Headline
CVE-2015-3415: SQLite: Check-in [02e3c88f]
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
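The failure mode the advisory describes, as an added example that is not SQLite's code: a small C model of a VDBE register (`Mem`) whose ownership bit (`MEM_Dyn`) records whether its text buffer must be released through a destructor. The flag values, the `Mem` fields, `stringify()`, `model_xDel()` and both `restore_*()` helpers are constructed for this illustration; the fixed variant uses the same bit-merge the check-in adds to vdbe.c (keep the saved type bits, take the remaining bits from the register as it is after stringification).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits loosely modelled on SQLite's Mem.flags. The numeric values are
 * constructed for this example; the real definitions live in vdbeInt.h. */
#define MEM_Str      0x0002u
#define MEM_Int      0x0004u
#define MEM_TypeMask 0x001fu  /* hypothetical: the bits that name the value's type */
#define MEM_Dyn      0x0400u  /* z must be released by calling xDel(z) */

typedef struct Mem {
    unsigned flags;
    long long i;            /* integer value when MEM_Int is set */
    char *z;                /* text value when MEM_Str is set */
    void (*xDel)(void *);   /* destructor for z, used only when MEM_Dyn is set */
    char zInline[32];       /* stand-in for the buffer SQLite keeps in zMalloc */
} Mem;

/* Model bookkeeping: the one pointer the destructor may legitimately free,
 * and a count of destructor calls on any other pointer. */
static void *g_owned_ptr;
static int g_invalid_frees;

static void model_xDel(void *p) {
    if (p != NULL && p == g_owned_ptr) {
        free(p);
        g_owned_ptr = NULL;
    } else {
        g_invalid_frees++;  /* real code would free memory it does not own */
    }
}

/* Stand-in for sqlite3VdbeMemStringify(): drop the destructor-owned buffer,
 * render the integer into the inline buffer and retag the Mem as text.
 * The inline buffer is not owned via xDel, so MEM_Dyn is cleared. */
static void stringify(Mem *p) {
    if (p->flags & MEM_Dyn) p->xDel(p->z);
    snprintf(p->zInline, sizeof p->zInline, "%lld", p->i);
    p->z = p->zInline;
    p->flags = (p->flags & ~(MEM_TypeMask | MEM_Dyn)) | MEM_Str;
}

/* Pre-fix restore: write the flags saved before the affinity change back. */
static unsigned restore_buggy(unsigned saved, unsigned current) {
    (void)current;
    return saved;
}

/* Post-fix restore: keep the saved type bits, take everything else
 * (including MEM_Dyn) from the register as it is now. */
static unsigned restore_fixed(unsigned saved, unsigned current) {
    return (current & ~MEM_TypeMask) | (saved & MEM_TypeMask);
}

/* Scenario: a register typed as integer that still owns its original text
 * buffer through xDel, converted to text for a comparison, then "undone".
 * Returns how many times the final release called xDel on a pointer it
 * does not own; 0 means the ownership bit survived the round trip intact. */
static int invalid_frees_after(unsigned (*restore)(unsigned, unsigned)) {
    Mem m;
    memset(&m, 0, sizeof m);
    m.z = malloc(3);
    if (m.z == NULL) return -1;
    memcpy(m.z, "42", 3);          /* constructed: buffer owned via xDel */
    m.xDel = model_xDel;
    m.i = 42;
    m.flags = MEM_Int | MEM_Dyn;   /* numeric affinity kept the buffer attached */
    g_owned_ptr = m.z;
    g_invalid_frees = 0;

    unsigned saved = m.flags;      /* what the opcode remembers as flags1 */
    stringify(&m);                 /* TEXT affinity applied for the comparison */
    m.flags = restore(saved, m.flags);

    /* Later release of the register trusts MEM_Dyn to decide whether xDel runs. */
    if (m.flags & MEM_Dyn) m.xDel(m.z);
    return g_invalid_frees;
}

int main(void) {
    printf("pre-fix restore: %d invalid free(s)\n", invalid_frees_after(restore_buggy));
    printf("fixed restore:   %d invalid free(s)\n", invalid_frees_after(restore_fixed));
    return 0;
}
```

In the pre-fix run the restore writes `MEM_Dyn` back onto a register whose destructor-owned buffer was already released during stringification, so the later release hands the inline buffer to a destructor that does not own it; the model counts that call instead of freeing. The fixed run restores only the type bits, and the release leaves the inline buffer alone.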
Context
2015-05-20 19:44  Ensure that comparison operators do not mess up the MEM_Dyn flag on registers when reverting affinity changes. Cherrypick of [02e3c88fbf6a]. (check-in: 4125477e user: dan tags: branch-3.8.6)
2015-03-31 13:46  Add the “mptest” target to Makefile.msc (check-in: 1e814e0b user: drh tags: trunk)
2015-03-31 11:42  Ensure that comparison operators do not mess up the MEM_Dyn flag on registers when reverting affinity changes. (check-in: 02e3c88f user: drh tags: trunk)
2015-03-30 23:43  Prevent a possible infinite loop when trying to DROP a table from a corrupt database. (check-in: 395bb3e6 user: drh tags: trunk)
Changes
Modified src/vdbe.c from [bbfede5a] to [86ae6f47].
︙
Lines 1916-1934 of [bbfede5a] (before):
applyNumericAffinity(pIn3,0);
}
}else if( affinity==SQLITE\_AFF\_TEXT ){
if( (pIn1->flags & MEM\_Str)==0 && (pIn1->flags & (MEM\_Int|MEM\_Real))!=0 ){
testcase( pIn1->flags & MEM\_Int );
testcase( pIn1->flags & MEM\_Real );
sqlite3VdbeMemStringify(pIn1, encoding, 1);
}
if( (pIn3->flags & MEM\_Str)==0 && (pIn3->flags & (MEM\_Int|MEM\_Real))!=0 ){
testcase( pIn3->flags & MEM\_Int );
testcase( pIn3->flags & MEM\_Real );
sqlite3VdbeMemStringify(pIn3, encoding, 1);
}
}
assert( pOp->p4type==P4\_COLLSEQ || pOp->p4.pColl==0 );
if( pIn1->flags & MEM\_Zero ){
sqlite3VdbeMemExpandBlob(pIn1);
flags1 &= ~MEM\_Zero;
}
Lines 1916-1938 of [86ae6f47] (after):
applyNumericAffinity(pIn3,0);
}
}else if( affinity==SQLITE\_AFF\_TEXT ){
if( (pIn1->flags & MEM\_Str)==0 && (pIn1->flags & (MEM\_Int|MEM\_Real))!=0 ){
testcase( pIn1->flags & MEM\_Int );
testcase( pIn1->flags & MEM\_Real );
sqlite3VdbeMemStringify(pIn1, encoding, 1);
testcase( (flags1&MEM\_Dyn) != (pIn1->flags&MEM\_Dyn) );
flags1 = (pIn1->flags & ~MEM\_TypeMask) | (flags1 & MEM\_TypeMask); }
if( (pIn3->flags & MEM\_Str)==0 && (pIn3->flags & (MEM\_Int|MEM\_Real))!=0 ){
testcase( pIn3->flags & MEM\_Int );
testcase( pIn3->flags & MEM\_Real );
sqlite3VdbeMemStringify(pIn3, encoding, 1);
testcase( (flags3&MEM\_Dyn) != (pIn3->flags&MEM\_Dyn) );
flags3 = (pIn3->flags & ~MEM\_TypeMask) | (flags3 & MEM\_TypeMask); }
}
assert( pOp->p4type==P4\_COLLSEQ || pOp->p4.pColl==0 );
if( pIn1->flags & MEM\_Zero ){
sqlite3VdbeMemExpandBlob(pIn1);
flags1 &= ~MEM\_Zero;
}
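Review bot: the merge `flags1 = (pIn1->flags & ~MEM_TypeMask) | (flags1 & MEM_TypeMask);` (and its flags3 twin) is applied only on the SQLITE_AFF_TEXT path, while the numeric path at the top of the hunk (`applyNumericAffinity(pIn3,0);`) leaves flags1/flags3 untouched; a short comment stating that applyNumericAffinity() is relied on not to change the MEM_Dyn ownership bit would make that asymmetry deliberate rather than something the next reader has to verify. The two new testcase() lines document the intent, but the expression itself deserves a one-line comment ("keep the saved type bits, take the ownership bits from the stringified value"), since the restore at the end of the opcode depends on it.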
︙
Lines 1957-1971 of [bbfede5a] (before):
}else{ VdbeBranchTaken(res!=0, (pOp->p5 & SQLITE_NULLEQ)?2:3); if( res ){ pc = pOp->p2-1; } } /* Undo any changes made by applyAffinity() to the input registers. */
pIn1->flags = flags1;
pIn3->flags = flags3; break; }
/* Opcode: Permutation * * * P4 * ** ** Set the permutation used by the OP_Compare operator to be the array
Lines 1961-1977 of [86ae6f47] (after):
}else{ VdbeBranchTaken(res!=0, (pOp->p5 & SQLITE_NULLEQ)?2:3); if( res ){ pc = pOp->p2-1; } } /* Undo any changes made by applyAffinity() to the input registers. */ assert( (pIn1->flags & MEM_Dyn) == (flags1 & MEM_Dyn) ); pIn1->flags = flags1; assert( (pIn3->flags & MEM_Dyn) == (flags3 & MEM_Dyn) ); pIn3->flags = flags3; break; }
/* Opcode: Permutation * * * P4 * ** ** Set the permutation used by the OP_Compare operator to be the array
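Review bot: the two added assert() calls only guard debug builds; in a release build `pIn1->flags = flags1;` and `pIn3->flags = flags3;` still overwrite whatever sqlite3VdbeMemStringify() did to MEM_Dyn, so correctness rests entirely on flags1/flags3 having been updated earlier in the opcode. The comment `/* Undo any changes made by applyAffinity() to the input registers. */` should state that flags1/flags3 are expected to already carry the register's current MEM_Dyn state, so a future edit to the affinity branches does not silently reintroduce the mismatch these asserts detect.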
︙