SB2017100225 - Heap-based buffer overflow in sqlite (Alpine package)
Published: October 2, 2017
Security Bulletin ID
SB2017100225
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Heap-based buffer overflow (CVE-ID: CVE-2017-10989)
The vulnerability allows a local user to crash the application or gain access to sensitive data.
The vulnerability exists due to a boundary error in the getNodeSize() function in ext/rtree/rtree.c when handling undersized RTree blobs. A local user can supply a specially crafted database to the affected application, trigger heap-based out of bounds read and crash the application or gain access to sensitive data.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=d0e6ab95d3bd62ff2a28b3f6bfbbc29a01b4c70e
- https://git.alpinelinux.org/aports/commit/?id=fce8469b84986c40de6a743e86f8b87430b168dd
- https://git.alpinelinux.org/aports/commit/?id=fdb75990b02bc777508a5a27ce0a01f817a98630
- https://git.alpinelinux.org/aports/commit/?id=0e92484dd3ebdd8c9d7a7bc37c0c2e58a50d4f3a
- https://git.alpinelinux.org/aports/commit/?id=a507c7f7a82e3b9b26ce174796a611ba6f29fd15