@seth There's an error regarding the SQLite version number in the CVE
text. It should read "in SQLite before 3.17.0" (and not 3.11.0)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sqlite3 in Ubuntu.
https://bugs.launchpad.net/bugs/1700937

Title:
  Heap-buffer overflow in nodeAcquire

Status in sqlite3 package in Ubuntu:
  New

Bug description:
  A heap-buffer overflow (sometimes a crash) can arise when running a
  SQL request on malformed sqlite3 databases such as the one attached to
  this ticket.

  {{{
  $ valgrind sqlite3 clusterfuzz-testcase-minimized-4960347410661376 "SELECT pkid FROM 'idx_byte_metadata_geometry' WHERE xmax > 0 AND xmin < 0 AND ymax > 0 AND ymin < 0"
  ==21234== Memcheck, a memory error detector
  ==21234== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
  ==21234== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
  ==21234== Command: sqlite3 clusterfuzz-testcase-minimized-4960347410661376 SELECT\ pkid\ FROM\ 'idx_byte_metadata_geometry'\ WHERE\ xmax\ \>\ 0\ AND\ xmin\ \<\ 0\ AND\ ymax\ \>\ 0\ AND\ ymin\ \<\ 0
  ==21234== Invalid read of size 1
  ==21234==    at 0x1B3945: nodeAcquire (in /usr/bin/sqlite3)
  ==21234==    by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
  ==21234==    by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
  ==21234==    by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
  ==21234==    by 0x11886F: shell_exec.constprop.12 (in /usr/bin/sqlite3)
  ==21234==    by 0x114693: main (in /usr/bin/sqlite3)
  ==21234==  Address 0x5ae5b00 is 0 bytes after a block of size 48 alloc'd
  ==21234==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==21234==    by 0x14C176: sqlite3MemMalloc (in /usr/bin/sqlite3)
  ==21234==    by 0x128380: sqlite3Malloc (in /usr/bin/sqlite3)
  ==21234==    by 0x1B38DF: nodeAcquire (in /usr/bin/sqlite3)
  ==21234==    by 0x1B5056: rtreeFilter (in /usr/bin/sqlite3)
  ==21234==    by 0x186EAA: sqlite3VdbeExec (in /usr/bin/sqlite3)
  ==21234==    by 0x190316: sqlite3_step (in /usr/bin/sqlite3)
  ==21234==    by 0x11886F: shell_exec.constprop.12 (in /usr/bin/sqlite3)
  ==21234==    by 0x114693: main (in /usr/bin/sqlite3)
  }}}

  This bug is no longer reproducible with sqlite3 3.17 or later.

  {{{
  $ valgrind ~/install-sqlite-3.17.0/bin/sqlite3 clusterfuzz-testcase-minimized-4960347410661376 "SELECT pkid FROM 'idx_byte_metadata_geometry' WHERE xmax > 0 AND xmin < 0 AND ymax > 0 AND ymin < 0"
  ==21265== Memcheck, a memory error detector
  ==21265== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
  ==21265== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
  ==21265== Command: /home/even/install-sqlite-3.17.0/bin/sqlite3 clusterfuzz-testcase-minimized-4960347410661376 SELECT\ pkid\ FROM\ 'idx_byte_metadata_geometry'\ WHERE\ xmax\ \>\ 0\ AND\ xmin\ \<\ 0\ AND\ ymax\ \>\ 0\ AND\ ymin\ \<\ 0
  ==21265== 
  Error: database disk image is malformed
  }}}

  This bug was originally uncovered by OSS-Fuzz when running on the
  GDAL library, which uses libsqlite3:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405 (content
  not viewable during the grace period)

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: sqlite3 3.11.0-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-79.100-generic 4.4.67
  Uname: Linux 4.4.0-79-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.20.1-0ubuntu2.6
  Architecture: amd64
  CurrentDesktop: GNOME-Flashback:Unity
  Date: Wed Jun 28 11:18:29 2017
  InstallationDate: Installed on 2016-11-04 (235 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
  SourcePackage: sqlite3
  UpgradeStatus: No upgrade log present (probably fresh install)
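Added example, not part of the bug report: a defender-side gate for handing untrusted SQLite files to an application that links libsqlite3. It refuses to query when the linked library predates the fixed release (taken as 3.17.0, per the correction in this thread) and otherwise pre-checks the file header and runs PRAGMA integrity_check read-only, treating any DatabaseError as a failure. The helper names, the `version` override parameter and the constructed sample files are assumptions for illustration.

```python
import os
import sqlite3
import tempfile

# Fixed release as corrected in the thread (the CVE text's 3.11.0 is wrong).
FIXED_VERSION = (3, 17, 0)
SQLITE_MAGIC = b"SQLite format 3\x00"  # documented 16-byte file header prefix


def library_is_patched(version=None):
    """True if libsqlite3 (the runtime one unless overridden) is >= 3.17.0."""
    v = tuple(version) if version is not None else sqlite3.sqlite_version_info
    return v >= FIXED_VERSION


def header_looks_sane(path):
    """Cheap pre-check before any parsing: the file must carry the SQLite magic."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def integrity_ok(path):
    """PRAGMA integrity_check over a read-only URI connection; any DatabaseError
    (e.g. 'file is not a database') or a non-'ok' result counts as failure."""
    try:
        con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
        try:
            rows = con.execute("PRAGMA integrity_check").fetchall()
        finally:
            con.close()
    except sqlite3.DatabaseError:
        return False
    return rows == [("ok",)]


def safe_to_query(path, version=None):
    """Gate: only run queries (R-tree ones included) on an untrusted file when
    the library carries the fix and the file passes both checks."""
    return library_is_patched(version) and header_looks_sane(path) and integrity_ok(path)


def make_sample_files():
    """Constructed sample input: a valid DB plus a copy whose header is zeroed."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "good.db"), os.path.join(d, "bad.db")
    con = sqlite3.connect(good)
    con.execute("CREATE TABLE t(x)")
    con.execute("INSERT INTO t VALUES (1)")
    con.commit()
    con.close()
    data = bytearray(open(good, "rb").read())
    data[:16] = b"\x00" * 16  # corrupt the header so SQLite rejects the file
    open(bad, "wb").write(data)
    return good, bad
```

The version gate is the real mitigation here; the file checks only reject grossly damaged input and do not make an unpatched library safe on a crafted database.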


-- 
Mailing list: https://launchpad.net/~touch-packages