Bug 1132045 - (CVE-2017-10989) VUL-1: CVE-2017-10989: sqlite3: getNodeSize function in ext/rtree/rtree.c issues
(CVE-2017-10989)
VUL-1: CVE-2017-10989: sqlite3: getNodeSize function in ext/rtree/rtree.c issues
Status: RESOLVED FIXED
: 1132094 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/229418/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-10 06:38 UTC by Marcus Meissner
Modified: 2021-04-06 18:45 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-04-10 06:38:23 UTC
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

https://nvd.nist.gov/vuln/detail/CVE-2017-10989

http://marc.info/?l=sqlite-users&m=149933696214713&w=2 	Patch Third Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405 	
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937 	Issue Tracking Patch Third Party Advisory

https://sqlite.org/src/info/66de6f4a 	Issue Tracking Patch Vendor Advisory
https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
Comment 2 Lidong Zhong 2019-04-18 01:55:36 UTC
*** Bug 1132094 has been marked as a duplicate of this bug. ***
Comment 4 Reinhard Max 2019-04-18 13:43:36 UTC
SLE-15 and SLE-11-GA are not vulnerable.
Comment 5 Swamp Workflow Management 2019-05-10 19:19:57 UTC
SUSE-SU-2019:1208-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1085790,1132045
CVE References: CVE-2017-10989,CVE-2018-8740
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    sqlite3-3.8.10.2-9.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    sqlite3-3.8.10.2-9.6.1
SUSE Linux Enterprise Server 12-SP4 (src):    sqlite3-3.8.10.2-9.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    sqlite3-3.8.10.2-9.6.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    sqlite3-3.8.10.2-9.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    sqlite3-3.8.10.2-9.6.1
SUSE CaaS Platform ALL (src):    sqlite3-3.8.10.2-9.6.1
SUSE CaaS Platform 3.0 (src):    sqlite3-3.8.10.2-9.6.1
OpenStack Cloud Magnum Orchestration 7 (src):    sqlite3-3.8.10.2-9.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-05-22 01:09:01 UTC
openSUSE-SU-2019:1426-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1085790,1132045
CVE References: CVE-2017-10989,CVE-2018-8740
Sources used:
openSUSE Leap 42.3 (src):    sqlite3-3.8.10.2-11.7.1
Comment 8 Swamp Workflow Management 2019-06-17 19:19:03 UTC
SUSE-SU-2019:1522-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1085790,1132045,1136976
CVE References: CVE-2017-10989,CVE-2018-8740,CVE-2019-8457
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    sqlite3-3.8.3.1-2.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Alexandros Toptsoglou 2020-07-10 11:39:10 UTC
Done