
[sqlite3] About backporting DSA-3252-1 fixes to wheezy and squeeze



Hi,

sqlite3's DSA-3252-1 concerns three CVEs: CVE-2015-3414, CVE-2015-3415
and CVE-2015-3416. I've taken a look at how they impact wheezy and
squeeze, and as far as I can see, backporting CVE-2015-3414 and
CVE-2015-3415 is not so trivial and I'm not sure if they affect the old
stable releases.

However, CVE-2015-3416 affects wheezy and I've backported the attached
patch. For the moment, I've been unable to reproduce the segfault in
squeeze; the code prevents overflowing when it converts floating-points,
but the fix can be backported to add extra protection. That said, I'd
like to hear a second opinion.
What do you think?

Cheers,

Santiago
Description: guard against excessive width and precision in floating-point conversions in the printf routines
 The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not
 properly handle precision and width values during floating-point conversions,
 which allows context-dependent attackers to cause a denial of service
 (integer overflow and stack-based buffer overflow) or possibly have
 unspecified other impact via large integers in a crafted printf function call
 in a SELECT statement.
 This patch has been backported from the sqlite3 package in Jessie.
Bug-Debian: https://bugs.debian.org/783968
Author: D. Richard Hipp
Origin: upstream, http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920
Last-Update: 2015-06-07

---

--- a/src/printf.c
+++ b/src/printf.c
@@ -417,7 +417,7 @@
         for(idx=precision, rounder=0.4999; idx>0; idx--, rounder*=0.1);
 #else
         /* It makes more sense to use 0.5 */
-        for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
+        for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
 #endif
         if( xtype==etFLOAT ) realvalue += rounder;
         /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
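Review bot: only the `#else` branch gets the `&0xfff` bound; the `for(idx=precision, rounder=0.4999; idx>0; idx--, rounder*=0.1);` loop in the other preprocessor branch (the first context line of this hunk) still iterates `precision` times, so a build that takes that branch keeps spinning for a huge `%.*f` precision. Apply the same bound there. Separately, `precision&0xfff` wraps rather than clamps: a precision of exactly 4096 leaves idx=0 and rounder=0.5, so the following `realvalue += rounder` rounds differently than for 4095 or 4097. `MIN(precision,0xfff)`, using the macro this same patch adds to sqliteInt.h, bounds the loop without that discontinuity.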
@@ -470,8 +470,9 @@
         }else{
           e2 = exp;
         }
-        if( e2+precision+width > etBUFSIZE - 15 ){
-          bufpt = zExtra = sqlite3Malloc( e2+precision+width+15 );
+        if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){
+          bufpt = zExtra
+              = sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 );
           if( bufpt==0 ){
             pAccum->mallocFailed = 1;
             return;
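Review bot: the widened `(i64)` sum is passed straight to `sqlite3Malloc()`; check that function's prototype in the wheezy and squeeze trees before shipping this. If it still takes `int` there, the 64-bit value is narrowed again at the call, and for width=2000000000, precision=1000000000 the only thing standing between the caller and a small buffer is the allocator refusing a negative or oversized request. If that is the case, widen the allocator's parameter in the same backport, or add an explicit upper bound on `MAX(e2,0)+(i64)precision+(i64)width+15` before the call so the check here does not depend on allocator policy.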
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -389,6 +389,12 @@
 #endif
 
 /*
+ * ** Macros to compute minimum and maximum of two numbers.
+ * */
+#define MIN(A,B) ((A)<(B)?(A):(B))
+#define MAX(A,B) ((A)>(B)?(A):(B))
+
+/*
 ** Check to see if this machine uses EBCDIC.  (Yes, believe it or
 ** not, there are still machines out there that use EBCDIC.)
 */
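Review bot: the comment block is mangled in the backport: the added lines `+ * ** Macros to compute minimum and maximum of two numbers.` and `+ * */` carry a stray ` * ` in front of the `**` that this header uses for comment bodies (compare the `** Check to see if this machine uses EBCDIC` block right below). Upstream reads `** Macros to compute minimum and maximum of two numbers.` followed by a plain `*/`; keep that form so the comment style stays consistent. Also, these are unguarded defines: if any other file in the tree already defines `MIN`/`MAX` with a different body the build will warn on redefinition, so either wrap them in `#ifndef MIN` / `#ifndef MAX` or grep the tree before applying.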
--- a/test/printf.test
+++ b/test/printf.test
@@ -526,6 +526,9 @@
 do_test printf-2.1.2.9 {
   sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
 } {abc: 1 1 (1e-20) :xyz}
+do_test printf-2.1.2.10 {
+  sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
+} {abc: }
 do_test printf-2.1.3.1 {
   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
 } {abc: (1.0) :xyz}
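Review bot: the expected result `{abc: }` is an indirect assertion: it says the conversion was dropped, which only happens when the roughly 3 GB allocation (`width+precision+15`) fails and `mallocFailed` is set. That outcome depends on sqlite3Malloc rejecting the request, not on the arithmetic being fixed; on a build that allowed the allocation the test would instead try to produce a 2,000,000,000-character string. Please note in the test or the patch header that this is what `{abc: }` relies on. The case also exercises only the `%f` width/precision path of the second printf.c hunk; a companion test with a very large precision and `%e` or `%g` would cover the `precision&0xfff` loop bound from the first hunk, which this file otherwise leaves untested.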

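As an added illustration (not part of Santiago's mail, the Debian patch, or the SQLite sources), the following C program models the size check that the second printf.c hunk replaces and shows why the old form is bypassable: `e2+precision+width` in `int` wraps to a negative number for the width and precision used in the new test case, so the conversion stays on the fixed stack buffer even though it is about to emit two billion characters. It also shows what a negative `e2` does to the unclamped sum and what happens if the widened size is narrowed back to `int` at the allocator. `ET_BUFSIZE` is taken as 70 (SQLite's default `SQLITE_PRINT_BUF_SIZE`), the allocator cap of `0x7fffff00` mirrors the refusal policy in `sqlite3Malloc`, and `bytes_to_emit` is a deliberate simplification of the real digit count; all three are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not SQLite's printf.c. SQLite's etBUFSIZE is
 * SQLITE_PRINT_BUF_SIZE, 70 bytes of stack buffer per conversion
 * (assumed value for this example). */
#define ET_BUFSIZE 70

/* Signed overflow is undefined in C, so the wraparound the pre-fix check
 * suffers is reproduced with unsigned arithmetic to keep it well-defined. */
static int wrapping_sum3(int a, int b, int c) {
    return (int)((unsigned)a + (unsigned)b + (unsigned)c);
}

/* Shape of the removed line: int arithmetic, e2 may be negative.
 * Returns 1 if the conversion must move to a heap buffer, 0 to stay on
 * the ET_BUFSIZE-byte stack buffer. */
int needs_heap_buffer_before(int e2, int precision, int width) {
    return wrapping_sum3(e2, precision, width) > ET_BUFSIZE - 15;
}

/* Shape of the added line: clamp e2 at 0 and widen to 64 bits before
 * adding, so neither a negative exponent nor a huge width/precision can
 * make the sum look small. */
int needs_heap_buffer_after(int e2, int precision, int width) {
    int64_t e2c = e2 > 0 ? e2 : 0;
    return (e2c + (int64_t)precision + (int64_t)width) > ET_BUFSIZE - 15;
}

/* Rough count of bytes a %*.*f conversion would then write: at least the
 * field width, and at least precision digits plus a few for sign and
 * point. Simplified on purpose; the real digit logic is more involved. */
int64_t bytes_to_emit(int precision, int width) {
    int64_t digits = (int64_t)precision + 3;
    return digits > width ? digits : width;
}

/* What an allocator whose prototype takes `int` does to the widened size:
 * the conversion from an out-of-range int64_t is implementation-defined,
 * and on the usual two's-complement targets yields a negative number. */
int narrowed_alloc_arg(int64_t n) {
    return (int)n;
}

/* Model of an allocator that refuses sizes <= 0 or >= 0x7fffff00, the
 * policy this example assumes for sqlite3Malloc. */
int alloc_accepts(int64_t n) {
    return n > 0 && n < 0x7fffff00;
}

int main(void) {
    /* The width and precision from the new printf-2.1.2.10 test case. */
    int e2 = 0, precision = 1000000000, width = 2000000000;
    int64_t request = (int64_t)precision + width + 15;

    printf("before fix: heap? %d   after fix: heap? %d\n",
           needs_heap_buffer_before(e2, precision, width),
           needs_heap_buffer_after(e2, precision, width));
    printf("bytes the conversion would emit: %lld into a %d-byte buffer\n",
           (long long)bytes_to_emit(precision, width), ET_BUFSIZE);
    printf("narrowed request: %d   allocator accepts: %d\n",
           narrowed_alloc_arg(request), alloc_accepts(request));
    /* Negative exponent: the old sum lets a 60-digit precision stay on
     * the stack, the clamped sum does not. */
    printf("e2=-5, precision=60: before %d, after %d\n",
           needs_heap_buffer_before(-5, 60, 0),
           needs_heap_buffer_after(-5, 60, 0));
    return 0;
}
```

The interesting pair is the first line of output: the pre-fix check answers "stay on the stack" for a conversion that would write two billion bytes, and the post-fix check answers "go to the heap", where the oversized request is then refused by the allocator cap rather than silently narrowed.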