Bug 1173641 (CVE-2020-15358)

Summary: VUL-0: CVE-2020-15358: sqlite3: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: aalzayed, ashawki, ayman.rayyan, carlos.lopez, gianluca.gabrielli, max, meissner, security-team, smash_bz, zeina.klink
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/262458/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-15358:6.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Alexandros Toptsoglou 2020-07-02 15:39:51 UTC
Only SLE15 is affected. To reproduce the issue: 

valgrind sqlite3 

sqlite> CREATE TABLE a(b);
sqlite> CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
sqlite> SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
==31360== Invalid read of size 8
==31360==    at 0x4E90BFF: multiSelectCollSeq.isra.653 (sqlite3.c:126847)
==31360==    by 0x4E90C1D: multiSelectCollSeq.isra.653 (sqlite3.c:126838)
==31360==    by 0x4E910A1: multiSelectOrderByKeyInfo.constprop.926 (sqlite3.c:126876)
==31360==    by 0x4ED0674: multiSelectOrderBy (sqlite3.c:127827)
==31360==    by 0x4ED0674: multiSelect (sqlite3.c:127209)
==31360==    by 0x4EBFB14: sqlite3Select (sqlite3.c:130386)
==31360==    by 0x4EC3054: sqlite3CodeSubselect (sqlite3.c:99820)
==31360==    by 0x4EC5E72: sqlite3ExprCodeTarget (sqlite3.c:100770)
==31360==    by 0x4ECB588: codeEqualityTerm (sqlite3.c:136650)
==31360==    by 0x4ECC95B: codeAllEqualityTerms (sqlite3.c:136871)
==31360==    by 0x4ECC95B: sqlite3WhereCodeOneLoopStart (sqlite3.c:137778)
==31360==    by 0x4ECC95B: sqlite3WhereBegin (sqlite3.c:145131)
==31360==    by 0x4EC0E04: sqlite3Select (sqlite3.c:130697)
==31360==    by 0x4EC3054: sqlite3CodeSubselect (sqlite3.c:99820)
==31360==    by 0x4EC5E72: sqlite3ExprCodeTarget (sqlite3.c:100770)
==31360==  Address 0x6619ca0 is 16 bytes before a block of size 1,208 alloc'd
==31360==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31360==    by 0x4E85143: sqlite3MemMalloc (sqlite3.c:22889)
==31360==    by 0x4E5B6F3: mallocWithAlarm (sqlite3.c:26721)
==31360==    by 0x4E5B6F3: sqlite3Malloc (sqlite3.c:26751)
==31360==    by 0x4E5D51F: dbMallocRawFinish (sqlite3.c:26982)
==31360==    by 0x4E718FD: sqlite3ExprListDup (sqlite3.c:98290)
==31360==    by 0x4E71C04: sqlite3SelectDup (sqlite3.c:98409)
==31360==    by 0x4E71632: exprDup (sqlite3.c:98165)
==31360==    by 0x4E71529: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E71529: exprDup (sqlite3.c:98198)
==31360==    by 0x4E7150D: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E7150D: exprDup (sqlite3.c:98196)
==31360==    by 0x4E71C36: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E71C36: sqlite3SelectDup (sqlite3.c:98411)
==31360==    by 0x4E71632: exprDup (sqlite3.c:98165)
==31360==    by 0x4E7DD97: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E7DD97: exprListAppendList (sqlite3.c:146289)
==31360== 
==31360== Invalid read of size 8
==31360==    at 0x4E90BFF: multiSelectCollSeq.isra.653 (sqlite3.c:126847)
==31360==    by 0x4E910A1: multiSelectOrderByKeyInfo.constprop.926 (sqlite3.c:126876)
==31360==    by 0x4ED0674: multiSelectOrderBy (sqlite3.c:127827)
==31360==    by 0x4ED0674: multiSelect (sqlite3.c:127209)
==31360==    by 0x4EBFB14: sqlite3Select (sqlite3.c:130386)
==31360==    by 0x4EC3054: sqlite3CodeSubselect (sqlite3.c:99820)
==31360==    by 0x4EC5E72: sqlite3ExprCodeTarget (sqlite3.c:100770)
==31360==    by 0x4ECB588: codeEqualityTerm (sqlite3.c:136650)
==31360==    by 0x4ECC95B: codeAllEqualityTerms (sqlite3.c:136871)
==31360==    by 0x4ECC95B: sqlite3WhereCodeOneLoopStart (sqlite3.c:137778)
==31360==    by 0x4ECC95B: sqlite3WhereBegin (sqlite3.c:145131)
==31360==    by 0x4EC0E04: sqlite3Select (sqlite3.c:130697)
==31360==    by 0x4EC3054: sqlite3CodeSubselect (sqlite3.c:99820)
==31360==    by 0x4EC5E72: sqlite3ExprCodeTarget (sqlite3.c:100770)
==31360==    by 0x4EC72A3: sqlite3ExprCodeExprList (sqlite3.c:101202)
==31360==  Address 0x6618760 is 16 bytes before a block of size 1,208 alloc'd
==31360==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31360==    by 0x4E85143: sqlite3MemMalloc (sqlite3.c:22889)
==31360==    by 0x4E5B6F3: mallocWithAlarm (sqlite3.c:26721)
==31360==    by 0x4E5B6F3: sqlite3Malloc (sqlite3.c:26751)
==31360==    by 0x4E5D51F: dbMallocRawFinish (sqlite3.c:26982)
==31360==    by 0x4E718FD: sqlite3ExprListDup (sqlite3.c:98290)
==31360==    by 0x4E71C04: sqlite3SelectDup (sqlite3.c:98409)
==31360==    by 0x4E71632: exprDup (sqlite3.c:98165)
==31360==    by 0x4E71529: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E71529: exprDup (sqlite3.c:98198)
==31360==    by 0x4E7150D: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E7150D: exprDup (sqlite3.c:98196)
==31360==    by 0x4E71C36: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E71C36: sqlite3SelectDup (sqlite3.c:98411)
==31360==    by 0x4E71632: exprDup (sqlite3.c:98165)
==31360==    by 0x4E7DD97: sqlite3ExprDup (sqlite3.c:98281)
==31360==    by 0x4E7DD97: exprListAppendList (sqlite3.c:146289)
Comment 2 Aaron Mangino 2021-01-29 17:45:16 UTC
Hello

I have a customer wanting to know if there is an ETA for this bug fix.
Comment 3 Reinhard Max 2021-01-29 17:53:14 UTC
We plan to upgrade SQLite to the latest version, but there is no ETA yet.

For the time being, please point the customer to this upstream statement regarding alleged CVEs in SQLite:
https://www.sqlite.org/cves.html
Comment 4 Aaron Mangino 2021-01-29 17:57:35 UTC
Thanks for the update.
Comment 13 Ayman Rayyan 2021-04-05 08:08:34 UTC
Hi team,
Kindly, we would appreciate your update on when the package will be released. The customer is following up with us.
Comment 14 Reinhard Max 2021-04-06 18:46:16 UTC
A new submission is on the way to SLE12 and SLE15.
Hopefully this time it will get through.
Comment 16 Ayman Rayyan 2021-04-12 10:06:52 UTC
Hi All,
Sorry to ask you again, but the customer is following up, so, kindly, when can we have the package?
Comment 17 Ayman Rayyan 2021-04-28 09:44:24 UTC
Hi Team,
Kindly, any update!
Comment 18 Ahmed Shawki 2021-04-28 12:09:29 UTC
Hi Team,
This is Ahmed, SE team lead for the MENA region. We have a scheduled call with SABIC management today and we are expected to have an update on that. Can you please let us know the current status of the package submission and the expected availability dates?
Comment 19 Alexandros Toptsoglou 2021-04-28 12:17:43 UTC
(In reply to Ahmed Shawki from comment #18)
> Hi Team,
> This is Ahmed, SE team lead for the MENA region, we have a scheduled call
> with SABIC management today and we are expected to have an update on that,
> can you please let us know the current status of package submission and
> expected availability dates?

Reinhard, could you please help here?
Comment 21 Ahmed Shawki 2021-04-28 12:28:07 UTC
SLES15SP1 for SAP.
CR# 00277222
Comment 23 Reinhard Max 2021-04-28 12:45:17 UTC
(In reply to Alexandros Toptsoglou from comment #19)

> Reinhard could you please help here

Technically the version upgrade would be ready for submission, but I realised that the Jira ticket is only about SLE-15-SP3, while I was assuming we are upgrading all of SLE-15 and SLE-12, which would require an ECO. I asked Marcus for clarification on that, because he opened the ticket, but he hasn't answered yet due to his parental leave.

As a (maybe) quicker alternative I could also look into a backport for this particular issue.

But there are two things that I don't get in this whole thing:

1. Why is the customer so keen on getting this as a maintenance update, given that they already received it as a PTF? Aren't PTFs meant to take the pressure out of situations like this? And yet the customer is still pushing.

2. Why are they only hammering on this particular issue? There are > 20 CVEs we have open for SQLite, which are all of the same class: They can only be exploited with crafted SQL statements, which means that only applications that contain a SQL injection vulnerability themselves are vulnerable to these issues. But if an application does accept SQL from untrusted sources, all kinds of nasty things can be done even with a bug-free SQLite.

Let me once more refer to the upstream statement about these CVEs:
https://www.sqlite.org/cves.html
Comment 24 Ahmed Shawki 2021-04-28 13:39:12 UTC
(In reply to Reinhard Max from comment #23)
> (In reply to Alexandros Toptsoglou from comment #19)
> 
> > Reinhard could you please help here
> 
> Technically the version upgrade would be ready for submission, but I
> realised that the Jira ticket is only about SLE-15-SP3 while I was assuming we
> are upgrading all of SLE-15 and SLE-12, which would require an ECO. I asked
> Marcus for clarification on that, because he opened the ticket, but he
> hasn't answered yet due to his parental leave.
> 
> As a (maybe) quicker alternative I could also look into a backport for this
> particular issue.
> 
> But there are two things that I don't get in this whole thing:
> 
> 1. Why is the customer so keen on getting this as a maintenance update,
> given that they already received it as a PTF? Aren't PTFs meant to take the
> pressure out of situations like this and yet the customer is still pushing?
> 
> 2. Why are they only hammering on this particular issue? There are > 20 CVEs
> we have open for SQLite, which are all of the same class: They can only be
> exploited with crafted SQL statements, which means that only applications
> that contain a SQL injection vulnerability themselves are vulnerable to
> these issues. But if an application does accept SQL from untrusted sources
> all kinds of nasty things can be done even with a bug-free SQLite.
> 
> Let me once more refer to the upstream statement about these CVEs:
> https://www.sqlite.org/cves.html

Original bug is https://bugzilla.suse.com/show_bug.cgi?id=1183309 with the correct version SLES4SAP 15.sp1, so I would appreciate your support in checking the status of porting this to 15.sp1.

Answers:
1. The PTF was shipped and applied. As we are currently part of an SAP transformation project, we have a weekly management call on project progress with the customer and different vendors. From the customer's perspective the PTF is a temporary fix, and their security team is checking on it every call.
2. I'm not sure why this one in particular. If you think we need to educate them about the other CVEs, I'm happy to do so if we are also ready to support/fix those.
Comment 25 Reinhard Max 2021-04-28 13:58:32 UTC
> 1. The PTF was shipped and applied. As we are currently part of an SAP
> transformation project, we have a weekly management call on project progress
> with the customer and different vendors. From the customer's perspective the
> PTF is a temporary fix, and their security team is checking on it every call.

The PTF contains exactly the same fix(es) that they will receive in the final MU once it is done. So, it is true that the PTF is meant to be temporary, but at least in this case it is not a second-class fix.

If I now put effort into a backport of this CVE and release it as a MU it will actually be a downgrade or regression for them compared to the PTF. It would be the old version with a single issue fixed compared to sticking with the PTF that contains a current version with another 22 or so issues fixed and lots of other improvements.

> 2. I'm not sure why this one in particular. If you think we need to educate
> them about the other CVEs, I'm happy to do so if we are also ready to
> support/fix those.

Well, the upgrade I have in preparation will fix all of them, but we should rather educate our customers the other way around, i.e. tell them that all these SQLite CVEs are just bugs, but not security issues for applications that don't already contain a security issue themselves, as described in detail by upstream.
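The point made in comments 23 and 25, as an added example that is not part of the bug report, of SUSE's packaging or of SQLite itself: bugs of this class are only reached through SQL text chosen by an outside party, so an application decides its own exposure by whether untrusted input can ever become statement syntax. It uses Python's standard sqlite3 module with a constructed in-memory database following the reproducer's schema (table a, view c); the version constant is the sqlite3 release shipped by the update in comment 35, and the function names are this example's own.

```python
import sqlite3

# sqlite3-3.36.0 is the release shipped by SUSE-SU-2021:2320-1 (comment 35).
FIXED_VERSION = (3, 36, 0)


def library_is_current(version_info=None):
    """Startup sanity check: is the linked SQLite at least the version the
    maintenance update for this bug shipped? Defaults to the running library."""
    if version_info is None:
        version_info = sqlite3.sqlite_version_info
    return tuple(version_info[:3]) >= FIXED_VERSION


def make_db():
    """Constructed sample data using the reproducer's schema (table a, view c)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE a(b)")
    conn.execute("CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b")
    conn.executemany("INSERT INTO a(b) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def lookup_by_concatenation(conn, name):
    """Vulnerable pattern: untrusted text becomes part of the statement, so the
    caller decides which SQL the engine compiles. This is the only route by
    which crafted SQL such as the reproducer reaches a deployed SQLite."""
    rows = conn.execute(f"SELECT d FROM c WHERE d = '{name}'")
    return [row[0] for row in rows]


def lookup_by_parameter(conn, name):
    """Hardened pattern: the statement text is a constant and `name` is bound
    as a value, so no input can change the SQL the engine sees."""
    rows = conn.execute("SELECT d FROM c WHERE d = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"   # input that carries SQL syntax
    print("library current:", library_is_current())
    print("concatenation returned:", lookup_by_concatenation(db, probe))
    print("parameter returned:    ", lookup_by_parameter(db, probe))
```

With the syntax-bearing probe the concatenating lookup returns every row of the view while the parameterised lookup returns nothing, which is the whole difference between an application that is exposed to this class of SQLite bugs and one that is not.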
Comment 35 Swamp Workflow Management 2021-07-14 20:03:49 UTC
SUSE-SU-2021:2320-1: An update that fixes 21 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701
CVE References: CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
JIRA References: SLE-16032
Sources used:
SUSE MicroOS 5.0 (src):    sqlite3-3.36.0-3.12.1
SUSE Manager Server 4.0 (src):    sqlite3-3.36.0-3.12.1
SUSE Manager Retail Branch Server 4.0 (src):    sqlite3-3.36.0-3.12.1
SUSE Manager Proxy 4.0 (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise Server for SAP 15 (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    sqlite3-3.36.0-3.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    sqlite3-3.36.0-3.12.1
SUSE Enterprise Storage 6 (src):    sqlite3-3.36.0-3.12.1
SUSE CaaS Platform 4.0 (src):    sqlite3-3.36.0-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Swamp Workflow Management 2021-07-14 20:08:45 UTC
openSUSE-SU-2021:2320-1: An update that fixes 21 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701
CVE References: CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
JIRA References: SLE-16032
Sources used:
openSUSE Leap 15.3 (src):    sqlite3-3.36.0-3.12.1
Comment 37 Swamp Workflow Management 2021-07-20 01:28:49 UTC
openSUSE-SU-2021:1058-1: An update that fixes 21 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701
CVE References: CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
JIRA References: SLE-16032
Sources used:
openSUSE Leap 15.2 (src):    sqlite3-3.36.0-lp152.4.3.1
Comment 40 Swamp Workflow Management 2021-09-23 20:37:00 UTC
SUSE-SU-2021:3215-1: An update that fixes 28 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701
CVE References: CVE-2015-3414,CVE-2015-3415,CVE-2016-6153,CVE-2017-10989,CVE-2017-2518,CVE-2018-20346,CVE-2018-8740,CVE-2019-16168,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2019-8457,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
JIRA References: SLE-16032
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    sqlite3-3.36.0-9.18.1
SUSE OpenStack Cloud Crowbar 8 (src):    sqlite3-3.36.0-9.18.1
SUSE OpenStack Cloud 9 (src):    sqlite3-3.36.0-9.18.1
SUSE OpenStack Cloud 8 (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Server 12-SP5 (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    sqlite3-3.36.0-9.18.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    sqlite3-3.36.0-9.18.1
HPE Helion Openstack 8 (src):    sqlite3-3.36.0-9.18.1
Comment 41 Carlos López 2022-06-10 09:40:22 UTC
Done, closing.