| Summary: | <dev-db/sqlite-3.11.1: arbitrary code execution on databases with malformed schema, buffer overreads | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | arfrever.fta |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1305820 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=605688 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
From documentation of SQLite 3.11.0 (released on 2016-02-15):

releaselog/3_11_0.html :
"Backwards Compatibility: Because of continuing security concerns, the two-argument version of the seldom-used and little-known fts3_tokenizer() function is disabled unless SQLite is compiled with the SQLITE_ENABLE_FTS3_TOKENIZER."

fts3.html#f3tknzr :
"As of SQLite version 3.11.0, the second form of the fts3_tokenizer() function is only available if the library is compiled with the -DSQLITE_ENABLE_FTS3_TOKENIZER compiler switch. In earlier versions it was always available.
SECURITY WARNING: If a version of the fts3/4 extension that supports the second form of fts3_tokenizer() is deployed in an environment where potentially malicious users may execute arbitrary SQL, they should be prevented from invoking the fts3_tokenizer() function, possibly using the authorization callback.
SECURITY UPDATE for Version 3.11.0: Because of continuing concern, the two-argument version of fts3_tokenizer() is disabled unless SQLite is compiled with SQLITE_ENABLE_FTS3_TOKENIZER."

================================================

From documentation of SQLite 3.12.0 (released probably on 2016-04-*):

releaselog/3_12_0.html :
"New Features: Added the SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER option to sqlite3_db_config() which allows the two-argument version of the fts3_tokenizer() SQL function to be enabled or disabled at run-time."

fts3.html#f3tknzr :
"Because of security concerns, SQLite version 3.11.0 only enabled the second form of the fts3_tokenizer() function when the library is compiled with the -DSQLITE_ENABLE_FTS3_TOKENIZER option. In earlier versions it was always available. Beginning with SQLite version 3.12.0, the second form of fts3_tokenizer() can also be activated at run-time by calling sqlite3_db_config(db,SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER,1,0).
SECURITY WARNING: If a version of the fts3/4 extension that supports the two-argument form of fts3_tokenizer() is deployed in an environment where malicious users can run arbitrary SQL, then those users should be prevented from invoking the two-argument fts3_tokenizer() function. This can be done using the authorization callback, or by disabling the two-argument fts3_tokenizer() interface using a call to sqlite3_db_config(db,SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER,0,0)."

================================================

Support for SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER option backported to SQLite 3.11.0 in Gentoo.
-DSQLITE_ENABLE_FTS3_TOKENIZER not passed to compiler by SQLite ebuild, so support for custom FTS3/FTS4 tokenizers disabled at run time by default.
If any package is using custom FTS3/FTS4 tokenizers, then it should be modified to enable this feature at run time:

    #ifdef SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER
    sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER, 1, 0);
    #endif

Stabilize dev-db/sqlite-3.11.0.

Other security-related fixes in SQLite 3.11.0:
https://sqlite.org/src/info/facbc424e5550611 2016-02-11 18:08:38 "Avoid a buffer overread when reading a corrupt fts5 structure record."
https://sqlite.org/src/info/130580207ab5cee7 2016-02-12 17:56:27 "Fix a fairly obscure buffer overread in fts5."
https://sqlite.org/src/info/a049fbbde5da2e43 2016-02-12 18:48:09 "Fix a potential buffer overread provoked by invalid utf-8 in fts5."

From documentation of SQLite 3.11.1 (released on 2016-03-03):

releaselog/3_11_1.html :
"Fix a buffer overread that might occur if FTS5 is used to query a corrupt database file."
https://sqlite.org/src/info/c9a30e117f2c6c9e 2016-02-29 17:34:16 "Fix a problem in fts5 where a corrupt db could lead to a (huge) buffer overread."

(Stabilization of dev-db/sqlite-3.11.0 withdrawn.)
Stabilize dev-db/sqlite-3.11.1.

Stable for PPC64.

amd64 stable

Stable for HPPA.

arm stable

x86 stable

Stable on alpha.

ppc stable

sparc stable

ia64 stable

Stabilized on arm64 by Steev Klimaszewski <steev@gentoo.org>:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=deaf1729beb9730001330f4eb6bbe75b0151bcbd

dev-db/sqlite-3.12.0 is now being stabilized in bug #578940.

New GLSA created.

This issue was resolved and addressed in GLSA 201612-21 at https://security.gentoo.org/glsa/201612-21 by GLSA coordinator Aaron Bauman (b-man).
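Added example, not code from this bug report, from Gentoo or from the SQLite project. The quoted fts3.html security warning names two defences for an application that lets less-trusted users run SQL: block fts3_tokenizer() through the authorization callback, or switch the two-argument form off with sqlite3_db_config(). The block below applies the first from Python's built-in sqlite3 module (which exposes the authorizer but not sqlite3_db_config), and adds a check a practitioner would want before shipping: a probe that reports whether the linked library still has the two-argument form live. Every name here (the denylist, `guarded_connection`, `run_untrusted_sql`, `probe_two_arg_tokenizer`), the inclusion of load_extension in the denylist, and the one-byte-blob probe are this example's assumptions, not something the bug or SQLite documents.

```python
"""Added example (not code from the bug, Gentoo or SQLite): deny the
fts3_tokenizer() SQL function through SQLite's authorization callback, and
probe whether the two-argument form is enabled on the linked library."""
import sqlite3

# Authorizer action code for an SQL function call (31 in sqlite3.h); older
# Python builds may not export the constant, so fall back to the number.
SQLITE_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)

# Hypothetical policy: SQL functions an untrusted caller must never reach.
# fts3_tokenizer(name, blob) installs a raw function pointer taken from the
# blob; load_extension is listed only as a second function of the same
# "loads native code from SQL" kind (this example's choice, not the bug's).
DEFAULT_DENYLIST = frozenset({"fts3_tokenizer", "load_extension"})


def make_function_denylist_authorizer(denied=DEFAULT_DENYLIST):
    """Build an authorizer callback that denies the listed SQL functions.

    SQLite consults the authorizer while preparing a statement, so a denied
    function is rejected before anything executes; all other actions pass."""
    denied = {name.lower() for name in denied}

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        # For SQLITE_FUNCTION, arg1 is None and arg2 is the function name.
        if action == SQLITE_FUNCTION and arg2 and arg2.lower() in denied:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    return authorizer


def guarded_connection(denied=DEFAULT_DENYLIST, path=":memory:"):
    """Open a connection with the function denylist installed.

    An empty denylist yields an unguarded connection (useful for probing)."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(make_function_denylist_authorizer(denied))
    return conn


def run_untrusted_sql(conn, sql, params=()):
    """Run SQL supplied by an untrusted caller and classify the outcome.

    Returns ("ok", rows), ("denied", message) when the authorizer refused the
    statement, or ("error", message) for any other SQLite error."""
    try:
        rows = conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:
        message = str(exc)
        if "not authorized" in message:
            return ("denied", message)
        return ("error", message)
    return ("ok", rows)


def probe_two_arg_tokenizer(conn):
    """Report whether fts3_tokenizer(name, ptr) is live on this connection.

    The probe passes a one-byte blob. SQLite compares the blob length with
    sizeof(void*) before dereferencing it, so the call fails with
    "argument type mismatch" when the form is enabled and with
    "fts3tokenize disabled" (3.11+, neither compile-time nor run-time
    enable) when it is not; no pointer is dereferenced either way.

    Returns "enabled", "disabled", "unavailable" (no FTS3 in this build),
    "denied" (an authorizer on conn blocked the probe) or "unknown: <msg>"."""
    status, detail = run_untrusted_sql(
        conn, "SELECT fts3_tokenizer('simple', x'00')")
    if status == "ok":
        return "enabled"          # not reachable with a 1-byte blob
    if status == "denied":
        return "denied"
    if "no such function" in detail:
        return "unavailable"
    if "disabled" in detail:
        return "disabled"
    if "mismatch" in detail:
        return "enabled"
    return "unknown: " + detail


if __name__ == "__main__":
    # What does the linked SQLite expose on an unguarded connection?
    print("two-arg fts3_tokenizer:", probe_two_arg_tokenizer(guarded_connection(())))

    # The connection as it would be handed to an untrusted SQL runner.
    guarded = guarded_connection()
    print(run_untrusted_sql(guarded, "SELECT 1 + 1"))
    print(run_untrusted_sql(guarded, "SELECT fts3_tokenizer('simple')"))
    print("under authorizer:", probe_two_arg_tokenizer(guarded))
```

The authorizer denies the function by name, so it covers the one-argument form as well, which matches the 3.11.0 wording ("prevented from invoking the fts3_tokenizer() function"). The probe is the part worth keeping in a deployment checklist: a distribution build that passes -DSQLITE_ENABLE_FTS3_TOKENIZER, or an application that calls sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER, 1, 0) as this bug recommends for packages with custom tokenizers, reports "enabled" and therefore needs the authorizer on every connection untrusted SQL can reach.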