Only if the application were so badly written as to permit the execution of untrusted code ...
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume. >-----Original Message----- >From: sqlite-users [mailto:sqlite-users- >boun...@mailinglists.sqlite.org] On Behalf Of Jens Alfke >Sent: Thursday, 20 December, 2018 18:56 >To: SQLite mailing list >Subject: Re: [sqlite] Claimed vulnerability in SQLite: Info or Intox? > > > >> On Dec 20, 2018, at 5:05 PM, Simon Slavin <slav...@bigfraud.org> >wrote: >> >> Which would make it do what ? I can imagine "crash with a memory >fault". I find it much harder to believe "execute code stored in the >database". You would have to know a lot about a program to make it >do that, and an attack aimed at one program/library (e.g. Chromium) >wouldn't work on another with a different memory layout. > >It depends on the details of the vulnerability. Since it’s an FTS3 >query that triggered the problem, there are probably multiple FTS3 >and SQLite stack frames active at the time the buffer overrun occurs, >so it may not depend so much on the application itself. (Of course it >would likely depend on the compiler, the optimization settings, and >of course CPU architecture.) > >Again, from Dr. Hipp’s statement: > By making malicious changes to the shadow tables that FTS3 uses >and then running > FTS3 queries that used those tables, an integer overflow could >cause a > buffer overrun, which if carefully managed might lead to an RCE. > This is only a problem for application that enable FTS3 (using >the > SQLITE_ENABLE_FTS3 or SQLITE_ENABLE_FTS4 compile-time options) >and > which allow potential attackers to run arbitrary SQL. > >Anyway, my original question was: If an application opens untrusted >SQLite databases as documents, and if a trigger added to a database >can run arbitrary SQL, wouldn’t that make such an application >vulnerable? > >—Jens >_______________________________________________ >sqlite-users mailing list >sqlite-users@mailinglists.sqlite.org >http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
