Bug 1131576 – VUL-0: CVE-2018-20506: sqlite3: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow in merge operation

Bug 1131576 - (CVE-2018-20506) VUL-0: CVE-2018-20506: sqlite3: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow in merge operation

(CVE-2018-20506)
Summary:	VUL-0: CVE-2018-20506: sqlite3: SQLite before 3.25.3, when the FTS3 extension...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/228739/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-04-04 14:48 UTC by Alexandros Toptsoglou
Modified:	2020-04-28 15:43 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2019-04-04 14:48:19 UTC

CVE-2018-20506

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer
overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation
that occurs after crafted changes to FTS3 shadow tables, allowing remote
attackers to execute arbitrary code by leveraging the ability to run arbitrary
SQL statements (such as in certain WebSQL use cases). This is a different
vulnerability than CVE-2018-20346.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506
https://support.apple.com/kb/HT209448
https://support.apple.com/kb/HT209447
https://support.apple.com/kb/HT209446
https://support.apple.com/kb/HT209443
https://seclists.org/bugtraq/2019/Jan/39
https://seclists.org/bugtraq/2019/Jan/33
https://seclists.org/bugtraq/2019/Jan/32
https://seclists.org/bugtraq/2019/Jan/31
https://seclists.org/bugtraq/2019/Jan/29
https://support.apple.com/kb/HT209451
http://www.securityfocus.com/bid/106698
http://seclists.org/fulldisclosure/2019/Jan/69
http://seclists.org/fulldisclosure/2019/Jan/68
http://seclists.org/fulldisclosure/2019/Jan/67
http://seclists.org/fulldisclosure/2019/Jan/66
http://seclists.org/fulldisclosure/2019/Jan/64
http://seclists.org/fulldisclosure/2019/Jan/62
https://sqlite.org/src/info/940f2adc8541a838
https://seclists.org/bugtraq/2019/Jan/28
https://support.apple.com/kb/HT209450

Comment 1 Alexandros Toptsoglou 2019-04-04 14:51:39 UTC

The fix [1] for this issue is the same as in  CVE-2018-20346. 

SLE-15 already ships a fixed version 
The fix for SLE-11-SP4 has been already backported
The rest code-streams will receive the update soon

Comment 2 Alexandros Toptsoglou 2019-04-04 14:52:13 UTC

(In reply to Alexandros Toptsoglou from comment #1)
> The fix [1] for this issue is the same as in  CVE-2018-20346. 
> 
> SLE-15 already ships a fixed version 
> The fix for SLE-11-SP4 has been already backported
> The rest code-streams will receive the update soon

[1] https://sqlite.org/src/info/940f2adc8541a838

Comment 4 Swamp Workflow Management 2019-04-09 13:10:10 UTC

SUSE-SU-2019:0913-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1119687,1131576
CVE References: CVE-2018-20346,CVE-2018-20506
Sources used:
SUSE OpenStack Cloud 7 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    sqlite3-3.8.10.2-9.3.1
SUSE Enterprise Storage 4 (src):    sqlite3-3.8.10.2-9.3.1
SUSE CaaS Platform ALL (src):    sqlite3-3.8.10.2-9.3.1
SUSE CaaS Platform 3.0 (src):    sqlite3-3.8.10.2-9.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    sqlite3-3.8.10.2-9.3.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2019-04-17 16:10:29 UTC

SUSE-SU-2019:0973-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1119687,1131576,987394
CVE References: CVE-2016-6153,CVE-2018-20346,CVE-2018-20506
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    sqlite3-3.8.3.1-2.7.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2019-04-17 19:15:17 UTC

openSUSE-SU-2019:1222-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1119687,1131576
CVE References: CVE-2018-20346,CVE-2018-20506
Sources used:
openSUSE Leap 42.3 (src):    sqlite3-3.8.10.2-11.3.1

Comment 8 Alexandros Toptsoglou 2020-04-28 15:43:26 UTC

Done