CVE-2021-20227 / Flaw in SQLite's Select Query functionality
(1) By anonymous on 2021-03-25 12:10:22
Hi *, while searching for open SQLite CVEs I found one that seems not to be addressed in https://sqlite.org/cves.html .

> If you notice new CVEs associated with SQLite that are not in the table below, please bring them to the attention of the developers on the SQLite Forum so they can be added.

So here is the heads up: https://nvd.nist.gov/vuln/detail/CVE-2021-20227

(Sorry if this is a dupe or already fixed, although a search for 20227 within this forum didn't yield anything.)

Regards, anon
(2) By Richard Hipp (drh) on 2021-03-25 12:43:05 in reply to 1
You didn't see the hyperlink in the CVE itself showing that the problem was fixed in SQLite version 3.34.1?
This "vulnerability" (if you can call it that) requires that the attacker be able to inject arbitrary SQL queries into the application. In other words, it requires a pre-existing SQL injection vulnerability. And the error causes a chunk of memory that had previously been passed to free() to be read (not written, just read) after it was freed. In theory, this might cause a segmentation fault. However, nobody has ever been able to demonstrate one. In practice, the fault appears to be completely harmless. It would be undetectable without MSAN or valgrind.
The check-in that fixed this problem is here: https://www.sqlite.org/src/info/f62f983b56623f0e
Documentation for this CVE has been queued up for inclusion in the next update since earlier this week. You can see the change here: https://www.sqlite.org/docsrc/vinfo/2706ba81b89c976c?diff=2
I just haven't pushed that change out to the website yet.