Bug 810031 (CVE-2021-36690) - <dev-db/sqlite-3.37.0: null pointer dereference (CVE-2021-36690)
Summary: <dev-db/sqlite-3.37.0: null pointer dereference (CVE-2021-36690)
Status: RESOLVED FIXED
Alias: CVE-2021-36690
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.sqlite.org/forum/forumpos...
Whiteboard: B3 [noglsa]
Reported: 2021-08-24 16:36 UTC by John Helmert III
Modified: 2022-07-16 03:08 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-24 16:36:53 UTC
CVE-2021-36690:

Segmentation fault vulnerability in SQLite sqlite3 3.36.0 via the idxGetTableInfo function, in which a crafted SQL query can cause a denial of service


Seems there's a patch: https://sqlite.org/src/info/b1e0c22ec981cf5f
Comment 1 Federico Justus Denkena 2022-07-15 17:15:26 UTC
Patch applied in upstream (as linked - https://sqlite.org/src/info/b1e0c22ec981cf5f). Patch got merged long ago, as far as I can see no vulnerable versions left in tree.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 17:36:26 UTC
(In reply to 9ts641j2 from comment #1)
> Patch applied in upstream (as linked -
> https://sqlite.org/src/info/b1e0c22ec981cf5f). Patch got merged long ago, 

When? What version?

> as far as I can see no vulnerable versions left in tree.
Comment 3 Federico Justus Denkena 2022-07-15 17:42:02 UTC
Patch was merged 2021-07-08 12:12:39 in commit fdcd3bd969351c4e860a1368a6ab64bc4c94d2d89396805b28853a514d06fd92 into branch "trunk". 
Oldest version in tree is 3.38.2, published 2022-03-26 (https://sqlite.org/src/timeline?t=version-3.38.2) while the latest version 3.39.1 was published 2022-07-13 (https://sqlite.org/src/timeline?t=version-3.39.1). The fix should have been live for about a year now.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-16 03:08:20 UTC
Seems it's actually been in since 3.37.0:

https://github.com/sqlite/sqlite/commit/77ea22300b5bcc0961be5c2578a262d91917cf1f

(sorry, no idea how to use fossil)

Seems to be near impossible to exploit without control of the database anyway, so no GLSA. All done!