oss-sec mailing list archives
SQLite Tempdir Selection Vulnerability
From: Andreas Stieger <astieger () suse com>
Date: Fri, 1 Jul 2016 19:46:27 +0200
Posted on FD:
KL-001-2016-003 : SQLite Tempdir Selection Vulnerability

Title: SQLite Tempdir Selection Vulnerability
Advisory ID: KL-001-2016-003
Publication Date: 2016.07.01
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

1. Vulnerability Details
Affected Vendor: SQLite/Hwaci
Affected Product: SQLite
Affected Version: All versions prior to 3.13.0
Platform: UNIX, GNU/Linux
CWE Classification: CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
Impact: Data Leakage
Attack vector: Local
Release notes say:
Change the temporary directory search algorithm <http://www.sqlite.org/tempfiles.html#tempdir> on Unix to allow directories with write and execute permission, but without read permission, to serve as temporary directories. Apply this same standard to the "." fallback directory.
The covering commits seem to be:

http://www.sqlite.org/cgi/src/info/67985761aa93fb61
Change the temporary directory search algorithm on unix so that directories with only -wx permission are allowed. And do not allow "." to be returned if it lacks -wx permission.

http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
Fix the fix to the temporary directory search algorithm so that it continues to return "." as a fallback if that directory has the correct permissions.

http://www.sqlite.org/cgi/src/info/614bb709d34e1148
Fix the temporary directory search algorithm for unix so that it fails gracefully even if all candidate directories are inaccessible. This fixes a bug that was introduced by check-in [9b8fec60d8e].

Can a CVE please be assigned for this issue?

Thanks,
Andreas

--
Andreas Stieger <astieger () suse com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
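The three commits quoted above describe one behavioural change: a candidate temporary directory qualifies when it grants write and execute permission, readability is not required, "." is held to the same standard, and the search must fail cleanly when no candidate qualifies. The following C program is an added illustration of that rule written for this archive page; it is not SQLite's own temporary-directory code (SQLite's internal function, its candidate list and its environment-variable handling are not reproduced here). The candidate array, the `make_demo_dir` helper and the explicit `fallback` parameter (SQLite hard-codes ".") are assumptions made so the search can be exercised, including the all-inaccessible case, from a test.

```c
/* Added example, not SQLite code: a minimal temp-directory candidate search
 * that follows the 3.13.0 rule.  -wx is sufficient (an unreadable directory is
 * fine), "." gets the same test, and NULL is returned when nothing qualifies. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* A candidate is usable if it exists, is a directory, and grants -wx to the
 * calling process.  R_OK is deliberately not required: requiring it made the
 * old search skip mode 0300 / 1733-style directories that are perfectly good
 * for creating temp files in, and fall through to a worse choice. */
int temp_dir_usable(const char *dir)
{
    struct stat st;
    if (dir == NULL || stat(dir, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    return access(dir, W_OK | X_OK) == 0;
}

/* Return the first usable candidate.  The fallback ("." in SQLite; a parameter
 * here so the failure path can be tested) is tried last and must meet the same
 * -wx standard.  NULL means "no temporary directory available": the caller has
 * to treat that as an error instead of creating files in an unintended place. */
const char *pick_temp_dir(const char *const *candidates, size_t n,
                          const char *fallback)
{
    for (size_t i = 0; i < n; i++)
        if (temp_dir_usable(candidates[i])) return candidates[i];
    return temp_dir_usable(fallback) ? fallback : NULL;
}

/* Helper constructed for this example: create a fresh directory under /tmp and
 * set its permission bits.  The caller owns (and may free) the returned path. */
char *make_demo_dir(mode_t mode)
{
    char tmpl[] = "/tmp/tempdir-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return NULL;
    if (chmod(tmpl, mode) != 0) { rmdir(tmpl); return NULL; }
    return strdup(tmpl);
}

int main(void)
{
    /* A write+execute-only directory is accepted even though it is unreadable. */
    char *wx_only = make_demo_dir(0300);
    const char *cands[] = { "/nonexistent/first-choice", wx_only };
    const char *chosen = pick_temp_dir(cands, 2, ".");
    printf("chosen: %s\n", chosen ? chosen : "(none)");

    /* Every candidate and the fallback inaccessible: fail gracefully. */
    const char *bad[] = { "/nonexistent/a", "/nonexistent/b" };
    const char *none = pick_temp_dir(bad, 2, "/nonexistent/dot");
    printf("all inaccessible: %s\n", none ? none : "(none, caller must error out)");

    if (wx_only) { rmdir(wx_only); free(wx_only); }
    return 0;
}
```

The detection-side takeaway for packagers is the fallback line: an older SQLite whose candidate directories were all unreadable-but-writable, or all missing, could end up creating temporary files under the current working directory, which is where the CWE-379 data-leakage concern in the advisory header comes from.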