Hi,

sqlite3's DSA-3252-1 concerns three CVEs: CVE-2015-3414, CVE-2015-3415 and CVE-2015-3416. I've taken a look at how they impact wheezy and squeeze, and as far as I can see, backporting CVE-2015-3414 and CVE-2015-3415 is not so trivial and I'm not sure if they affect the old stable releases. However, CVE-2015-3416 affects wheezy and I've backported the attached patch.

For the moment, I've been unable to reproduce the segfault in squeeze: the code prevents overflowing when it converts floating points, but the fix can be backported to add extra protection. Still, I'd like to hear a second opinion. What do you think?

Cheers,

Santiago
Description: guard against excessive width and precision in floating-point conversions in the printf routines The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement. This patch has been backported from the sqlite3 package in Jessie Bug-Debian: https://bugs.debian.org/783968 Author: D. Richard Hipp Origin: upstream, http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920 Last-Update: 2015-06-07 --- --- a/src/printf.c +++ b/src/printf.c @@ -417,7 +417,7 @@ for(idx=precision, rounder=0.4999; idx>0; idx--, rounder*=0.1); #else /* It makes more sense to use 0.5 */ - for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){} + for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){} #endif if( xtype==etFLOAT ) realvalue += rounder; /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */ @@ -470,8 +470,9 @@ }else{ e2 = exp; } - if( e2+precision+width > etBUFSIZE - 15 ){ - bufpt = zExtra = sqlite3Malloc( e2+precision+width+15 ); + if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){ + bufpt = zExtra + = sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 ); if( bufpt==0 ){ pAccum->mallocFailed = 1; return; --- a/src/sqliteInt.h +++ b/src/sqliteInt.h @@ -389,6 +389,12 @@ #endif /* + * ** Macros to compute minimum and maximum of two numbers. + * */ +#define MIN(A,B) ((A)<(B)?(A):(B)) +#define MAX(A,B) ((A)>(B)?(A):(B)) + +/* ** Check to see if this machine uses EBCDIC. (Yes, believe it or ** not, there are still machines out there that use EBCDIC.) */ --- a/test/printf.test +++ b/test/printf.test 
@@ -526,6 +526,9 @@ do_test printf-2.1.2.9 { sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20 } {abc: 1 1 (1e-20) :xyz} +do_test printf-2.1.2.10 { + sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20 +} {abc: } do_test printf-2.1.3.1 { sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0 } {abc: (1.0) :xyz}
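Review bot: in the printf.c @@ -417 hunk, `precision&0xfff` bounds only the loop that computes `rounder`; `precision` itself is left untouched for the later digit emission, so this hunk on its own does not shorten the output, it only caps the loop at 4095 iterations. Since `rounder` reaches 0.0 long before 4095 multiplications by 0.1, the mask does not change the rounding result for any precision, but that reasoning is not visible in the code; a one-line comment next to the mask would spare the next backporter from wondering why 0xfff is safe.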
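Review bot: in the printf.c @@ -470 hunk the sum is widened to i64 for the comparison, but the widened value is then handed straight to sqlite3Malloc, so whether an oversized request is actually refused depends on the parameter type of sqlite3Malloc in the wheezy tree. If it still takes an int, the i64 argument is narrowed at the call (for the width 2000000000 and precision 1000000000 used by the new test the request is 3000000015 bytes, which does not fit in 32 bits) and the guard rests entirely on sqlite3Malloc rejecting the narrowed value. Please check the prototype in src/malloc.c when applying this to wheezy and, if it is int, add an explicit bound check before the call rather than relying on the allocator's behaviour.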
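Review bot: in the sqliteInt.h hunk, MIN is added but nothing in this patch uses it (only MAX is referenced in printf.c), and both macros are defined unconditionally; wrapping them in `#ifndef MIN` / `#ifndef MAX` would avoid a redefinition warning should another header in the tree already define them. The two added comment lines also carry a stray leading `* ` (`+ * ** Macros to compute minimum and maximum of two numbers.`, `+ * */`) that does not match the `**` comment style of the surrounding block; worth checking whether that is an artifact of mailing the patch or is really in the file to be applied.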
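Review bot: the new printf-2.1.2.10 test expects `{abc: }`, i.e. the `%*.*f` conversion emits nothing at all; given the `mallocFailed = 1; return;` path in the @@ -470 hunk, that is presumably the allocation for the oversized buffer failing and sqlite3VXPrintf returning early, not a formatting result. A short comment in the test stating that the empty output is the expected allocation failure, and that the test exists to check "no crash" rather than correct formatting, would make the intent clear to whoever reads the test file without the CVE context.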
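To make the integer-overflow mechanism from the description concrete, here is an added example (my own code, not sqlite's and not part of Santiago's patch) that models the buffer-size decision before and after the fix with the same inputs as the new printf-2.1.2.10 test. It assumes etBUFSIZE is 350 bytes, the size of the stack buffer in sqlite's printf.c, and it emulates the 32-bit wraparound of the pre-patch `int` addition explicitly through uint32_t, because signed overflow is undefined behaviour in C and cannot be relied upon to wrap. It also includes the patched `precision&0xfff` rounder loop to show why the mask does not change the rounding result.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: sqlite's etBUFSIZE is SQLITE_PRINT_BUF_SIZE, 350 bytes, the size
 * of the on-stack buffer used whenever no heap buffer is allocated. */
#define etBUFSIZE 350
#define MAX(A,B) ((A)>(B)?(A):(B))

/* Model the pre-patch test `e2+precision+width > etBUFSIZE - 15` with the int
 * arithmetic it used. Signed overflow is undefined in C, so the 32-bit wrap a
 * typical build produces is emulated through uint32_t instead of relied upon.
 * Returns 1 if the heap path would be taken, 0 if the stack buffer would be. */
int needs_extra_buffer_wrapping(int e2, int precision, int width) {
    uint32_t u = (uint32_t)e2 + (uint32_t)precision + (uint32_t)width;
    int64_t wrapped = (int64_t)u;
    if (wrapped > INT32_MAX) wrapped -= 4294967296LL; /* two's complement view */
    return wrapped > etBUFSIZE - 15;
}

/* The patched test: widen to 64 bits and clamp a negative exponent to 0. */
int needs_extra_buffer_fixed(int e2, int precision, int width) {
    return MAX(e2, 0) + (int64_t)precision + (int64_t)width > etBUFSIZE - 15;
}

/* Size the patched code requests from the allocator on the heap path. */
int64_t fixed_alloc_size(int e2, int precision, int width) {
    return MAX(e2, 0) + (int64_t)precision + (int64_t)width + 15;
}

/* The patched rounder loop with the precision&0xfff bound on its iteration
 * count. rounder underflows to 0.0 after roughly 324 multiplications, so any
 * precision beyond that yields the same rounder with or without the mask. */
double rounder_for(int precision) {
    int idx;
    double rounder;
    for (idx = precision & 0xfff, rounder = 0.5; idx > 0; idx--, rounder *= 0.1) {}
    return rounder;
}

int main(void) {
    /* Constructed inputs mirroring the new test: %*.*f with width 2000000000,
     * precision 1000000000 and the value 1.0e-20, whose decimal exponent e2
     * is -20 after normalisation to 10.0 > realvalue >= 1.0. */
    int e2 = -20, precision = 1000000000, width = 2000000000;
    printf("pre-patch heap path taken: %d\n",
           needs_extra_buffer_wrapping(e2, precision, width));
    printf("patched heap path taken:   %d\n",
           needs_extra_buffer_fixed(e2, precision, width));
    printf("patched request size:      %lld bytes\n",
           (long long)fixed_alloc_size(e2, precision, width));
    printf("rounder for precision 5000: %g\n", rounder_for(5000));
    return 0;
}
```

With the wrapped sum the pre-patch check sees a negative number, concludes the 350-byte stack buffer is large enough and then writes a billion digits into it; the widened check sends the same request to the allocator, where a request of about 3 GB fails and the conversion is abandoned, which is the empty output the new test expects.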