Flaw in SQLite: CVE-2022-35737

From: seaoh...@hoffmanlabs.invalid (Stephen Hoffman)
Newsgroups: comp.os.vms
Subject: Flaw in SQLite: CVE-2022-35737
Date: Thu, 27 Oct 2022 14:07:40 -0400
Organization: HoffmanLabs LLC
Message-ID: <tjehdc$2qpom$1@dont-email.me>

"Stranger Strings: An exploitable flaw in SQLite"

https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/

Affects SQLite 1.0.12 to 3.39.1, and is fixed in 3.39.2 and later.

Reportedly (potentially) exploitable. Patch your stuff.

--
Pure Personal Opinion | HoffmanLabs LLC

Re: Flaw in SQLite: CVE-2022-35737

Newsgroups: comp.os.vms
Date: Sun, 30 Oct 2022 03:07:46 -0700 (PDT)
In-Reply-To: <tjehdc$2qpom$1@dont-email.me>
Message-ID: <193501bd-d3a4-4f9a-b05d-3fc7179cc9c4n@googlegroups.com>
Subject: Re: Flaw in SQLite: CVE-2022-35737
From: osuvma...@gmail.com (David Jones)

Note that the bug only applies if the application can generate a buffer larger than 2^31 bytes
as a printf argument, meaning it's practically not exploitable for 32-bit builds.
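An inventory check that follows from the two posts above (the affected range 1.0.12 to 3.39.1, fixed in 3.39.2, and the observation that the argument has to exceed 2^31 bytes, which the reply says is impractical on 32-bit builds). This is an added example, not code from the thread or from the SQLite project: it parses a dotted version string into a comparable tuple, decides whether a build falls inside the affected range, and reports the running interpreter's own linked SQLite. The helper names (`parse_version`, `is_affected`, `assess`, `assess_this_interpreter`) are my own, and the assumption that the interpreter's pointer width matches that of the linked library is stated in a comment.

```python
"""Inventory check for CVE-2022-35737: is a given SQLite library version inside
the affected range 1.0.12 .. 3.39.1 (fixed in 3.39.2)?  Added example; the
version boundaries are taken from the thread above."""
import sqlite3
import struct

AFFECTED_FROM = (1, 0, 12)   # first affected release, per the thread
FIXED_IN = (3, 39, 2)        # first fixed release, per the thread


def parse_version(text):
    """Turn '3.39.1' (or '3.39', or '3.8.10.2') into a comparable tuple of ints,
    padded to at least three components so that '3.39' sorts as 3.39.0.
    Anything that is not purely dotted digits (e.g. '3.39.1-beta') is rejected
    rather than silently compared wrong."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(version_text):
    """True when AFFECTED_FROM <= version < FIXED_IN (tuple comparison is
    lexicographic, so a four-component version such as 3.8.10.2 still works)."""
    v = parse_version(version_text)
    return AFFECTED_FROM <= v < FIXED_IN


def assess(version_text, pointer_bits):
    """Classify one build.  pointer_bits is the build's pointer width (32 or 64).
    Returns (status, note); status is 'patched' or 'vulnerable'."""
    if not is_affected(version_text):
        return ("patched",
                f"SQLite {version_text} is outside the affected range for CVE-2022-35737")
    if pointer_bits == 32:
        # Still a vulnerable version: the thread's reply only notes that a
        # >2^31-byte printf argument is impractical on a 32-bit build.
        return ("vulnerable",
                f"SQLite {version_text} is in the affected range; 32-bit build, "
                "which the thread notes makes the >2^31-byte trigger impractical. Update anyway.")
    return ("vulnerable",
            f"SQLite {version_text} is in the affected range on a {pointer_bits}-bit build; update to 3.39.2 or later")


def assess_this_interpreter():
    """Check the SQLite linked into the running Python.  Assumption: the library's
    pointer width equals the interpreter's (struct.calcsize('P') bytes)."""
    return assess(sqlite3.sqlite_version, struct.calcsize("P") * 8)


if __name__ == "__main__":
    # Constructed sample inventory entries (version string, pointer width).
    for ver, bits in [("3.31.1", 64), ("3.39.1", 32), ("3.39.2", 64), ("1.0.11", 64)]:
        print(ver, bits, assess(ver, bits))
    print("this interpreter:", sqlite3.sqlite_version, assess_this_interpreter())
```

Run it as a script to see the constructed sample entries classified, followed by the verdict for the interpreter's own `sqlite3` module; in a fleet check the same `assess` call would be fed from whatever tool reports each host's library version and build width.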

Re: Flaw in SQLite: CVE-2022-35737

From: craigbe...@nospam.mac.com (Craig A. Berry)
Newsgroups: comp.os.vms
Subject: Re: Flaw in SQLite: CVE-2022-35737
Date: Sun, 30 Oct 2022 16:57:44 -0500
Message-ID: <tjms0p$9n0i$1@dont-email.me>
In-Reply-To: <memo.20221030181418.15616V@jgd.cix.co.uk>

On 10/30/22 1:14 PM, John Dallman wrote:
> In article <193501bd-d3a4-4f9a-b05d-3fc7179cc9c4n@googlegroups.com>,
> osuvman50@gmail.com (David Jones) wrote:
>
>> Note that the bug only applies if the application can generate a
>> buffer larger than 2^31 bytes as a printf argument, meaning it's
>> practically not exploitable for 32-bit builds.
>
> Quite a lot of software has dropped its 32-bit builds, and nobody would
> want to have different versions of SQLite between their 32- and 64-bit
> builds. In the Linux and Windows worlds, there isn't all that much
> software left that's 32-bit-only. It's extinct on iOS and macOS, with
> Android heading that way quite fast.
>
> I checked on one of work's products that I remembered used SQLite, and
> was pleased to discover it has been removed two years ago.

I don't know what the pointer sizes are on the builds of SQLite for VMS,
but even with 64-bit pointers I'm pretty sure the size of a single
object is limited to 2GB on VMS. It would take some work to figure out
whether that in itself defeats the exploit or just creates a different
failure pattern.

Re: Flaw in SQLite: CVE-2022-35737

Newsgroups: comp.os.vms
Date: Sun, 30 Oct 2022 18:12:05 -0700 (PDT)
In-Reply-To: <tjms0p$9n0i$1@dont-email.me>
Message-ID: <832793b3-b87a-4aa8-bc9c-0cefbdc9a708n@googlegroups.com>
Subject: Re: Flaw in SQLite: CVE-2022-35737
From: osuvma...@gmail.com (David Jones)

On Sunday, October 30, 2022 at 5:57:49 PM UTC-4, Craig A. Berry wrote:
> I don't know what the pointer sizes are on the builds of SQLite for VMS,
> but even with 64-bit pointers I'm pretty sure the size of a single
> object is limited to 2GB on VMS. It would take some work to figure out
> whether that in itself defeats the exploit or just creates a different
> failure pattern.

The default VMS build is 32-bit but you do have the option to build 64-bit
versions of the images and libraries. The alternate versions have "64" appended
to the file name or type (e.g. sqlite3shr64.exe, sqlite3.olb64) so can co-exist
with the regular build.

Re: Flaw in SQLite: CVE-2022-35737

Newsgroups: comp.os.vms
Date: Mon, 31 Oct 2022 03:23:07 -0700 (PDT)
In-Reply-To: <832793b3-b87a-4aa8-bc9c-0cefbdc9a708n@googlegroups.com>
Message-ID: <17e6ca2f-4c18-45cd-b885-30bcfc4ab80cn@googlegroups.com>
Subject: Re: Flaw in SQLite: CVE-2022-35737
From: n.ri...@bell.net (Neil Rieck)

On Sunday, October 30, 2022 at 9:12:07 PM UTC-4, osuv...@gmail.com wrote:
> On Sunday, October 30, 2022 at 5:57:49 PM UTC-4, Craig A. Berry wrote:
> > I don't know what the pointer sizes are on the builds of SQLite for VMS,
> > but even with 64-bit pointers I'm pretty sure the size of a single
> > object is limited to 2GB on VMS. It would take some work to figure out
> > whether that in itself defeats the exploit or just creates a different
> > failure pattern.
> The default VMS build is 32-bit but you do have the option to build 64-bit
> versions of the images and libraries. The alternate versions have "64" appended
> to the file name or type (e.g. sqlite3shr64.exe, sqlite3.olb64) so can co-exist
> with the regular build.

Not sure how much of the OpenVMS ecosystem is exposed to SQLite (I suspect it is very tiny) but SQLite exists almost everywhere else in the computer world including Linux, smart TVs, and smart phones (Android is a stripped-down version of Linux) to only name three. In fact, anyone who has ever worked with the dynamic duo of yum and rpm on Linux will know that SQLite is at their center where it keeps track of dependencies during an upgrade.

Neil Rieck
Waterloo, Ontario, Canada.
http://neilrieck.net
