The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of SQLite, Chrome: memory corruption via FTS3 Query

Synthesis of the vulnerability 

An attacker can generate a memory corruption via a FTS3 query of SQLite, in order to trigger a denial of service, and possibly to run code.
Vulnerable software: iOS by Apple, iPhone, Mac OS X, Debian, VNX Operating Environment, VNX Series, Fedora, FreeBSD, Android OS, Chrome, Juniper EX-Series, Juniper J-Series, Junos OS, MX-Series, PTX-Series, QFX-Series, SRX-Series, openSUSE Leap, Opera, Oracle DB, Oracle Fusion Middleware, Oracle OIT, WebLogic, RHEL, SQLite, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity of this announce: 3/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 17/12/2018.
Références of this computer vulnerability: cpuapr2020, cpuoct2020, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, DLA-1613-1, DLA-2340-1, DSA-2020-030, DSA-4352-1, FEDORA-2018-5f91fbf4fd, FEDORA-2018-ccbe8b931c, FEDORA-2019-49f80a78bc, FreeBSD-EN-19:03.sqlite, HT209443, HT209446, JSA11055, Magellan, openSUSE-SU-2018:4056-1, openSUSE-SU-2018:4122-1, openSUSE-SU-2018:4142-1, openSUSE-SU-2018:4143-1, openSUSE-SU-2019:1159-1, openSUSE-SU-2019:1222-1, RHSA-2018:3803-01, SUSE-SU-2019:0913-1, SUSE-SU-2019:0973-1, SUSE-SU-2019:14003-1, Synology-SA-18:61, USN-4019-1, USN-4019-2, VIGILANCE-VUL-28027.

Description of the vulnerability 

The FTS3/FTS4 extension of SQLite can be used to create tables with text indexes.

However, a series of special SQL queries using FTS3 triggers a memory corruption in the ext/fts3/fts3.c file. An access to a SQL session is thus needed for the attacker.

It can be noted that the Chrome browser supports SQL queries via WebSQL implemented with SQLite, so it is also vulnerable via a web page.

An attacker can therefore generate a memory corruption via a FTS3 query of SQLite, in order to trigger a denial of service, and possibly to run code.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security vulnerability impacts software or systems such as iOS by Apple, iPhone, Mac OS X, Debian, VNX Operating Environment, VNX Series, Fedora, FreeBSD, Android OS, Chrome, Juniper EX-Series, Juniper J-Series, Junos OS, MX-Series, PTX-Series, QFX-Series, SRX-Series, openSUSE Leap, Opera, Oracle DB, Oracle Fusion Middleware, Oracle OIT, WebLogic, RHEL, SQLite, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.

Our Vigil@nce team determined that the severity of this computer weakness bulletin is important.

The trust level is of type confirmed by the editor, with an origin of document.

This bulletin is about 3 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a technician ability can exploit this security note.

Solutions for this threat 

SQLite: version 3.26.0.
The version 3.26.0 is fixed:
  https://sqlite.org/download.html

Chrome: version 71.0.3578.80.
The version 71.0.3578.80 is fixed:
  https://www.google.fr/chrome/

Apple iOS: version 12.1.3.
The version 12.1.3 is fixed:
  https://support.apple.com/

Apple macOS: version 10.14.3.
The version 10.14.3 is fixed:
  https://support.apple.com/

Debian 8: new sqlite3 packages.
New packages are available:
  Debian 8: sqlite3 3.8.7.1-1+deb8u3

Debian 9: new chromium-browser packages.
New packages are available:
  Debian 9: chromium-browser 71.0.3578.80-1~deb9u1

Debian 9: new sqlite3 packages.
New packages are available:
  Debian 9: sqlite3 3.16.2-5+deb9u2

Dell EMC VNXe3200: version 3.1.11.10003441.
The version 3.1.11.10003441 is fixed:
  https://www.dell.com/support/

Fedora 29: new mingw-sqlite packages.
New packages are available:
  Fedora 29: mingw-sqlite 3.26.0.0-1.fc29

Fedora 29: new spatialite-tools packages.
New packages are available:
  Fedora 29: spatialite-tools 4.3.0-31.fc29

Fedora: new sqlite packages.
New packages are available:
  Fedora 28: sqlite 3.22.0-5.fc28
  Fedora 29: sqlite 3.26.0-1.fc29

FreeBSD: patch for sqlite.
A patch is indicated in information sources.

