redpig.dataspill.org: Multiple vulnerabilities in SQLite versions prior to 3.4.0

Numerous security-related bugs in SQLite affecting most versions before 3.4.0.

Background
"SQLite is the most widely deployed SQL database engine in the world." It "is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine."
Details
This section briefly lists the vulnerabilities and links to the author-supplied fixes in CVStrac. For each issue, [=] names it, [-] describes it, [+] links the CVStrac check-ins that fix it, [?] gives a test case, and [!] adds a caveat. Upgrading to version 3.4.0 is the recommended path to avoid these vulnerabilities.
[=] Integer overflow / heap overflow in ALTER
[-] If a table contains around 214748364 columns and ALTER TABLE is run, the
 allocation size calculation overflows and malloc() is called with a size
 of 0.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3954
 http://www.sqlite.org/cvstrac/chngview?cn=3956
[?] (No test case: building a table with that many columns is far too
 time-consuming.)


[=] Signedness error / heap overflow in select (sqlite3VdbeSetNumCols)
[-] The function sqlite3VdbeSetNumCols takes the column count and multiplies it
 by 5 and then by 64 to compute the allocation size.  A query with 13421772 or
 more result columns makes that product overflow.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3954
 http://www.sqlite.org/cvstrac/chngview?cn=3956
[?] select 1,1,1,1........,1;


[=] Large select statements result in recursion induced stack overflow
[-] The function walkExprTree() in expr.c calls itself recursively for each
 conditional test.  An extremely long chain of conditions, as in the test
 case below, exhausts the stack.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3968
 http://www.sqlite.org/cvstrac/chngview?cn=3954
 http://www.sqlite.org/cvstrac/chngview?cn=3956
[?] select 1 where 1==1 and 1==1 and ...... and 1 == 1;
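
The usual mitigation for this class of bug is to bound the recursion depth rather than trust the C stack. The following is an added example written for this page, not SQLite's code or the fix linked above: it builds the left-deep AND tree that a parser produces for the test case and walks it with an explicit depth limit. The Expr layout, the EX_AND/EX_LITERAL node kinds and the MAX_EXPR_DEPTH value are assumptions made for the demonstration.

```c
/* Added example, not SQLite code: a depth-limited expression walk, the
 * standard mitigation for recursion-induced stack exhaustion. The Expr
 * layout, node kinds and MAX_EXPR_DEPTH are assumptions for this demo. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_EXPR_DEPTH 1000   /* assumed bound; tune to the stack you can afford */

typedef enum { EX_LITERAL, EX_AND } ExprOp;

typedef struct Expr {
    ExprOp op;
    int value;              /* EX_LITERAL only */
    struct Expr *pLeft;     /* EX_AND only */
    struct Expr *pRight;
} Expr;

Expr *expr_literal(int v) {
    Expr *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->op = EX_LITERAL;
    e->value = v;
    return e;
}

Expr *expr_and(Expr *l, Expr *r) {
    Expr *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->op = EX_AND;
    e->pLeft = l;
    e->pRight = r;
    return e;
}

/* "1 AND 1 AND ... AND 1" with n literals, as the left-deep tree a parser
 * builds for the chained WHERE clause in the test case: depth grows with n. */
Expr *build_and_chain(int n) {
    Expr *e = expr_literal(1);
    for (int i = 1; i < n; i++)
        e = expr_and(e, expr_literal(1));
    return e;
}

/* Walk the tree; returns 0/1 for the boolean value, or -1 once nesting
 * exceeds MAX_EXPR_DEPTH instead of recursing until the C stack runs out.
 * Callers start with depth = 0. */
int walk_expr(const Expr *e, int depth) {
    if (depth > MAX_EXPR_DEPTH) return -1;
    switch (e->op) {
    case EX_LITERAL:
        return e->value != 0;
    case EX_AND: {
        int l = walk_expr(e->pLeft, depth + 1);
        if (l < 0) return -1;
        int r = walk_expr(e->pRight, depth + 1);
        if (r < 0) return -1;
        return l && r;
    }
    }
    return -1;
}

/* Teardown uses an explicit stack so that freeing a deep tree cannot
 * itself overflow the C stack. */
void free_expr(Expr *root) {
    size_t cap = 16, n = 0;
    Expr **stack = malloc(cap * sizeof *stack);
    if (!stack) abort();
    if (root) stack[n++] = root;
    while (n > 0) {
        Expr *e = stack[--n];
        Expr *kids[2] = { e->pLeft, e->pRight };
        for (int i = 0; i < 2; i++) {
            if (!kids[i]) continue;
            if (n == cap) {
                cap *= 2;
                stack = realloc(stack, cap * sizeof *stack);
                if (!stack) abort();
            }
            stack[n++] = kids[i];
        }
        free(e);
    }
    free(stack);
}

int main(void) {
    int sizes[] = { 10, 1000, 100000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        Expr *e = build_and_chain(sizes[i]);
        int r = walk_expr(e, 0);
        printf("%d terms: %s\n", sizes[i],
               r < 0 ? "rejected (too deep)" : (r ? "true" : "false"));
        free_expr(e);
    }
    return 0;
}
```

The walker refuses the 100000-term chain after descending only MAX_EXPR_DEPTH+1 frames, so the cost of a hostile query is bounded by the limit rather than by the size of the input.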


[=] Integer overflow / heap overflow in ORDER BY expressions
[-] Similarly to the other column count overflows, memory is allocated for a
 size derived from the multiplication of the number of expressions by several
 fixed sizes: sqliteMalloc( sizeof(*pInfo) + nExpr*(sizeof(CollSeq*)+1) ).
[+] http://www.sqlite.org/cvstrac/chngview?cn=3954
 http://www.sqlite.org/cvstrac/chngview?cn=3956
[?] select 1 order by 1,1,1,1,1,......,1
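
The ALTER, sqlite3VdbeSetNumCols and ORDER BY issues above are all the same defect: an attacker-controlled count is multiplied by fixed sizes without checking that the product fits, so the allocation is far smaller than the code later assumes. The following is an added example written for this page, not SQLite's code or the linked fixes: it reproduces the wrapped byte count next to a checked version that refuses it. The multipliers follow the text; the values of MEM_SIZE and KEYINFO_SIZE, and the signed 32-bit byte count that the "signedness error" wording implies, are assumptions for the demonstration.

```c
/* Added example, not SQLite's code: overflow-checked size arithmetic for
 * the count-driven allocations above. Formulas follow the advisory
 * (nCol*5*64; sizeof(*pInfo) + nExpr*(sizeof(CollSeq*)+1)); MEM_SIZE,
 * KEYINFO_SIZE and the signed 32-bit byte count are assumptions. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define COLNAME_N    5                 /* names per result column (per the text) */
#define MEM_SIZE     64                /* assumed sizeof(Mem) behind the "times 64" */
#define KEYINFO_SIZE 24                /* assumed sizeof(*pInfo) */
#define COLLSEQ_PTR  sizeof(void *)    /* sizeof(CollSeq*) */

/* a*b in size_t, failing instead of wrapping. */
int mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) { *out = 0; return 0; }
    *out = a * b;
    return 1;
}

/* a+b in size_t, failing instead of wrapping. */
int add_size_checked(size_t a, size_t b, size_t *out) {
    if (b > SIZE_MAX - a) { *out = 0; return 0; }
    *out = a + b;
    return 1;
}

/* The unchecked computation as a 32-bit int would hold it: the product is
 * formed in 64 bits and then truncated, which reproduces the wrap without
 * invoking signed-overflow undefined behaviour in the demo itself. */
int32_t colname_bytes_unchecked(int32_t nCol) {
    uint64_t bytes = (uint64_t)(uint32_t)nCol * COLNAME_N * MEM_SIZE;
    return (int32_t)(uint32_t)bytes;   /* two's-complement truncation */
}

/* Hardened: the byte count must be computed without overflow and must also
 * fit the (assumed) signed int that the allocator takes. */
int colname_bytes_checked(int32_t nCol, size_t *bytes) {
    size_t tmp;
    if (nCol < 0) return 0;
    if (!mul_size_checked((size_t)nCol, COLNAME_N, &tmp)) return 0;
    if (!mul_size_checked(tmp, MEM_SIZE, bytes)) return 0;
    return *bytes <= (size_t)INT_MAX;
}

/* Same treatment for the ORDER BY KeyInfo allocation. */
int keyinfo_bytes_checked(int32_t nExpr, size_t *bytes) {
    size_t per, tmp;
    if (nExpr < 0) return 0;
    if (!add_size_checked(COLLSEQ_PTR, 1, &per)) return 0;   /* sizeof(CollSeq*)+1 */
    if (!mul_size_checked((size_t)nExpr, per, &tmp)) return 0;
    if (!add_size_checked(KEYINFO_SIZE, tmp, bytes)) return 0;
    return *bytes <= (size_t)INT_MAX;
}

int main(void) {
    size_t n;
    int32_t counts[] = { 100, 13421772, INT32_MAX };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int32_t c = counts[i];
        printf("nCol=%d unchecked=%d checked=%s\n", (int)c,
               (int)colname_bytes_unchecked(c),
               colname_bytes_checked(c, &n) ? "ok" : "rejected");
    }
    return 0;
}
```

For 13421772 columns the unchecked product 4294967040 truncates to a negative 32-bit size, which is the "signedness error" the advisory names; the checked version rejects it because the product exceeds INT_MAX even though it fits in 64-bit size_t arithmetic.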


[=] Arithmetic overflow in the modulus operator
[-] The division and modulus code check for a divisor of 0 but neglect the
 LLONG_MIN / -1 case.  Due to SQLite's type handling, -2**31 is treated as a
 32-bit integer, while -9223372036854775808 is treated as a real.  Division
 is performed on doubles, but for modulo the value is cast down to a 32-bit
 integer.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3945
[?] select (-9223372036854775808 % -1);
 select (-2147483648.0 % -1);
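
A divisor check that only tests for zero misses the second trapping case of two's-complement division: INT_MIN / -1 (and, on x86, INT_MIN % -1, because idiv computes the unrepresentable quotient before the remainder). The following is an added example written for this page, not SQLite's code or the fix in check-in 3945: guarded 64-bit division and remainder, plus the double-to-32-bit narrowing path the text describes for modulo. The function names and result codes are this example's own.

```c
/* Added example, not SQLite's code or fix: guarded integer division and
 * remainder covering the LLONG_MIN / -1 trap described above. */
#include <stdint.h>
#include <stdio.h>

enum { DIV_OK = 0, DIV_BY_ZERO = 1, DIV_OVERFLOW = 2 };

/* LLONG_MIN % -1: the mathematical remainder is 0, but on x86/x86-64 the
 * idiv instruction computes the quotient first, that quotient (2^63) does
 * not fit, and the CPU raises #DE (SIGFPE on Unix). Checking only for
 * b == 0 is therefore not enough; a divisor of -1 is handled before dividing. */
int safe_rem64(int64_t a, int64_t b, int64_t *out) {
    if (b == 0) return DIV_BY_ZERO;
    if (b == -1) { *out = 0; return DIV_OK; }   /* a % -1 == 0 for every a */
    *out = a % b;
    return DIV_OK;
}

/* Division has the same trap, and here the true result (2^63) is not
 * representable at all, so it is reported rather than computed. */
int safe_div64(int64_t a, int64_t b, int64_t *out) {
    if (b == 0) return DIV_BY_ZERO;
    if (a == INT64_MIN && b == -1) return DIV_OVERFLOW;
    *out = a / b;
    return DIV_OK;
}

/* The narrowing path the text describes for modulo: a real operand is cast
 * down to a 32-bit integer first, so -2147483648.0 becomes INT32_MIN and
 * INT32_MIN % -1 traps exactly like the 64-bit case. Out-of-range doubles
 * (and NaN) are rejected because converting them to int is undefined. */
int safe_rem32_from_double(double a, int32_t b, int32_t *out) {
    if (!(a >= (double)INT32_MIN && a <= (double)INT32_MAX)) return DIV_OVERFLOW;
    int32_t ai = (int32_t)a;
    if (b == 0) return DIV_BY_ZERO;
    if (b == -1) { *out = 0; return DIV_OK; }
    *out = ai % b;
    return DIV_OK;
}

int main(void) {
    int64_t r64 = 0;
    int32_t r32 = 0;
    int rc;

    rc = safe_rem64(INT64_MIN, -1, &r64);            /* the first test case */
    printf("LLONG_MIN %% -1 -> rc=%d r=%lld\n", rc, (long long)r64);

    rc = safe_div64(INT64_MIN, -1, &r64);
    printf("LLONG_MIN / -1 -> rc=%d (overflow)\n", rc);

    rc = safe_rem32_from_double(-2147483648.0, -1, &r32); /* the second test case */
    printf("-2147483648.0 %% -1 -> rc=%d r=%d\n", rc, (int)r32);
    return 0;
}
```

Both of the advisory's test cases reduce to a remainder with divisor -1, which the guarded functions answer with 0 instead of letting the hardware fault; only true division by -1 of the minimum value has no representable answer and is reported as an overflow.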


[=] Out-of-bounds read in sqlite_rename_trigger / sqlite_rename_table
[-] Two internally used functions, sqlite_rename_trigger and
 sqlite_rename_table, do not properly check for a terminating token when
 parsing their arguments.  This results in out-of-bounds reads.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3944
[?] select sqlite_rename_table(0, 0);
 select sqlite_rename_trigger(0,0);


[=] NULL pointer dereference with pathological detach queries
[-] If unexpected SQL follows the DETACH command, a NULL pointer dereference
 occurs in the parsing code.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3965
[?] DETACH RAISE ( IGNORE ) IN ( SELECT "AAAAAA" . * ORDER BY REGISTER LIMIT
   "AAAAAA" . "AAAAAA" OFFSET RAISE ( IGNORE ) NOT NULL );


[=] NULL pointer dereference with pathological SQL
[-] This is similar to the earlier bug with DETACH but takes a different code
 path.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3965
[?] DETACH DATABASE ( NOT ( SELECT * ) IN ( ) );


[=] Multiple parser bugs resulting in NULL pointer dereferences, bad free()s,
 and assertions
[-] Register tokens (the #NNN syntax in the test case) are used internally by
 SQLite to track stack state.  Accepting them in user-supplied SQL leads to
 NULL pointer dereferences, bad free()s, and assertion failures.
[+] http://www.sqlite.org/cvstrac/chngview?cn=3980
[?] SELECT + #100;
[!] Note: assert() statements are compiled out of most SQLite builds by the
 definition of NDEBUG, so a condition that would abort a debug build is
 silently violated instead.  This may increase the impact of any reachable
 assertion.


[=] Schema corruption possible with malformed unicode
[-] Due to a string-length mismatch when ALTER TABLE and substr() process
 malformed UTF-8, malformed Unicode can be used to corrupt the schema.  This
 allows memory exhaustion attacks as well as general table damage.
[+] http://www.sqlite.org/cvstrac/chngview?cn=4003
 http://www.sqlite.org/cvstrac/chngview?cn=4033
[?] E.g. (\xc6 is a two-byte UTF-8 lead byte, so \xc6\xc6 is malformed):
 echo -e 'create table bar ("\xc6\xc6");' | ./sqlite3 db
 echo "alter table bar add column aaa;"   | ./sqlite3 db
 echo "alter table bar add column aaa;"   | ./sqlite3 db
 echo "alter table bar add column aaa;"   | ./sqlite3 db
 echo ".schema bar"                       | ./sqlite3 db
 # Shows the broken schema


[=] Multiple issues with zeroblob()
[-] zeroblob(N) creates a blob value whose claimed size is the supplied
 argument.  Due to missing checks, bitwise ORs were performed on NULL
 values, and bad free()s occurred when zeroblob was given a negative size.
[+] http://www.sqlite.org/cvstrac/chngview?cn=4048
[?] select hex(zeroblob(1) | x'01');
 select zeroblob(-1);
Credit
This work was sponsored by my employer.

This page does not necessarily reflect the views of my employer or anyone I'm associated with.
redpig@dataspill.org