Bug 1169126 - (CVE-2020-11655) VUL-0: CVE-2020-11655: sqlite3: denial of service (segmentation fault) via a malformed window-function query
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Major
Assigned To: Reinhard Max
https://smash.suse.de/issue/256911/
CVSSv3.1:RedHat:CVE-2020-11655:7.5:(...
Reported: 2020-04-09 15:34 UTC by Alexandros Toptsoglou
Modified: 2020-05-20 12:28 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2020-04-09 15:34:09 UTC
CVE-2020-11655

SQLite through 3.31.1 allows attackers to cause a denial of service
(segmentation fault) via a malformed window-function query because the AggInfo
object's initialization is mishandled.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11655
https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c
https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11
Comment 1 Alexandros Toptsoglou 2020-04-09 15:36:17 UTC
I cannot reproduce the issue. Could you help me here, Reinhard? According to the ticket the segfault appears from version 3.30.0 onward.
Comment 3 Reinhard Max 2020-05-04 10:14:21 UTC
I cannot reproduce it either.

I tried version 3.28.0 on Leap 15.1, which according to the ticket should throw an assertion fault and 3.31.1 on Tumbleweed, which should trigger a segfault. I also tried a stock build of 3.31.1 without any of the compile time knobs we turn in our RPM.

But all three variants just give me "Error: DISTINCT aggregates must have exactly one argument", which is not a crash, but quite a different error message than "row value misused" which the new test case expects from a fixed version.
Comment 4 Alexandros Toptsoglou 2020-05-20 12:28:00 UTC
Closing this as Upstream