sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability

Related Vulnerabilities: CVE-2019-5018   CVE-2019-8457   CVE-2019-5827  

Debian Bug report logs - #928770

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 10 May 2019 19:09:01 UTC

Severity: grave

Tags: security, upstream

Found in version sqlite3/3.27.2-2

Fixed in version sqlite3/3.27.2-3

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Fri, 10 May 2019 19:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 10 May 2019 19:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability
Date: Fri, 10 May 2019 21:04:33 +0200
Source: sqlite3
Version: 3.27.2-2
Severity: grave
Tags: security
Justification: user security hole

Hi,

The following vulnerability was published for sqlite3.

CVE-2019-5018[0]:
Window Function Remote Code Execution Vulnerability

The issue must have been fixed upstream around 2019-03-28, but no
upstream fixing commit is referenced at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5018
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777

Regards,
Salvatore



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 10 May 2019 21:03:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Thu, 16 May 2019 09:57:04 GMT)


Acknowledgement sent to Pirate Praveen <praveen@onenetbeyond.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 16 May 2019 09:57:04 GMT)


Message #12 received at 928770@bugs.debian.org:

From: Pirate Praveen <praveen@onenetbeyond.org>
To: 928770@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability
Date: Thu, 16 May 2019 15:26:10 +0530
On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: sqlite3
> Version: 3.27.2-2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for sqlite3.
> 
> CVE-2019-5018[0]:
> Window Function Remote Code Execution Vulnerability
> 
> The issue must have been fixed upstream around 2019-03-28, but no
> upstream fixing commit is referenced at [1].
> 

Could this be that commit? I have not checked thoroughly, only looked at
the commit message.

"Prevent aliases of window functions expressions from being used as
arguments to aggregate or other window functions."

https://sqlite.org/src/info/1e16d3e8fc60d39c


> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-5018
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018
> [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
> 
> Regards,
> Salvatore
> 
> 


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Thu, 16 May 2019 18:12:04 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 16 May 2019 18:12:04 GMT)


Message #17 received at 928770@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Pirate Praveen <praveen@onenetbeyond.org>, 928770@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability
Date: Thu, 16 May 2019 20:09:52 +0200
Hi,

On Thu, May 16, 2019 at 11:57 AM Pirate Praveen
<praveen@onenetbeyond.org> wrote:
> On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > Source: sqlite3
> > The following vulnerability was published for sqlite3.
> > CVE-2019-5018[0]:
> > Window Function Remote Code Execution Vulnerability
> Could this be that commit? I have not checked thoroughly, only looked at
> the commit message.
>
> "Prevent aliases of window functions expressions from being used as
> arguments to aggregate or other window functions."
>
> https://sqlite.org/src/info/1e16d3e8fc60d39c
Can be, but not sure. At least four sqlite 3.x issues were reported
recently and, as far as I know, upstream is usually not informed about these.
:-/

> > [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777

Regards,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Sat, 18 May 2019 08:06:02 GMT)


Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 18 May 2019 08:06:02 GMT)


Message #22 received at 928770@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 928770@bugs.debian.org, László Böszörményi (GCS) <gcs@debian.org>, Pirate Praveen <praveen@onenetbeyond.org>
Subject: Re: Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability
Date: Sat, 18 May 2019 08:02:00 +0000
On Thu, 16 May 2019 20:09:52 +0200
László Böszörményi (GCS) <gcs@debian.org> wrote:
> Hi,
> 
> On Thu, May 16, 2019 at 11:57 AM Pirate Praveen
> <praveen@onenetbeyond.org> wrote:
> > On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
> > <carnil@debian.org> wrote:
> > > Source: sqlite3
> > > The following vulnerability was published for sqlite3.
> > > CVE-2019-5018[0]:
> > > Window Function Remote Code Execution Vulnerability
> > Could this be that commit? I have not checked thoroughly, only looked at
> > the commit message.
> >
> > "Prevent aliases of window functions expressions from being used as
> > arguments to aggregate or other window functions."
> >
> > https://sqlite.org/src/info/1e16d3e8fc60d39c
> Can be, but not sure. At least four sqlite 3.x issues were reported
> recently and, as far as I know, upstream is usually not informed about these.
> :-/
> 
> > > [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
> 
> Regards,
> Laszlo/GCS
> 
> 


According to the TALOS link from the initial mail, TALOS informed the
vendor and the vendor provided on the same day as that commit.

"""
Timeline

2019-02-05 - Vendor Disclosure
2019-03-07 - 30 day follow up with vendor; awaiting moderator approval
2019-03-28 - Vendor patched
2019-05-09 - Public Release
"""

So this implies that there is a patch and it would be dated no later
than 2019-03-28 (caveat emptor: time zones).  It *might* be fixed in
3.28 (TALOS does not mention it as vulnerable), but the changelog does
not mention this explicitly[1].

Alternatively, it could be related to:
https://www.sqlite.org/src/info/4feb3159c6bc3f7e33959

This was released as a part of 3.27.2 and looks like it has the right
text as well.  What concerns me is that the ticket[0] is almost a week
before TALOS's timeline for "Vendor patched", plus it mentions "free
that has not been malloc'ed" rather than "use after free".  That said,
the test case examples for both issues are similar.

Thanks,
~Niels

[0] Related and correct commit appears to be:
https://www.sqlite.org/src/info/a21ffcd8176672e7

(Based on https://www.sqlite.org/src/info/579b66eaa0816561)

[1] https://www.sqlite.org/draft/changes.html




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Sat, 25 May 2019 19:09:05 GMT)


Acknowledgement sent to bugs@humanleg.org.uk:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 25 May 2019 19:09:05 GMT)


Message #27 received at 928770@bugs.debian.org:

From: Robert Scott <bugs@humanleg.org.uk>
To: 928770@bugs.debian.org
Subject: Re: Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability
Date: Sat, 25 May 2019 20:00:20 +0100
> Alternatively, it could be related to:
> https://www.sqlite.org/src/info/4feb3159c6bc3f7e33959
> 
> This was released as a part of 3.27.2 and looks like it has the right
> text as well.  What concerns me is that the ticket[0] is almost a week
> before TALOS's timeline for "Vendor patched" plus it mentioned "free
> that has not been malloc'ed" rather than "use after free".  That said,
> the test case examples for both issues are similar.

This looks like a promising candidate. If you have the actual test case 
examples (I don't seem to be able to find them) it's surely "just" a matter of 
trying the PoC against this revision and its parent. Or going a bit further, 
using it to bisect between 3.27 and 3.28 (using a git mirror of the source).


robert.
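A bisection driver of the kind suggested in the message above, as an added example that is not part of the bug report, of SQLite or of git's own code. It keeps the shape of `git bisect run` with the roles reversed for a fix hunt (the oldest revision of the range is the one known to crash, the newest the one known to be fixed) and lets the oracle answer "untestable" the way `git bisect skip` does, which is the case that turns a single answer into a candidate set. The revision ids, the position of the fix and the oracle are all constructed for the demo; in real use the oracle would check out the revision, build sqlite3 and run the reproducer.

```python
"""Bisection driver (added example, not from the bug report or from SQLite/git):
find the first revision at which a crash reproducer stops triggering, the way
`git bisect run` would when the old end of the range is the crashing
revision and the new end is the fixed one."""

from typing import Callable, List, Optional, Sequence, Set

# Oracle verdicts. UNTESTABLE plays the role of `git bisect skip` (for
# instance, the tree does not build at that revision).
CRASHES, FIXED, UNTESTABLE = "crashes", "fixed", "untestable"

# Constructed revision ids standing in for a linear slice of history, oldest
# first (in practice: `git rev-list --reverse old..new`).
DEMO_REVISIONS: List[str] = [f"r{n:02d}" for n in range(1, 13)]


def _nearest_testable(lo: int, hi: int, skipped: Set[int]) -> Optional[int]:
    """Pick the untested revision strictly between lo and hi closest to the
    midpoint, walking outward past skipped ones; None if nothing is left."""
    mid = (lo + hi) // 2
    for offset in range(hi - lo):
        for cand in (mid - offset, mid + offset):
            if lo < cand < hi and cand not in skipped:
                return cand
    return None


def find_first_fixed(revisions: Sequence[str],
                     test: Callable[[str], str]) -> List[str]:
    """Return the narrowest run of revisions that must contain the fix.

    Assumes a monotone history: every revision before the fix crashes and
    every revision from the fix onward is fixed. The result has exactly one
    element when the fix could be pinned down, and several when the
    revisions next to it were untestable (git bisect reports the same
    ambiguity as a list of possible first-bad commits)."""
    if len(revisions) < 2:
        raise ValueError("need at least two revisions")
    if test(revisions[0]) != CRASHES or test(revisions[-1]) != FIXED:
        raise ValueError("oldest revision must crash and newest must be fixed")
    lo, hi = 0, len(revisions) - 1        # lo: known crashing, hi: known fixed
    skipped: Set[int] = set()
    while hi - lo > 1:
        probe = _nearest_testable(lo, hi, skipped)
        if probe is None:                 # only untestable revisions remain
            break
        verdict = test(revisions[probe])
        if verdict == CRASHES:
            lo = probe
        elif verdict == FIXED:
            hi = probe
        elif verdict == UNTESTABLE:
            skipped.add(probe)
        else:
            raise ValueError(f"unexpected verdict {verdict!r}")
    return list(revisions[lo + 1:hi + 1])


def make_oracle(fix_at: str, untestable: Set[str],
                log: List[str]) -> Callable[[str], str]:
    """Simulated reproducer (constructed): a real one would check out the
    revision, build sqlite3 and run the reproducer, reporting whether the
    process crashed. The constructed history is fixed from `fix_at` onward;
    `log` records every revision tested so the number of builds is visible."""
    def test(rev: str) -> str:
        log.append(rev)
        if rev in untestable:
            return UNTESTABLE
        return FIXED if rev >= fix_at else CRASHES
    return test


if __name__ == "__main__":
    tested: List[str] = []
    print(find_first_fixed(DEMO_REVISIONS, make_oracle("r08", {"r06"}, tested)))
    print(f"{len(tested)} builds instead of {len(DEMO_REVISIONS)}")
```

With twelve revisions and the fix at r08, the driver needs six builds (two to confirm the endpoints, four to narrow); when the revision just before the fix cannot be built, it returns both r07 and r08, which is the honest answer and the reason to keep the reproducer on hand for a manual check of the remaining candidates.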

Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Mon, 10 Jun 2019 17:06:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 10 Jun 2019 17:06:07 GMT)


Message #32 received at 928770-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 928770-close@bugs.debian.org
Subject: Bug#928770: fixed in sqlite3 3.27.2-3
Date: Mon, 10 Jun 2019 17:04:24 +0000
Source: sqlite3
Source-Version: 3.27.2-3

We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 01 Jun 2019 15:38:52 +0000
Source: sqlite3
Architecture: source
Version: 3.27.2-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 928770
Changes:
 sqlite3 (3.27.2-3) unstable; urgency=high
 .
   * Backport security related patches:
     - CVE-2019-8457: heap out-of-bound read in the rtreenode() function when
       handling invalid rtree tables,
     - prevent aliases of window functions expressions from being used as
       arguments to aggregate or other window functions (probably fixing
       CVE-2019-5018) (closes: #928770),
     - enforce the SQLITE_LIMIT_COLUMN limit on virtual tables (probably
       fixing most of CVE-2019-5827),
     - use the 64-bit memory allocator interfaces in extensions, whenever
       possible (probably additional fix for CVE-2019-5827).
Checksums-Sha1:
 a5c0057fde4e8959024610fe1078740908fceccd 2398 sqlite3_3.27.2-3.dsc
 feb345f5e9a20730d8839d8d22049b41e8033a26 30372 sqlite3_3.27.2-3.debian.tar.xz
 6adc6ddeaf0b145993df10bee55b09842b6db183 9077 sqlite3_3.27.2-3_amd64.buildinfo
Checksums-Sha256:
 4d8c953891d6268911aa273f8cb7c9e0bdd026c7918f6203fd019d3e16cea1cc 2398 sqlite3_3.27.2-3.dsc
 0a95abfc23baa8d0fa2ec7fc6b96f46e34c37f23ff540bc041eff111e6550af9 30372 sqlite3_3.27.2-3.debian.tar.xz
 5ffc0b2330dca6617c0cd54497e5a249f71703770f7300fb2355afef7bd9ac66 9077 sqlite3_3.27.2-3_amd64.buildinfo
Files:
 ec0bb67d9c1eef8e8d521bbc62937420 2398 devel optional sqlite3_3.27.2-3.dsc
 6320b89221e1b2698af7e8fde62eeb54 30372 devel optional sqlite3_3.27.2-3.debian.tar.xz
 7fba009d98e161cbdf195855f00dc565 9077 devel optional sqlite3_3.27.2-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlz+iXIACgkQ3OMQ54ZM
yL/HFhAApAxscToXYhv5lZlSVBs48VtszkXpcQidxmIWRZwGMGpO8yqUJ9lVXL8q
y2Q9Manr4/EsP2IiPdON/qkOUuS47HN0iI47BpXDbAV+7WIZ+IKur5f6RDQFjPlg
wowP/8d9HCysdXcvEmdZOxUP4Fkzc8LopndZdqmO78bK4WZZktDnVE7Il1bwTHby
BQyK1O8oIKCnhlZ5ibjzcjg57Dov9pA7K1Ww+DikJ2A9wykVf75RdbjZNRA6gd7V
QX+ihnfg7ou0+pbdFJdR+SCzGJ9hEfp8s8zD6zqPvmFomvk86Sg0Ru6qwSZhJq0g
z85FM4EPSo/zg0yQ/h4fAvSluWYCatxGGIJL27GN/o9mjN5qj7QCiprZAqskHgPG
4vrygsLcfKTLxpjJFodYUjdFwIhB6coup+poC2uAxkK4313H6qcWEKePEgJSTWSN
BXn20Ju9MT0mWpiXxCrmurOQsnP5vSLcE9Kop/Id661RG73/wFAqKw6+iJiLEyOD
zTQltgY1e8F8b7B5H9qSjcKUsbsVYKpbg5nukp4Iv7cXaTdf8C04ZhEbdE6/ToSA
Pc4vxvepv3q4Es8Lkjik7whHE09XGn3he5uVroCkji6DX+zwYuvSAKzhWIHhUYJ/
K6cdQkLxERfgnDyYaiXSBcfAr5fE0FmRqA7H9kUfpVFZbw/BRuE=
=k2dL
-----END PGP SIGNATURE-----
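To read an upload like the one above the way a reviewer would, here is an added example (not Debian's or dpkg's own code) that parses the .changes fields, pulls the CVE ids out of the Changes entry and cross-checks the file sizes between the Checksums-Sha1, Checksums-Sha256 and Files sections, the kind of sanity check that catches a mangled or partially edited file before the digests are verified against the archive. The embedded sample is constructed from the message above, trimmed to two of its three files, with the sizes and digests as printed there and the PGP framing omitted.

```python
"""Parse a Debian .changes file and cross-check its file lists.
Added example, not dpkg's or dak's code."""

import re
from typing import Dict, List, Tuple

# Constructed sample: the fields of the sqlite3 3.27.2-3 upload shown above,
# trimmed to two of its three files.
SAMPLE_CHANGES = """\
Format: 1.8
Date: Sat, 01 Jun 2019 15:38:52 +0000
Source: sqlite3
Architecture: source
Version: 3.27.2-3
Distribution: unstable
Urgency: high
Closes: 928770
Changes:
 sqlite3 (3.27.2-3) unstable; urgency=high
 .
   * Backport security related patches:
     - CVE-2019-8457: heap out-of-bound read in the rtreenode() function when
       handling invalid rtree tables,
     - prevent aliases of window functions expressions from being used as
       arguments to aggregate or other window functions (probably fixing
       CVE-2019-5018) (closes: #928770),
     - enforce the SQLITE_LIMIT_COLUMN limit on virtual tables (probably
       fixing most of CVE-2019-5827),
     - use the 64-bit memory allocator interfaces in extensions, whenever
       possible (probably additional fix for CVE-2019-5827).
Checksums-Sha1:
 a5c0057fde4e8959024610fe1078740908fceccd 2398 sqlite3_3.27.2-3.dsc
 feb345f5e9a20730d8839d8d22049b41e8033a26 30372 sqlite3_3.27.2-3.debian.tar.xz
Checksums-Sha256:
 4d8c953891d6268911aa273f8cb7c9e0bdd026c7918f6203fd019d3e16cea1cc 2398 sqlite3_3.27.2-3.dsc
 0a95abfc23baa8d0fa2ec7fc6b96f46e34c37f23ff540bc041eff111e6550af9 30372 sqlite3_3.27.2-3.debian.tar.xz
Files:
 ec0bb67d9c1eef8e8d521bbc62937420 2398 devel optional sqlite3_3.27.2-3.dsc
 6320b89221e1b2698af7e8fde62eeb54 30372 devel optional sqlite3_3.27.2-3.debian.tar.xz
"""

FILE_SECTIONS = ("Checksums-Sha1", "Checksums-Sha256", "Files")
EXPECTED_DIGEST_LEN = {"Checksums-Sha1": 40, "Checksums-Sha256": 64, "Files": 32}


def parse_control(text: str) -> Dict[str, str]:
    """Parse RFC822-style fields: a continuation line (leading whitespace)
    is appended to the previous field with its first character dropped."""
    fields: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key is not None:
            fields[key] += "\n" + line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def parse_file_lists(fields: Dict[str, str]) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Map each file section to {filename: (digest, size)}. Files has two
    extra columns (section, priority); the name is always the last one."""
    lists: Dict[str, Dict[str, Tuple[str, int]]] = {}
    for section in FILE_SECTIONS:
        entries: Dict[str, Tuple[str, int]] = {}
        for line in fields.get(section, "").splitlines():
            parts = line.split()
            if parts:
                entries[parts[-1]] = (parts[0], int(parts[1]))
        lists[section] = entries
    return lists


def check_consistency(lists: Dict[str, Dict[str, Tuple[str, int]]]) -> List[str]:
    """Report file sets that differ between sections, malformed digests and
    sizes that disagree with the Files section."""
    problems: List[str] = []
    reference = lists["Files"]
    for section, entries in lists.items():
        if set(entries) != set(reference):
            problems.append(f"{section}: file set differs from Files")
        for name, (digest, size) in entries.items():
            if len(digest) != EXPECTED_DIGEST_LEN[section] or not re.fullmatch(r"[0-9a-f]+", digest):
                problems.append(f"{section}: malformed digest for {name}")
            if name in reference and reference[name][1] != size:
                problems.append(f"{section}: size mismatch for {name}")
    return problems


def summarize(text: str) -> Dict[str, object]:
    """Source, version, closed bugs, CVE ids named in Changes, and problems."""
    fields = parse_control(text)
    return {
        "source": fields.get("Source", ""),
        "version": fields.get("Version", ""),
        "closes": [int(n) for n in fields.get("Closes", "").split()],
        "cves": sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", fields.get("Changes", "")))),
        "problems": check_consistency(parse_file_lists(fields)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CHANGES))
```

The digest check is only a format check; whether the digests match the bytes in the archive is a separate step that the archive software and `dscverify` perform, and the cross-section size check is what flags an edited or truncated line before that step runs.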




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Tue, 11 Jun 2019 04:18:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 Jun 2019 04:18:03 GMT)


Message #37 received at 928770@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 928770@bugs.debian.org
Subject: Re: Bug#928770 closed by Laszlo Boszormenyi (GCS) <gcs@debian.org> (Bug#928770: fixed in sqlite3 3.27.2-3)
Date: Tue, 11 Jun 2019 06:15:03 +0200
Hi Laszlo,

On Mon, Jun 10, 2019 at 05:06:07PM +0000, Debian Bug Tracking System wrote:
>  sqlite3 (3.27.2-3) unstable; urgency=high
>  .
>    * Backport security related patches:
[...]
>      - prevent aliases of window functions expressions from being used as
>        arguments to aggregate or other window functions (probably fixing
>        CVE-2019-5018) (closes: #928770),

Did you get any confirmation from upstream or from the TALOS project that this
one was the right fix to pick for the CVE-2019-5018 issue?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Tue, 11 Jun 2019 05:27:03 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 Jun 2019 05:27:03 GMT)


Message #42 received at 928770@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 928770@bugs.debian.org
Subject: Re: Bug#928770: closed by Laszlo Boszormenyi (GCS) <gcs@debian.org> (Bug#928770: fixed in sqlite3 3.27.2-3)
Date: Tue, 11 Jun 2019 07:24:06 +0200
Hi Salvatore,

On Tue, Jun 11, 2019 at 6:18 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Mon, Jun 10, 2019 at 05:06:07PM +0000, Debian Bug Tracking System wrote:
> >  sqlite3 (3.27.2-3) unstable; urgency=high
> >  .
> >    * Backport security related patches:
> [...]
> >      - prevent aliases of window functions expressions from being used as
> >        arguments to aggregate or other window functions (probably fixing
> >        CVE-2019-5018) (closes: #928770),
>
> Did you get any confirmation from upstream or from the TALOS project that this
> one was the right fix to pick for the CVE-2019-5018 issue?
I can't find a contact method for the TALOS project. Upstream says they
don't know what CVE-2019-5018 is, but I can assemble the PoC from the
TALOS report page. As they know / read the issue, it is fixed in
sqlite3 3.28.0 and I should use that, being tested in every sense by
their closed-source detailed test cases.
But upstream says that the commit (I've used for the package) is a
good-to-have fix for window functions.
Then it was asked publicly again, and all that upstream says about which
version / commit fixes this is: "it appears to be 3.28.0, as best as I
can tell"[1]. Anyone can interpret this as s/he would like. :-/

Regards,
Laszlo/GCS
[1] https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg115515.html



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#928770; Package src:sqlite3. (Tue, 11 Jun 2019 19:27:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 Jun 2019 19:27:07 GMT)


Message #47 received at 928770@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 928770@bugs.debian.org
Subject: Re: Bug#928770: closed by Laszlo Boszormenyi (GCS) <gcs@debian.org> (Bug#928770: fixed in sqlite3 3.27.2-3)
Date: Tue, 11 Jun 2019 21:24:57 +0200
Hi!

On Tue, Jun 11, 2019 at 07:24:06AM +0200, László Böszörményi (GCS) wrote:
> Hi Salvatore,
> 
> On Tue, Jun 11, 2019 at 6:18 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > On Mon, Jun 10, 2019 at 05:06:07PM +0000, Debian Bug Tracking System wrote:
> > >  sqlite3 (3.27.2-3) unstable; urgency=high
> > >  .
> > >    * Backport security related patches:
> > [...]
> > >      - prevent aliases of window functions expressions from being used as
> > >        arguments to aggregate or other window functions (probably fixing
> > >        CVE-2019-5018) (closes: #928770),
> >
> > Did you get any confirmation from upstream or from the TALOS project that this
> > one was the right fix to pick for the CVE-2019-5018 issue?
>  I can't find a contact method for the TALOS project. Upstream says they
> don't know what CVE-2019-5018 is, but I can assemble the PoC from the
> TALOS report page. As they know / read the issue, it is fixed in
> sqlite3 3.28.0 and I should use that, being tested in every sense by
> their closed-source detailed test cases.
> But upstream says that the commit (I've used for the package) is a
> good-to-have fix for window functions.
> Then it was asked publicly again, and all that upstream says about which
> version / commit fixes this is: "it appears to be 3.28.0, as best as I
> can tell"[1]. Anyone can interpret this as s/he would like. :-/

Okay, it is very sad that upstream is so non-transparent about this.

Thanks for your research and for your attempt at contact!

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:02:48 2019; Machine Name: buxtehude
