Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-11655: SQLite: Check-in [4a302b42c7]

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object’s initialization is mishandled.

CVE
#sql#dos

Overview

Comment:

In the event of a semantic error in an aggregate query, early-out the resetAccumulator() function to prevent problems due to incomplete or incorrect initialization of the AggInfo object. Fix for ticket [af4556bb5c285c08].

Downloads:

Tarball | ZIP archive | SQL archive

Timelines:

family | ancestors | descendants | both | trunk

Files:

files | file ages | folders

SHA3-256:

4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441

User & Date:

drh on 2020-04-03 13:19:03

Other Links:

manifest | tags

Context

2020-04-03

16:11

Add a test case to fuzzdata8.db for the recent Henry Liu bugs. (check-in: 42b02454b1 user: drh tags: trunk)

15:48

Merge updates from trunk. (check-in: 348c40136c user: drh tags: bytecode-function)

13:39

Do not suppress errors when resolving references in an ORDER BY clause belonging to a compound SELECT within a view or trigger within ALTER TABLE. Fix for ticket [a10a14e9b4ba2]. Also, in the event of a semantic error in an aggregate query, early-out the resetAccumulator() function to prevent problems due to incomplete or incorrect initialization of the AggInfo object. Fix for ticket [af4556bb5c285c08]. (check-in: b64674919f user: drh tags: branch-3.31)

13:19

In the event of a semantic error in an aggregate query, early-out the resetAccumulator() function to prevent problems due to incomplete or incorrect initialization of the AggInfo object. Fix for ticket [af4556bb5c285c08]. (check-in: 4a302b42c7 user: drh tags: trunk)

11:52

Do not suppress errors when resolving references in an ORDER BY clause belonging to a compound SELECT within a view or trigger within ALTER TABLE. Fix for ticket [a10a14e9b4ba2]. (check-in: 684293882c user: dan tags: trunk)

Changes

Modified src/select.c from [6908c059e4] to [fd38aa7f87].

5384 5385 5386 5387 5388 5389 5390

5391 5392 5393 5394 5395 5396 5397

*/ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){ Vdbe *v = pParse->pVdbe; int i; struct AggInfo_func *pFunc; int nReg = pAggInfo->nFunc + pAggInfo->nColumn; if( nReg==0 ) return;

#ifdef SQLITE_DEBUG /* Verify that all AggInfo registers are within the range specified by ** AggInfo.mnReg…AggInfo.mxReg */ assert( nReg==pAggInfo->mxReg-pAggInfo->mnReg+1 ); for(i=0; i<pAggInfo->nColumn; i++){ assert( pAggInfo->aCol[i].iMem>=pAggInfo->mnReg && pAggInfo->aCol[i].iMem<=pAggInfo->mxReg );

5384 5385 5386 5387 5388 5389 5390 5391 5392 5393 5394 5395 5396 5397 5398

*/ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){ Vdbe *v = pParse->pVdbe; int i; struct AggInfo_func *pFunc; int nReg = pAggInfo->nFunc + pAggInfo->nColumn; if( nReg==0 ) return; if( pParse->nErr ) return; #ifdef SQLITE_DEBUG /* Verify that all AggInfo registers are within the range specified by ** AggInfo.mnReg…AggInfo.mxReg */ assert( nReg==pAggInfo->mxReg-pAggInfo->mnReg+1 ); for(i=0; i<pAggInfo->nColumn; i++){ assert( pAggInfo->aCol[i].iMem>=pAggInfo->mnReg && pAggInfo->aCol[i].iMem<=pAggInfo->mxReg );

Modified test/window1.test from [879a1928c9] to [ec792f92e6].

1649 1650 1651 1652 1653 1654 1655 1656 1657

1658

WHERE a=1 OR ((SELECT sum(a) OVER(ORDER BY a%8)) AND 10<=a) } {10.0}

do_execsql_test 50.5 { SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM (SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM t1 NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)))OVER(ORDER BY a% 1 )) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND 10<=a)))OVER(ORDER BY a%5)) AND a<=10); } {10.0}

finish_test

| |

1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666

WHERE a=1 OR ((SELECT sum(a) OVER(ORDER BY a%8)) AND 10<=a) } {10.0}

do_execsql_test 50.5 { SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM (SELECT * FROM (SELECT * FROM t1 NATURAL JOIN t1 WHERE a%1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum((SELECT * FROM t1 NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND a<=10)))OVER(ORDER BY a% 1 )) AND a<=10)) NATURAL JOIN t1 WHERE a=1 OR ((SELECT sum(a)OVER(ORDER BY a)) AND 10<=a)))OVER(ORDER BY a%5)) AND a<=10); } {10.0}

# 2020-04-03 ticket af4556bb5c285c08

reset_db do_catchsql_test 51.1 { CREATE TABLE a(b, c); SELECT c FROM a GROUP BY c HAVING(SELECT(sum(b) OVER(ORDER BY b), sum(b) OVER(PARTITION BY min(DISTINCT c), c ORDER BY b))); } {1 {row value misused}} finish_test

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907