Vulnerabilities > CVE-2019-19959

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
sqlite
canonical
nessus

Summary

ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1810.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1810 advisory. - sqlite: fts3: improve shadow table corruption detection (CVE-2019-13752) - sqlite: fts3: incorrectly removed corruption check (CVE-2019-13753) - sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference (CVE-2019-19923) - sqlite: incorrect sqlite3WindowRewrite() error handling leads to mishandling certain parser-tree rewriting (CVE-2019-19924) - sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive (CVE-2019-19925) - sqlite: mishandles certain uses of INSERT INTO in situations involving embedded
    last seen2020-04-30
    modified2020-04-28
    plugin id136056
    published2020-04-28
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136056
    titleRHEL 8 : sqlite (RHSA-2020:1810)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1810. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136056);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29");
    
      script_cve_id(
        "CVE-2019-8457",
        "CVE-2019-13752",
        "CVE-2019-13753",
        "CVE-2019-19923",
        "CVE-2019-19924",
        "CVE-2019-19925",
        "CVE-2019-19959"
      );
      script_xref(name:"RHSA", value:"2020:1810");
    
      script_name(english:"RHEL 8 : sqlite (RHSA-2020:1810)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1810 advisory.
    
      - sqlite: fts3: improve shadow table corruption detection
        (CVE-2019-13752)
    
      - sqlite: fts3: incorrectly removed corruption check
        (CVE-2019-13753)
    
      - sqlite: mishandling of certain uses of SELECT DISTINCT
        involving a LEFT JOIN in flattenSubquery in select.c
        leads to a NULL pointer dereference (CVE-2019-19923)
    
      - sqlite: incorrect sqlite3WindowRewrite() error handling
        leads to mishandling certain parser-tree rewriting
        (CVE-2019-19924)
    
      - sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a
        NULL pathname during an update of a ZIP archive
        (CVE-2019-19925)
    
      - sqlite: mishandles certain uses of INSERT INTO in
        situations involving embedded '\0' characters in
        filenames (CVE-2019-19959)
    
      - sqlite: heap out-of-bound read in function rtreenode()
        (CVE-2019-8457)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/476.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/391.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/626.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/125.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1810");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-13752");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-13753");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19923");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19924");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19925");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19959");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-8457");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1716881");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1781999");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1782000");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1788842");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1788846");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1788866");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1789595");
      script_set_attribute(attribute:"solution", value:
    "Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8457");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(20, 125, 391, 476, 626);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8::baseos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:lemon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sqlite-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sqlite-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sqlite-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sqlite-libs");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'lemon-3.26.0-6.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'lemon-3.26.0-6.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'lemon-3.26.0-6.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'sqlite-3.26.0-6.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'sqlite-3.26.0-6.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'sqlite-3.26.0-6.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'sqlite-3.26.0-6.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'sqlite-debugsource-3.26.0-6.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'sqlite-debugsource-3.26.0-6.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'sqlite-debugsource-3.26.0-6.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'sqlite-debugsource-3.26.0-6.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'sqlite-devel-3.26.0-6.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'sqlite-devel-3.26.0-6.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'sqlite-devel-3.26.0-6.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'sqlite-devel-3.26.0-6.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'sqlite-doc-3.26.0-6.el8', 'release':'8'},
        {'reference':'sqlite-libs-3.26.0-6.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'sqlite-libs-3.26.0-6.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'sqlite-libs-3.26.0-6.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'sqlite-libs-3.26.0-6.el8', 'cpu':'x86_64', 'release':'8'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'lemon / sqlite / sqlite-debugsource / etc');
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-2_0-0204_SQLITE.NASL
    descriptionAn update of the sqlite package has been released.
    last seen2020-03-17
    modified2020-02-06
    plugin id133500
    published2020-02-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133500
    titlePhoton OS 2.0: Sqlite PHSA-2020-2.0-0204
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0055_SQLITE.NASL
    descriptionAn update of the sqlite package has been released.
    last seen2020-03-17
    modified2020-02-06
    plugin id133506
    published2020-02-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133506
    titlePhoton OS 3.0: Sqlite PHSA-2020-3.0-0055
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4298-1.NASL
    descriptionIt was discovered that SQLite incorrectly handled certain shadow tables. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-13734, CVE-2019-13750, CVE-2019-13753) It was discovered that SQLite incorrectly handled certain corrupt records. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-13751) It was discovered that SQLite incorrectly handled certain queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10. (CVE-2019-19880) It was discovered that SQLite incorrectly handled certain queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-19923) It was discovered that SQLite incorrectly handled parser tree rewriting. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10. (CVE-2019-19924) It was discovered that SQLite incorrectly handled certain ZIP archives. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-19925, CVE-2019-19959) It was discovered that SQLite incorrectly handled errors during parsing. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-19926) It was discovered that SQLite incorrectly handled parsing errors. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-20218) It was discovered that SQLite incorrectly handled generated column optimizations. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2020-9327). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2020-03-11
    plugin id134402
    published2020-03-11
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134402
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.10 : sqlite3 vulnerabilities (USN-4298-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1180.NASL
    descriptionAccording to the versions of the sqlite packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.(CVE-2019-19926) - flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).(CVE-2019-19923) - SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.(CVE-2019-19924) - zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.(CVE-2019-19925) - In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.(CVE-2019-9936) - In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.(CVE-2019-9937) - selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.(CVE-2019-20218) - ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded
    last seen2020-05-03
    modified2020-02-25
    plugin id134014
    published2020-02-25
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134014
    titleEulerOS 2.0 SP8 : sqlite (EulerOS-SA-2020-1180)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1364.NASL
    descriptionAccording to the versions of the sqlite packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.(CVE-2019-9937) - In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.(CVE-2019-9936) - zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.(CVE-2019-19925) - SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.(CVE-2019-19924) - flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).(CVE-2019-19923) - multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.(CVE-2019-19926) - selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.(CVE-2019-20218) - ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded
    last seen2020-04-07
    modified2020-04-02
    plugin id135151
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135151
    titleEulerOS Virtualization for ARM 64 3.0.6.0 : sqlite (EulerOS-SA-2020-1364)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0270_SQLITE.NASL
    descriptionAn update of the sqlite package has been released.
    last seen2020-03-17
    modified2020-02-06
    plugin id133503
    published2020-02-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133503
    titlePhoton OS 1.0: Sqlite PHSA-2020-1.0-0270

Redhat

rpms
  • lemon-0:3.26.0-6.el8
  • lemon-debuginfo-0:3.26.0-6.el8
  • sqlite-0:3.26.0-6.el8
  • sqlite-analyzer-debuginfo-0:3.26.0-6.el8
  • sqlite-debuginfo-0:3.26.0-6.el8
  • sqlite-debugsource-0:3.26.0-6.el8
  • sqlite-devel-0:3.26.0-6.el8
  • sqlite-doc-0:3.26.0-6.el8
  • sqlite-libs-0:3.26.0-6.el8
  • sqlite-libs-debuginfo-0:3.26.0-6.el8
  • sqlite-tcl-debuginfo-0:3.26.0-6.el8