Heap-based buffer overflow in sqlite (Alpine package)



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-10989
CWE-ID CWE-122
Exploitation vector Local
Public exploit N/A
Vulnerable software
 sqlite (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Heap-based buffer overflow

EUVDB-ID: #VU18574

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-10989

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local user to crash the application or gain access to sensitive data.

The vulnerability exists due to a boundary error in the getNodeSize() function in ext/rtree/rtree.c when handling undersized RTree blobs. A local user can supply a specially crafted database to the affected application, trigger heap-based out of bounds read and crash the application or gain access to sensitive data.


Mitigation

Install update from vendor's website.

Vulnerable software versions

sqlite (Alpine package): 3.8.10.2-r0 - 3.20.0-r0

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=d0e6ab95d3bd62ff2a28b3f6bfbbc29a01b4c70e
https://git.alpinelinux.org/aports/commit/?id=fce8469b84986c40de6a743e86f8b87430b168dd
https://git.alpinelinux.org/aports/commit/?id=fdb75990b02bc777508a5a27ce0a01f817a98630
https://git.alpinelinux.org/aports/commit/?id=0e92484dd3ebdd8c9d7a7bc37c0c2e58a50d4f3a
https://git.alpinelinux.org/aports/commit/?id=a507c7f7a82e3b9b26ce174796a611ba6f29fd15


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###