Bugzilla – Bug 928702
VUL-1: CVE-2015-3416: sqlite3,sqlite2: sqlite3VXPrintf precision and width handling vulnerability
Last modified: 2021-10-28 07:56:22 UTC
The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416
http://www.cvedetails.com/cve/CVE-2015-3416/
http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920
http://www.sqlite.org/releaselog/3_8_9.html

bug CVE-2015-3414, bug CVE-2015-3415 and bug CVE-2015-3416 go together.
bug 928700, bug 928701, bug 928702 all affect the query parser. This is typically only exposed to queries not supplied by users/remotely, except in WebDB / WebSQL-like systems, mentioned in http://seclists.org/fulldisclosure/2015/Apr/31
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages by 2016-07-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62888
Back to max for cross-verification of whether we fixed this.
Created attachment 823274: upstream patch. Source: https://www.sqlite.org/src/info/c494171f77dc2e5e
sles11 sp2 sqlite3 is not affected, as the precision is bound to the stack buffer size: if( precision>etBUFSIZE/2-10 ) precision = etBUFSIZE/2-10; while in later versions it no longer is (sqlite transitions to a malloced buffer). The security bug was that the transition to the malloced buffer did not handle integer overflow cases between precision + width.
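Added illustration (editor's example, not code from this bug, the upstream patch or SQLite's printf.c) of the sizing logic the previous comment describes: the old clamp that keeps precision within the stack buffer, the later pattern where precision + width is summed in a 32-bit int before deciding between the stack buffer and a malloced one, and a checked 64-bit version. The etBUFSIZE name and the clamp expression are quoted from the comment; the +15 slack, the function names, the allocator limit and the int64 fix are assumptions made for the example. Nothing here writes into a buffer; it only computes the sizes a formatter would pick, so the wrapped value can be inspected safely.

```c
/* Constructed model of the printf buffer sizing discussed in this bug.
 * Not SQLite's printf.c: etBUFSIZE and the clamp are from the comment,
 * SLACK, the names and the 64-bit fix are assumptions for illustration. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define etBUFSIZE 70   /* stack scratch buffer of the formatter (size assumed) */
#define SLACK     15   /* room for sign, point, exponent, NUL (assumed) */

enum buf_choice { BUF_STACK, BUF_HEAP, BUF_REJECT };

/* Pre-malloc behaviour (sles11 sp2 in the comment): precision is clamped
 * so the conversion always fits the stack buffer. Returns the precision used. */
static int clamp_precision(int precision) {
    if( precision>etBUFSIZE/2-10 ) precision = etBUFSIZE/2-10;
    return precision;
}

/* Two's-complement wrap of a 64-bit value into a 32-bit int, done with
 * defined arithmetic so the model itself has no undefined behaviour. */
static int wrap_to_int32(int64_t v) {
    v &= 0xFFFFFFFFLL;                      /* keep the low 32 bits */
    if (v > INT32_MAX) v -= 0x100000000LL;  /* reinterpret as signed */
    return (int)v;
}

/* Vulnerable pattern: the required length is summed in a 32-bit int.
 * For large precision/width the sum wraps negative, the "fits the stack
 * buffer" test passes, and the real conversion would then write
 * precision+width bytes into a small stack array. */
static enum buf_choice choose_buffer_buggy(int precision, int width, int *needed) {
    *needed = wrap_to_int32((int64_t)precision + width + SLACK);
    if (*needed <= etBUFSIZE) return BUF_STACK;
    return BUF_HEAP;                        /* malloc(*needed) in a real formatter */
}

/* Checked pattern: reject negatives, sum in 64 bits, refuse sizes the
 * allocator cannot honour. A wrapped size can no longer look small. */
static enum buf_choice choose_buffer_fixed(int precision, int width, int64_t *needed) {
    if (precision < 0 || width < 0) return BUF_REJECT;
    *needed = (int64_t)precision + (int64_t)width + SLACK;
    if (*needed <= etBUFSIZE) return BUF_STACK;
    if (*needed > INT_MAX)     return BUF_REJECT;  /* allocator limit (assumed) */
    return BUF_HEAP;
}

int main(void) {
    int n32;
    int64_t n64;
    int p = INT_MAX, w = 100;   /* the "large integers" from the CVE text */

    printf("clamped precision (old code): %d\n", clamp_precision(p));
    choose_buffer_buggy(p, w, &n32);
    printf("buggy needed=%d -> negative, so it 'fits' the stack buffer\n", n32);
    choose_buffer_fixed(p, w, &n64);
    printf("fixed needed=%lld -> rejected\n", (long long)n64);
    return 0;
}
```

Feeding INT_MAX as precision and 100 as width, the 32-bit sum lands at -2147483534 and the buggy chooser selects the stack buffer, which is the overflow the CVE describes; the 64-bit version sees 2147483762 and rejects the request. With small values (say 50 and 10) both choosers agree on a 75-byte heap buffer, which is why the bug only shows up for attacker-sized arguments.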