Bug 1157817 - (CVE-2019-19242) VUL-1: CVE-2019-19242: sqlite3,sqlite2,sqlite: undefined behavior can occur when using generated columns that evaluate to a constant in an index and then making use of that index in a join
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/247967/
CVSSv2:NVD:CVE-2019-19242:4.3:(AV:N/A...
Reported: 2019-11-26 17:34 UTC by Wolfgang Frisch
Modified: 2020-05-12 18:44 UTC
Found By: Security Response Team

Description Wolfgang Frisch 2019-11-26 17:34:21 UTC
CVE-2019-19242

SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. Undefined behavior can occur when using generated columns that evaluate to a constant in an index and then making use of that index in a join.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19242
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19242.html
Comment 2 Reinhard Max 2020-04-06 14:22:41 UTC
I think we can close this as no official release of SQLite was ever affected:

https://sqlite.org/src/info/8b12e95fec7ce6e0

--- snip ---
The problem fixed in this check-in was reported out as CVE-2019-19244. We, the developers and maintainers of SQLite, believe that report is erroneous as the problem never appeared in any released version of SQLite.

The problem was introduced when we started adding support for Generated Columns, check-in [b855acf1831943b3] on 2019-10-25. Thus the window of vulnerability spans 27 days in late October and in November.

Generated column support is a new feature of SQLite that is under active development. The bug fixed by this check-in is one of many other bugs associated with the new feature. Curiously, this is the only one that has received a CVE (so far).

The CVE was entered without the SQLite developers' approval or even consultation by a third-party who has no control over and only limited knowledge of SQLite. There is, apparently, no vetting of CVEs. Anybody can enter a CVE about anything they want, whenever they want, irregardless of whether the report is pertinent or factual. 
--- snap ---
Comment 3 Wolfgang Frisch 2020-04-07 08:26:30 UTC
Thanks for the analysis. Closing as invalid.
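
A triage check built on the window quoted in Comment 2, as an added example that is not part of the original bug report or of SQLite's own code: it reads the check-in date from `sqlite_source_id()` and flags builds cut from trunk during that window. The window end is an assumption derived from the quoted "27 days", and the sample source ids are constructed.

```python
import sqlite3
from datetime import date, timedelta

# Window from the quoted check-in comment: generated-column support landed
# on trunk on 2019-10-25 and the bug existed for 27 days.
WINDOW_START = date(2019, 10, 25)
WINDOW_END = WINDOW_START + timedelta(days=27)  # assumption: derived from "27 days"

def source_date(source_id: str) -> date:
    """Parse the leading 'YYYY-MM-DD' of a sqlite_source_id() string."""
    return date.fromisoformat(source_id.split()[0])

def in_window(source_id: str) -> bool:
    """True if the build's check-in date falls inside the trunk-only window."""
    return WINDOW_START <= source_date(source_id) <= WINDOW_END

def has_generated_columns(conn) -> bool:
    """Feature probe: does this library accept a generated-column definition?"""
    try:
        conn.execute("CREATE TEMP TABLE gc_probe(a INT, b INT GENERATED ALWAYS AS (a + 1))")
        conn.execute("DROP TABLE gc_probe")
        return True
    except sqlite3.OperationalError:  # syntax error on libraries without the feature
        return False

def triage_runtime() -> dict:
    """Report on the SQLite library this Python process is linked against."""
    conn = sqlite3.connect(":memory:")
    try:
        sid = conn.execute("SELECT sqlite_source_id()").fetchone()[0]
        return {"version": sqlite3.sqlite_version, "source_id": sid,
                "generated_columns": has_generated_columns(conn),
                "in_window": in_window(sid)}
    finally:
        conn.close()

# Constructed source ids (the hashes are placeholders, not real check-ins).
SAMPLES = {
    "before window": "2019-10-10 12:00:00 " + "0" * 64,
    "inside window": "2019-11-05 12:00:00 " + "1" * 64,
    "after window": "2020-01-22 12:00:00 " + "2" * 64,
}

if __name__ == "__main__":
    for label, sid in SAMPLES.items():
        print(f"{label}: in_window={in_window(sid)}")
    print(triage_runtime())
```

A build that reports `in_window` as true was cut from a development snapshot rather than a release and should be replaced with a released version.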