lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 14 Apr 2015 11:33:50 -0700
From: Michal Zalewski <>
To: "" <>
Cc: bugtraq <>
Subject: several issues in SQLite (+ catching up on several other bugs)

SQLite is probably the most popular embedded database in use today; it
is also known for being very well-tested and robust.

Because of its versatility, SQLite sometimes finds use as the
mechanism behind SQL-style query APIs that are exposed between
privileged execution contexts and less-trusted code. One example of
this is the WebDB / WebSQL mechanism available in some browsers; in
this setting, vulnerabilities in the SQLite parser can open up the
platform to attacks.

Anyway, long story short, I recently reported around 22 bugs in the
query parser, including the use of uninitialized memory when parsing
collation sequences:

...and bad free():

...and a stack buffer overflow:

Since all the fixes are already public and the issues are fixed in
3.8.9, but there's no upstream advisory, I figured I'd drop a note
here; if you're relying on SQLite in a way mentioned earlier on, you
may want to upgrade. There are no CVEs assigned for any of the above.

The aforementioned three bugs aside, the remaining 19 issues are
probably less interesting. They depend on "privileged" commands (e.g.,
ATTACH), only have DoS potential, or corrupt nominally boring areas of
memory (say, Some of
them may matter for escalating SQL injection to RCE. If you are
curious, you can check out docs/vuln_samples/sqlite_* shipping with
afl-fuzz for a complete set.

All of the above bugs were found with
after spending around 30 minutes to set up the job.

Peace out,


PS. Here's another, unrelated bug that may not have had a CVEs. It
affects browser <video> handling (H.264):

PPS. I haven't posted about this before, but here are three
recently-fixed issues affect PNG, JXR, and TIFF handling in MSIE,
leaking values from browser memory:

PPPS. Since we're on the topic of catching up, I would strongly advise
against using jxrlib, a Microsoft-developed open source library for
parsing JXR / HDP / WDP files (JPEG XR), a new image format supported
in Internet Explorer and Adobe Flash. It appears to have many
exploitable memory corruption errors that are discoverable with AFL. I
pinged them in December, but the maintainers weren't very responsive.
The bugs do not affect MSIE, since the OSS implementation appears to
be completely separate (huh). That said, they will affect ImageMagick
and similar programs if they are built with jxrlib support compiled
in. Since the library has fairly minimal install base, this note is
about as much effort as I think it warrants.


Powered by blists - more mailing lists