back to article Another remote-code execution hole in top database engine SQLite: How it works, and why not to totally freak out

Cisco Talos researchers have uncovered an SQLite use-after-free() vulnerability that could allow an attacker to, in theory, remotely execute code on an affected device. "An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0," said Talos in a blog post describing the vuln, …

  1. GnuTzu Silver badge

    Firefox?

    Might someone want to check which Firefox versions are affected if any?

  2. Phil Endecott Silver badge

    It would be interesting to know if any static analysis tools spotted this.

    Is sqlite getting free coverity scans?

    1. Def Silver badge

      I think I’ve seen warnings about this from static analysis tools in the past, but I can’t be certain.

      I almost never write pure C code these days (ironically, the one exception in recent years has been the SDK for the Oso Memory Profiler </shamelessplug>), and my memory manager for all my C++ projects has a debug mode that catches things like this on the rare occasions they happen.

  3. A random security guy

    Well, most smart-phones and man embedded systems use SQLite.

    SQLite is everywhere; in iPhones, Android, IoT systems, servers, etc.

    https://www.sqlite.org/famous.html

  4. YetAnotherJoeBlow
    Trollface

    Quit using C

    Sacrilege!

    1. Tim99 Silver badge
      Coat

      Re: Quit using C

      Exactly, it was one of the few ways that I found to produce a small executable without needing gigabytes of frameworks to produce a working program that would fit on a floppy disk - Ask kids these days, they have no idea, grumble...

      To be serious though, it is an excellent solution for a number of applications. I have found it to be a really good data depository for medium sized websites (i.e. most of them written for small/medium businesses) sqlite.org ..Queries Are Efficient...

      Mine's the one with "Using SQLite" in the pocket >>=====>

  5. Rich 2 Silver badge

    Stop using C

    So what do you suggest instead?

    Python? Written in C

    PHP? Written in C

    Go? ....you get the idea?

    Whenever anyone tries to claim that "C is dead. Nobody uses C anymore" they should remember that virtually all the other languages are written in it (or some derivirive of it such as C++)

    Besides, an ENOURMOUS amount of code is written every day in C/C++. And that's not changing any time soon.

    And ALL the useful stuff (stuff that makes the phone network work, or runs your TV, or makes the Internet work, or heart monitors, or....) is (guess what?) written in C

    1. Warm Braw Silver badge

      Re: Stop using C

      ALL the useful stuff (stuff that makes the phone network work, or runs your TV, or makes the Internet work, or heart monitors, or....) is (guess what?) written in C

      And that's the end of C-watch. Don't have nightmares, do sleep well.

      1. yoganmahew

        Re: Stop using C

        In other news...

        "It, realistically, requires the combination of an SQL injection flaw with this latest engine bug to do scary damage."

        That's the typical MO to exploit a bug, according to Mr. Gibson. There are plenty of partially patched systems and regular findings of squilly injection flaws - https://www.theregister.co.uk/2018/12/18/sqlite_vulnerability/

        So if you only upgraded to 3.26.0 or not much newer to fix December's injection flaw, you're now vulnerable to both flaws being used as a pair.

        1. ibmalone Silver badge

          Re: Stop using C

          Thought process: "How does one exploit SQL injection on SQLite, which is most often used for an application's private storage?"

          Follows link.

          "For Google, at least, the library backs Chrome's WebSQL database API."

          Oh, as you were then.

    2. A.P. Veening Silver badge

      Re: Stop using C

      So what do you suggest instead?

      How about assembly? And for real die-hards there still is the possibility to enter hex-code directly.

    3. Phil Endecott Silver badge

      Re: Stop using C

      > So what do you suggest instead?

      C++.

      1. Tim99 Silver badge
        Joke

        Re: Stop using C

        Phil, I think you needed to use the Joke icon >>======>

    4. Roland6 Silver badge
      Coat

      Re: Stop using C

      >So what do you suggest instead?

      Ada...

      But aks for a long extension to the deadline before starting...

      1. Ken Shabby Bronze badge
        Holmes

        Re: Stop using C

        I can write C in any language

        1. A.P. Veening Silver badge

          Re: Stop using C

          I can write C in any language

          O? Try Thai.

          1. DCFusor Silver badge

            Re: Stop using C

            You can write C in perl (I do) and since perl's unicode is really getting there, probably in Thai. I know

            a bunch of really obscure languages are now supported, even in perl5.

            https://www.youtube.com/watch?v=gmmVGPdcItM&t=1033s

            Regular expressions in any language now...(even if ones in my own language make my head hurt).

            Lower case Cherokee anyone?

          2. Ken Shabby Bronze badge

            Re: Stop using C

            Thai is easy, apart from the collation and byte versus display length of strings. Not worked there for a few years, but still have a few customers there

            Klingon, I grant you, would be a challenge, still not in Unicode.

    5. dbtx Bronze badge

      Re: Stop using C

      And stop keeping scalpels and bone saws and hypodermic needles and high pressure oxygen tanks and giant MRI magnets at the flippin' hospital. It's just stupidly dangerous and dangerously stupid.

    6. Def Silver badge

      Re: Stop using C

      ...is written every day in C/C++.

      Please stop doing this. :)

      Regardless of C++'s origins, C and C++ are two very different languages these days. Pretending they're still vaguely equal doesn't do either of them justice.

    7. Anonymous Coward
      Anonymous Coward

      Re: Stop using C

      > Go? ....you get the idea?

      Just to point out... Go is written in Go these days (last few years).

      It was originally written in C though, before a significant rewrite fixed that particular problem.

    8. GnuTzu Silver badge

      Re: Stop using C

      #define MULTI_PLATFORM_INSANITY

      Even Perl is infected, having different sized integer handling on different platforms, forcing one to use bigint to ensure uniform limits.

  6. Mike 137 Bronze badge

    "Patch and stop using C"

    How about learning to code securely in C? But after all you've only had 40 years to get round to this. I suppose it's easier to not learn to code securely in some other language.

    1. Roland6 Silver badge

      Re: "Patch and stop using C"

      >How about learning to code securely in C?

      Interesting concept - I always thought C was a powerful language and thus was insecure by design and hence should only be used by expert (and trustworthy?) programmers who understood the theory and practise of defensive programming.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019