Bugzilla – Bug 936835
VUL-0: CVE-2015-3659: sqlite3,sqlite2: SQLite Default Value Authorization Bypass Vulnerability
Last modified: 2015-07-27 10:57:31 UTC
via ZDI: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SQLite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of DEFAULT expressions for column values. The issue lies in the ability to create a table that will execute privileged functions by specifying a DEFAULT value for a column and then inserting into the table. An attacker can leverage this vulnerability to execute restricted SQL statements under the context of the current process.

I found zero references to this in the sqlite upstream project? And why does it link to Apple for an update?

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3659
http://www.zerodayinitiative.com/advisories/ZDI-15-291/
https://support.apple.com/de-de/HT204950

> WebKit Storage
>
> Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3
>
> Impact: Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution
>
> Description: An insufficient comparison issue existed in SQLite authorizer which allowed invocation of arbitrary SQL functions. This issue was addressed with improved authorization checks.
>
> CVE-2015-3659 : Peter Rutenbar working with HP's Zero Day Initiative

Is SQLite authorizer specific to the OS X platform, or do we ship this in this or a similar form?
The SQLite authorizer is generic. It is a callback mechanism for allowing or denying the execution of SQL code from untrusted sources:

https://www.sqlite.org/c3ref/set_authorizer.html

But it looks to me like the problem was in the callbacks that OSX uses with the authorizer rather than in the authorizer code itself, because upstream hasn't touched the respective source file since 2009.

I will cross-check this with the author.
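To illustrate what such a callback looks like, here is an added example that is not from this bug, from SQLite or from Apple's code. It uses Python's standard-library sqlite3 binding: the callback keeps a constructed allow-list of SQL functions, lowercases the reported name before comparing (SQLite resolves function names case-insensitively), and also probes the DEFAULT-expression path from the ZDI description so that the returned `seen` list shows whether the SQLite build in use consults the authorizer for a function that is named at CREATE TABLE time but evaluated at INSERT time.

```python
import sqlite3

# Constructed allow-list for this example: SQL functions untrusted SQL may call.
ALLOWED_FUNCTIONS = {"length", "upper", "lower"}


def make_authorizer(seen):
    """Authorizer callback for sqlite3.Connection.set_authorizer. SQLite calls it
    while compiling each statement; for SQLITE_FUNCTION the name is in arg2.
    Names are lowercased before the allow-list check because SQLite resolves
    function names case-insensitively, so the check must not depend on the
    case in which a function was registered or written."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_FUNCTION:
            name = (arg2 or "").lower()
            seen.append(name)            # record what the authorizer was asked about
            if name in ALLOWED_FUNCTIONS:
                return sqlite3.SQLITE_OK
            return sqlite3.SQLITE_DENY   # statement fails to compile: not authorized
        return sqlite3.SQLITE_OK         # every other action is allowed in this example
    return authorizer


def run_untrusted(statements):
    """Run statements on a guarded in-memory database. Returns (outcomes, seen):
    outcomes is a list of (sql, "ok" or error text); seen is every function name
    the authorizer was consulted about, in order."""
    seen, outcomes = [], []
    conn = sqlite3.connect(":memory:")
    conn.set_authorizer(make_authorizer(seen))
    for sql in statements:
        try:
            conn.execute(sql)
            outcomes.append((sql, "ok"))
        except sqlite3.DatabaseError as exc:   # SQLITE_AUTH surfaces as DatabaseError
            outcomes.append((sql, str(exc)))
    conn.close()
    return outcomes, seen


def probe():
    """Direct function calls plus the DEFAULT-expression path from the advisory."""
    return run_untrusted([
        "SELECT upper('abc')",   # on the allow-list: ok
        "SELECT hex('abc')",     # not on the list: denied
        "SELECT HEX('abc')",     # same function, different case: must be denied too
        # Named at CREATE time, evaluated at INSERT time: 'seen' shows if it is reported.
        "CREATE TABLE t(id INTEGER, v DEFAULT (hex('abc')))",
        "INSERT INTO t(id) VALUES (1)",
    ])
```

Call `probe()` and compare the last two outcomes with the tail of `seen`: if no further "hex" entry appears after the direct SELECTs, the function inside the DEFAULT expression was never shown to the authorizer on this build.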
bugbot adjusting priority
(In reply to Reinhard Max from comment #2)
> The SQLite authorizer is generic. It is a callback mechanism for allowing or
> denying the execution of SQL code from untrusted sources:
>
> https://www.sqlite.org/c3ref/set_authorizer.html
>
> But it looks to me like the problem was in the callbacks that OSX uses with
> the authorizer rather than in the authorizer code itself, because upstream
> hasn't touched the respective source file since 2009.
>
> I will cross-check this with the author.

Did you get anything?
Here's the conversation from today:

--- snip ---
> as the maintainer of the SQLite RPMs on SUSE, I am currently faced
> with a bug report concerning CVE-2015-3659[0].
>
> From the CVE's description it looks to me like the bug was in Apple's
> authorizer callback rather than SQLite's authorization mechanism, can
> anyone confirm this?

Your email was the first time we (the SQLite developers) have heard of this issue. We have no additional information. It sounds, as you say, like Apple's callback was misimplemented and that this is not a fault within SQLite.
--- snap ---
Thanks, rejecting as not affecting the GNU/Linux platform.