Bugzilla – Bug 1150137
VUL-0: CVE-2019-16168: sqlite3: improper validation of sqlite_stat1 sz field leads to division by zero
Last modified: 2020-05-06 15:44:49 UTC
CVE-2019-16168
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://www.sqlite.org/src/timeline?c=98357d8c1263920b
https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
Only affects sqlite3 and specifically the versions found in SLE12, SLE12-SP1 and SLE15.

To reproduce the issue simply do the following:
1) valgrind sqlite3
2) sqlite> .read $POC

OUTPUT:
==16118== Process terminating with default action of signal 8 (SIGFPE): dumping core
==16118==  Integer divide by zero at address 0x100328C7C0
==16118==    at 0x441180: whereLoopAddBtreeIndex (sqlite3.c:121073)
==16118==    by 0x441AD1: whereLoopAddBtree (sqlite3.c:121430)
==16118==    by 0x45ABD4: whereLoopAddAll (sqlite3.c:121764)
==16118==    by 0x45ABD4: sqlite3WhereBegin (sqlite3.c:122809)
==16118==    by 0x45E580: sqlite3Select (sqlite3.c:111475)
==16118==    by 0x484F27: yy_reduce (sqlite3.c:125636)
==16118==    by 0x484F27: sqlite3Parser (sqlite3.c:126716)
==16118==    by 0x488806: sqlite3RunParser (sqlite3.c:127539)
==16118==    by 0x488E39: sqlite3Prepare (sqlite3.c:106212)
==16118==    by 0x48912B: sqlite3LockAndPrepare (sqlite3.c:106307)
==16118==    by 0x489407: sqlite3_prepare_v2 (sqlite3.c:106383)
==16118==    by 0x40AA6E: shell_exec.constprop.13 (shell.c:1499)
==16118==    by 0x40FBDD: process_input (shell.c:4217)
==16118==    by 0x40D4EA: do_meta_command (shell.c:3450)
Created attachment 817538 [details] POC
fix at https://www.sqlite.org/src/info/98357d8c1263920b
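The bug as described above is a planner cost estimate whose divisor comes straight from an attacker-controlled "sz=" token in a sqlite_stat1 row. The following is an added example, not SQLite's code and not the upstream fix: it models that data flow in a few dozen lines so the failure mode and the validation can be run side by side. The stat-string layout ("<rowcount> <...> sz=<bytes>"), the log_est() approximation, the cost formula shape, and the clamp-to-2 used in row_log_est_checked() are my assumptions about the mechanism, chosen to match the CVE text; the stat strings in main() are constructed inputs.

```c
/* Added example (not SQLite's code): models how an unvalidated "sz=N"
 * token in a sqlite_stat1 stat string becomes a zero divisor in an
 * index-cost estimate, and the clamp that prevents it. Names, the
 * cost formula and the default row size are simplified assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rough integer 10*log2(x) estimator in the style of a "LogEst".
 * Returns 0 for x < 2, which is exactly why an unchecked sz=0 or sz=1
 * turns into a zero divisor further down. */
int log_est(unsigned long long x) {
    int r = 0;
    if (x < 2) return 0;
    while (x >= 2) { x >>= 1; r += 10; }
    return r;
}

/* Parse the first whitespace-delimited "sz=<digits>" token of a stat
 * string such as "1000 50 sz=0". Returns 1 and stores the value, or 0
 * if no such token is present. */
int parse_sz(const char *stat, long *sz_out) {
    const char *p = stat;
    while ((p = strstr(p, "sz=")) != NULL) {
        int at_token_start = (p == stat) || isspace((unsigned char)p[-1]);
        if (at_token_start && isdigit((unsigned char)p[3])) {
            *sz_out = strtol(p + 3, NULL, 10);
            return 1;
        }
        p += 3;
    }
    return 0;
}

/* Unvalidated path: whatever sz says becomes the row-size estimate. */
int row_log_est_unchecked(const char *stat) {
    long sz;
    if (!parse_sz(stat, &sz)) return log_est(100);  /* assumed default */
    return log_est((unsigned long long)sz);
}

/* Validated path: clamp sz to at least 2 before taking the estimate,
 * so the value later used as a divisor can never be zero. The
 * constant 2 is my assumption, not a quote of the upstream fix. */
int row_log_est_checked(const char *stat) {
    long sz;
    if (!parse_sz(stat, &sz)) return log_est(100);
    if (sz < 2) sz = 2;
    return log_est((unsigned long long)sz);
}

/* Cost estimate of the shape (k * idx_row_est) / tab_row_est. Instead
 * of dividing by zero (SIGFPE, as in the valgrind trace above) it
 * returns -1 so the caller can see the poisoned input. */
int index_cost(int idx_log, int tab_log) {
    if (tab_log == 0) return -1;
    return (15 * idx_log) / tab_log;
}

int main(void) {
    const char *poisoned = "1000 50 sz=0";    /* constructed stat string */
    const char *normal   = "1000 50 sz=120";  /* constructed stat string */
    int idx = log_est(40);
    printf("unchecked, sz=0:   cost=%d\n", index_cost(idx, row_log_est_unchecked(poisoned)));
    printf("checked,   sz=0:   cost=%d\n", index_cost(idx, row_log_est_checked(poisoned)));
    printf("checked,   sz=120: cost=%d\n", index_cost(idx, row_log_est_checked(normal)));
    return 0;
}
```

The same parse_sz() plus "sz < 2" test is the check to run over every row of sqlite_stat1 in a database file received from an untrusted source before an unpatched application opens it: the planner consults those rows on the first query that touches the table, so the crash needs no further interaction.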
(In reply to Alexandros Toptsoglou from comment #1)
> Only affects sqlite3 and specifically the versions found in SLE12,SLE12-SP1
> and SLE15.

The bug was introduced in version 3.8.5, so 3.8.3 on SLE12 is not affected, but SLE12-SP1 and SLE15 are.
During bug validation I found that 12SP3 and 15/15SP1 were not affected. 12SP4 was.
SUSE-SU-2019:2533-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): sqlite3-3.28.0-3.9.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): sqlite3-3.28.0-3.9.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): sqlite3-3.28.0-3.9.2
SUSE Linux Enterprise Module for Basesystem 15 (src): sqlite3-3.28.0-3.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2536-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): sqlite3-3.8.10.2-9.12.1
SUSE Linux Enterprise Server 12-SP4 (src): sqlite3-3.8.10.2-9.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src): sqlite3-3.8.10.2-9.12.1
SUSE CaaS Platform 3.0 (src): sqlite3-3.8.10.2-9.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2298-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
openSUSE Leap 15.0 (src): sqlite3-3.28.0-lp150.2.9.1
openSUSE-SU-2019:2300-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
openSUSE Leap 15.1 (src): sqlite3-3.28.0-lp151.2.3.1
Done