Google Android/Pixel: patch for March 2019.
A patch is indicated in information sources.

Junos OS: fixed versions for SQLite.
Fixed versions are indicated in information sources.

openSUSE Leap 15.0: new chromium packages (10/12/2018).
New packages are available:
  openSUSE Leap 15.0: chromium 71.0.3578.80-lp150.2.30.1
  SUSE LE 15 RTM: chromium 71.0.3578.80-bp150.2.23.1

openSUSE Leap 15.0: new chromium packages (17/12/2018).
New packages are available:
  openSUSE Leap 15.0: chromium 71.0.3578.98-lp150.2.33.1
  SUSE LE 15 RTM: chromium 71.0.3578.98-bp150.2.26.1

openSUSE Leap 15.0: new sqlite3 packages.
New packages are available:
  openSUSE Leap 15.0: sqlite3 3.27.2-lp150.2.3.1

openSUSE Leap 42.3: new chromium packages.
New packages are available:
  openSUSE Leap 42.3: chromium 71.0.3578.98-189.1

openSUSE Leap 42.3: new sqlite3 packages.
New packages are available:
  openSUSE Leap 42.3: sqlite3 3.8.10.2-11.3.1

Opera: version 57.0.3098.106.
The version 57.0.3098.106 is fixed:
  https://www.opera.com/

Opera: version 58.
The version 58 is fixed:
  https://net.geo.opera.com/opera/stable

Oracle Database: CPU of October 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2694898.1

Oracle Fusion Middleware: CPU of April 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2633852.1

RHEL 6.10: new chromium-browser packages.
New packages are available:
  RHEL 6: chromium-browser 71.0.3578.80-1.el6_10

SUSE LE 11 SP3/4: new sqlite3 packages.
New packages are available:
  SUSE LE 11 SP4: sqlite3 3.7.6.3-1.4.7.3.1
  SUSE LE 11 SP4: sqlite3 3.7.6.3-1.4.7.3.1

SUSE LE 12: new chromium packages.
New packages are available:
  SUSE LE 12 RTM-SP3: chromium 71.0.3578.98-80.1

SUSE LE 12: new sqlite3 packages.
New packages are available:
  SUSE LE 12 SP1: sqlite3 3.8.10.2-9.3.1
  SUSE LE 12 SP2: sqlite3 3.8.10.2-9.3.1
  SUSE LE 12 SP3: sqlite3 3.8.10.2-9.3.1
  SUSE LE 12 SP4: sqlite3 3.8.10.2-9.3.1

SUSE LE 12 RTM: new sqlite3 packages.
New packages are available:
  SUSE LE 12 RTM: sqlite3 3.8.3.1-2.7.1

Synology: solution for SQLite.
See VIGILANCE-SOL-65409.

Ubuntu: new sqlite3 packages.
New packages are available:
  Ubuntu 19.04: sqlite3 3.27.2-2ubuntu0.1
  Ubuntu 18.10: sqlite3 3.24.0-1ubuntu0.1
  Ubuntu 18.04 LTS: sqlite3 3.22.0-1ubuntu0.1
  Ubuntu 16.04 LTS: sqlite3 3.11.0-1ubuntu1.2
  Ubuntu 14.04 ESM: sqlite3 3.8.2-1ubuntu2.2+esm1
  Ubuntu 12.04 ESM: sqlite3 3.7.9-2ubuntu1.3

Wind River Linux: solution (21/05/2019).
The solution is indicated in information sources.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides network vulnerability bulletins. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.