you want 3.8.7.4 instead of 3.8.8.3?
> --
> D. Richard Hipp
> drh at sqlite.org
[sqlite] Source code for 3.8.7.4
Hi All,

Can anyone please tell me how can I get the source code for 3.8.7.4 ?
In the website of SQLite I could get hold of an amalgamation source code of latest release 3.8.8.3 in a zip file.

Can I similarly get for 3.8.7.4 ?

Thanks and Regards,
Saurav
[sqlite] Consuming Visual studio extension SDKs in a remote build
Hi All,

I am new to .NET and developing a universal Windows application.

I am using Visual Studio extension for SQLite for WinRT and Windows Phone.

http://www.sqlite.org/2015/sqlite-wp81-winrt-3080801.vsix
http://www.sqlite.org/2015/sqlite-winrt81-3080801.vsix

I can perfectly install the extensions and work with locally.

My question is about the remote building (continuous integration) of my application through msbuild in TFS.

Do the build machines need to have the same version of SQLite SDKs installed manually in order to resolve the dependency ?

There can be multiple projects in my TFS collection which can refer to separate versions of VSIX files. Both versions cannot coexist together. What happens then ?

Can I somehow upload the vsix file to our package management software (Nexus) and refer from there. We have been building other dependencies as NuGet packages from Nexus. There might be a number of packages required for different architectures and other component's packages.

Any help will be hugely appreciated.

Thanks and Best Regards,
Saurav