SQLite Forum

Reporting vulnerabilities

Reporting vulnerabilities

(1) By anonymous on 2021-04-16 17:50:22 [source]

Following CVE is listed in NIST and seem to affect SQLite. Thanks for including it in your list, together with your valuable comments. Since the score is high, it creates crisis between suppliers and customers.

CVE-2021-28305 (score 9.8)


Kemal Bayrakceken mehmetkemal.bayrakceken@altran.com

(2.1) By Keith Medcalf (kmedcalf) on 2021-04-16 19:14:47 edited from 2.0 in reply to 1 [link] [source]

An issue was discovered in the diesel crate before 1.4.6 for Rust. There is a use-after-free in the SQLite backend because the semantics of sqlite3_column_name are not followed.

That CVE references a programming error in the diesel crate before 1.4.6 for Rust.

We've misused sqlite3_column_name. The SQLite documentation states that the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we've first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalids the pointer and therefore the stored string slice.

This does not affect SQLite3, it affects the diesel crate before 1.4.6 for Rust.

(3) By anonymous on 2021-04-18 08:23:31 in reply to 2.1 [link] [source]

Thanks a lot for your feedback.

Bon dimanche!