[v3.0] sqlite: does not properly implement the dequoting of collation-sequence names or comparison operators and does not properly handle precision and width values during floating-point conversions (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)
The following vulnerabilities were published for sqlite3.
CVE-2015-3414:
| SQLite before 3.8.9 does not properly implement the dequoting of
| collation-sequence names, which allows context-dependent attackers to
| cause a denial of service (uninitialized memory access and application
| crash) or possibly have unspecified other impact via a crafted COLLATE
| clause, as demonstrated by COLLATE"""""""" at the end of a SELECT
| statement.
CVE-2015-3415:
| The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not
| properly implement comparison operators, which allows
| context-dependent attackers to cause a denial of service (invalid free
| operation) or possibly have unspecified other impact via a crafted
| CHECK clause, as demonstrated by CHECK in a CREATE TABLE
| statement.
CVE-2015-3416:
| The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does
| not properly handle precision and width values during floating-point
| conversions, which allows context-dependent attackers to cause a
| denial of service (integer overflow and stack-based buffer overflow)
| or possibly have unspecified other impact via large integers in a
| crafted printf function call in a SELECT statement.
Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783968
(from redmine: issue id 4305, created on 2015-06-12, closed on 2015-08-07)
- Relations:
- parent #4303 (closed)
- Changesets:
- Revision 3cdb045a by Natanael Copa on 2015-08-07T07:47:40Z:
main/sqlite: security upgrade to 3.8.10.2
CVE-2015-3414 use of uninitialized memory when parsing collation
sequences in src/where.c
CVE-2015-3415 invalid free() in src/vdbe.c
CVE-2015-3416 stack buffer overflow in src/printf.c
fixes #4305