A high-severity vulnerability has been disclosed within the SQLite database library, which was launched as a part of a code change relationship all the best way again to October 2000 and will allow attackers to crash or management packages.
Tracked as CVE-2022-35737 (CVSS rating: 7.5), the 22-year-old subject impacts SQLite variations 1.0.12 via 3.39.1, and has been addressed in model 3.39.2 launched on July 21, 2022.
“CVE-2022-35737 is exploitable on 64-bit methods, and exploitability is dependent upon how this system is compiled,” Path of Bits researcher Andreas Kellas stated in a technical write-up printed at present.
“Arbitrary code execution is confirmed when the library is compiled with out stack canaries, however unconfirmed when stack canaries are current, and denial-of-service is confirmed in all instances.”
Programmed in C, SQLite is the most generally used database engine, included by default in Android, iOS, Home windows, and macOS, in addition to widespread internet browsers similar to Google Chrome, Mozilla Firefox, and Apple Safari.
The vulnerability found by Path of Bits considerations an integer overflow bug that happens when extraordinarily giant string inputs are handed as parameters to the SQLite implementations of the printf features, which, in flip, make use of one other perform to deal with the string formatting (“sqlite3_str_vappendf“).
Nonetheless, a profitable weaponization of the flaw banks on the prerequisite that the string incorporates the %Q, %q, or %w format substitution varieties, probably resulting in a program crash when user-controlled information is written past the bounds of a stack-allocated buffer.
“If the format string incorporates the ‘!’ particular character to allow unicode character scanning, then it’s attainable to attain arbitrary code execution within the worst case, or to trigger this system to hold and loop (practically) indefinitely,” Kellas defined.
The vulnerability can be an instance of a state of affairs that was as soon as deemed impractical a long time in the past — allocating 1GB strings as enter — rendered possible with the appearance of 64-bit computing methods.
“It is a bug that will not have appeared like an error on the time that it was written (relationship again to 2000 within the SQLite supply code) when methods have been primarily 32-bit architectures,” Kellas stated.
