Bug 1150137 - (CVE-2019-16168) VUL-0: CVE-2019-16168: sqlite3: improper validation of sqlite_stat1 sz field leads to division by zero
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/242074/
Whiteboard: CVSSv3:SUSE:CVE-2019-16168:6.5:(AV:N/...
Depends on:
Blocks:

Reported: 2019-09-10 10:08 UTC by Alexandros Toptsoglou
Modified: 2020-05-06 15:44 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
POC (152 bytes, application/sql), 2019-09-10 10:11 UTC, Alexandros Toptsoglou

Description Alexandros Toptsoglou 2019-09-10 10:08:18 UTC
CVE-2019-16168

In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a
browser or other application because of missing validation of a sqlite_stat1 sz
field, aka a "severe division by zero in the query planner."

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://www.sqlite.org/src/timeline?c=98357d8c1263920b
https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
Comment 1 Alexandros Toptsoglou 2019-09-10 10:11:27 UTC
Only affects sqlite3 and specifically the versions found in SLE12, SLE12-SP1 and SLE15. To reproduce the issue simply do the following:

1) valgrind sqlite3
2) sqlite> .read $POC

OUTPUT:

==16118== Process terminating with default action of signal 8 (SIGFPE): dumping core
==16118==  Integer divide by zero at address 0x100328C7C0
==16118==    at 0x441180: whereLoopAddBtreeIndex (sqlite3.c:121073)
==16118==    by 0x441AD1: whereLoopAddBtree (sqlite3.c:121430)
==16118==    by 0x45ABD4: whereLoopAddAll (sqlite3.c:121764)
==16118==    by 0x45ABD4: sqlite3WhereBegin (sqlite3.c:122809)
==16118==    by 0x45E580: sqlite3Select (sqlite3.c:111475)
==16118==    by 0x484F27: yy_reduce (sqlite3.c:125636)
==16118==    by 0x484F27: sqlite3Parser (sqlite3.c:126716)
==16118==    by 0x488806: sqlite3RunParser (sqlite3.c:127539)
==16118==    by 0x488E39: sqlite3Prepare (sqlite3.c:106212)
==16118==    by 0x48912B: sqlite3LockAndPrepare (sqlite3.c:106307)
==16118==    by 0x489407: sqlite3_prepare_v2 (sqlite3.c:106383)
==16118==    by 0x40AA6E: shell_exec.constprop.13 (shell.c:1499)
==16118==    by 0x40FBDD: process_input (shell.c:4217)
==16118==    by 0x40D4EA: do_meta_command (shell.c:3450)
Comment 2 Alexandros Toptsoglou 2019-09-10 10:11:53 UTC
Created attachment 817538
POC
Comment 3 Alexandros Toptsoglou 2019-09-10 10:12:49 UTC
fix at https://www.sqlite.org/src/info/98357d8c1263920b
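Added illustration (not from this bug, its attached POC, or SQLite's source): a small C model of the defect described above. The stat column of sqlite_stat1 is data inside the database file, so a crafted file chooses the sz= value; before the fix that value was stored as-is and the query planner divided by it, which for sz=0 is the SIGFPE in the comment 1 backtrace. load_row_size_clamped shows the shape of the upstream fix linked in comment 3 (clamp once at load time rather than guard every use). The function names, the default row size, the clamp floor of 2 and the cost arithmetic are assumptions of this model, not SQLite's code.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default row-size estimate used when sqlite_stat1 carries no sz= field.
 * The value is an assumption for this model, not SQLite's constant. */
#define DEFAULT_ROW_SIZE 10

/* Scan a sqlite_stat1 "stat" string (space-separated tokens, for example
 * "1000 20 sz=48") for a token of the form sz=<digits>.  Returns the
 * parsed number, or -1 when no such token exists.  Like the real loader
 * this requires at least one digit after "sz=", so "sz=" and "sz=-5"
 * are ignored rather than parsed. */
static int find_sz_token(const char *stat)
{
    const char *z = stat;
    while (*z) {
        while (*z == ' ') z++;                 /* skip separators */
        if (strncmp(z, "sz=", 3) == 0 && isdigit((unsigned char)z[3]))
            return atoi(z + 3);
        while (*z && *z != ' ') z++;           /* skip this token */
    }
    return -1;
}

/* Pre-fix behaviour (modelled): whatever the stat column says becomes the
 * row-size estimate, including 0.  The column lives inside the database
 * file, so a crafted file controls this value. */
static int load_row_size_unchecked(const char *stat, int current)
{
    int sz = find_sz_token(stat);
    return sz < 0 ? current : sz;
}

/* Post-fix behaviour (modelled): clamp the estimate to a minimum of 2
 * before it is stored, so it can never reach the planner as a zero
 * divisor.  The floor of 2 is an assumption of this model. */
static int load_row_size_clamped(const char *stat, int current)
{
    int sz = find_sz_token(stat);
    if (sz < 0) return current;
    if (sz < 2) sz = 2;
    return sz;
}

/* Model of the planner's per-row cost for an index lookup, which divides
 * by the table row-size estimate.  The real code divides unconditionally
 * (that is the SIGFPE in the valgrind trace above); this model returns -1
 * instead so the demo can show the condition without crashing. */
static int index_lookup_cost(int nOut, int szIdxRow, int szTabRow)
{
    if (szTabRow == 0)
        return -1;                             /* would trap with SIGFPE */
    return nOut + 1 + (15 * szIdxRow) / szTabRow;
}

int main(void)
{
    /* Constructed stat strings: a normal ANALYZE-style result and a
     * hostile one as a crafted database file could carry. */
    const char *benign  = "1000 sz=48";
    const char *hostile = "1000 sz=0";
    int idx = 20;                              /* index row size, assumed */

    int tab_benign    = load_row_size_clamped(benign, DEFAULT_ROW_SIZE);
    int tab_unchecked = load_row_size_unchecked(hostile, DEFAULT_ROW_SIZE);
    int tab_clamped   = load_row_size_clamped(hostile, DEFAULT_ROW_SIZE);

    printf("benign   : szTabRow=%d cost=%d\n",
           tab_benign, index_lookup_cost(5, idx, tab_benign));
    printf("unchecked: szTabRow=%d cost=%d (-1 = division by zero)\n",
           tab_unchecked, index_lookup_cost(5, idx, tab_unchecked));
    printf("clamped  : szTabRow=%d cost=%d\n",
           tab_clamped, index_lookup_cost(5, idx, tab_clamped));
    return 0;
}
```

Clamping in the loader rather than at the one division is the right place for the check: the estimate is persisted state read once at schema load, and a guard only at a single use would leave any other consumer of the value exposed.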
Comment 4 Reinhard Max 2019-09-10 15:32:05 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> Only affects sqlite3 and specifically the versions found in SLE12,SLE12-SP1
> and SLE15.

The bug was introduced in version 3.8.5, so 3.8.3 on SLE12 is not affected, but SLE12-SP1 and SLE15 are.
Comment 7 Antonios Konstantinos Pappas 2019-10-01 09:01:47 UTC
During bug validation I found that 12SP3 and 15/15SP1 were not affected. 12SP4 was.
Comment 8 Swamp Workflow Management 2019-10-03 16:15:55 UTC
SUSE-SU-2019:2533-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    sqlite3-3.28.0-3.9.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    sqlite3-3.28.0-3.9.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    sqlite3-3.28.0-3.9.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    sqlite3-3.28.0-3.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-10-03 16:19:21 UTC
SUSE-SU-2019:2536-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    sqlite3-3.8.10.2-9.12.1
SUSE Linux Enterprise Server 12-SP4 (src):    sqlite3-3.8.10.2-9.12.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    sqlite3-3.8.10.2-9.12.1
SUSE CaaS Platform 3.0 (src):    sqlite3-3.8.10.2-9.12.1
Comment 10 Swamp Workflow Management 2019-10-08 22:13:05 UTC
openSUSE-SU-2019:2298-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
openSUSE Leap 15.0 (src):    sqlite3-3.28.0-lp150.2.9.1
Comment 11 Swamp Workflow Management 2019-10-08 22:16:02 UTC
openSUSE-SU-2019:2300-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1150137
CVE References: CVE-2019-16168
Sources used:
openSUSE Leap 15.1 (src):    sqlite3-3.28.0-lp151.2.3.1
Comment 12 Alexandros Toptsoglou 2020-05-06 15:44:49 UTC
Done