FOR a while now, people have been pointing out that security vulnerability reports, especially to the National Vulnerability Database, are getting inflated way beyond their actual level of severity. The SQLite team especially warn about this. Here's a good example: https://sqlite.org/forum/forumpost/d2415641c8
Richard Hipp says:
CVE-2023-36191 was written against this bug, 20 days after the bug was fixed. This post is to refute that CVE.
The error is a bug. It has been fixed. But it is not a vulnerability. You may safely ignore the CVE. Key points:...
The behavior is the same after the bug fix as it was before - the program issues an error message and stops. The "fix" just makes the error message a little nicer. Instead of printing "Segmentation Fault", it prints "Error: missing argument to --nonce" and then calls exit(1).
Here's the description in bug report filed to the Red Hat Bugzilla:
A segmentation fault was discovered in SQLite. This issue exists due to a boundary error within the /sqlite3_aflpp/shell.c which could allow a local user to send a specially crafted request to the database to trigger memory corruption and perform a denial of service (DoS) attack.
Yeah, the local user could perform a denial of service attack against themselves by passing a bad argument to the sqlite3 CLI tool and making it exit immediately. But 'specially crafted request to the database'? Come on. Here's the 'specially crafted' request:
% sqlite3 -nonce
zsh: segmentation fault sqlite3 -nonce
This never even reaches the database. The CLI exits immediately. These are the kinds of vulnerabilities that are getting filed nowadays: https://nvd.nist.gov/vuln/detail/CVE-2023-36191
This is described as:
sqlite3 v3.40.1 was discovered to contain a segmentation violation at /sqlite3_aflpp/shell.c.
What it fails to mention is that it's a segfault in the CLI tool which causes it to exit immediately. I mean sure, if you explicitly pass the incorrect -nonce flag to the tool, you can make it crap out and it will fail whatever script or interactive work you wanted to do. But is this a vulnerability? Come on.
Top comments (0)