SB2019101150 - Division by zero in sqlite (Alpine package)
Published: October 11, 2019 Updated: June 20, 2021
Security Bulletin ID
SB2019101150
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Division by zero (CVE-ID: CVE-2019-16168)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a division by zero error within the whereLoopAddBtreeIndex in sqlite3.c due to improper input validation in the sqlite_stat1 sz field. A remote attacker can pass specially crafted data to the application, trigger division by zero error and crash the vulnerable application.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=0aa5cea84fa7029c83cff7e6fab3046d80aa65e0
- https://git.alpinelinux.org/aports/commit/?id=1833ad9258bf53ebd1f42ccecc5bbf2696c7e19a
- https://git.alpinelinux.org/aports/commit/?id=18528a54c8a02fb5f59a2e8fb70ec0b83486acc6
- https://git.alpinelinux.org/aports/commit/?id=d5f87185a9e0878348a7b8340fbff4677e23d996