
The SQLite database engine has been patched against a high-severity vulnerability that attackers could exploit to crash or take control of programs that rely on the software. The maintainers have released a revised version to defend against the flaw, which is difficult to exploit.
The vulnerability, tracked as CVE-2022-35737 with a CVSS severity score of 7.5 and disclosed last month, is 22 years old: it was introduced in SQLite version 1.0.12, a 2000 release from a time when the software ran primarily on 32-bit architectures, and it highlights how functionality that was initially secure can have unintended consequences much further down the line.
The vulnerability is exploitable on 64-bit systems when a format string uses the %Q, %q, or %w substitution types with very large string inputs, which – in this scenario – might cause programs to crash or worse.
The root cause was the use of a signed 32-bit integer both as a byte index into the input string and to compute the size of the output string. When an input string was large enough, the integer would overflow, and “all kinds of problems” ensued.
However, the potential impact of the flaw appears to be limited. It is not possible to reach the vulnerability for malicious purposes via SQL inputs or by passing SQLite a malformed database file.
An attacker would have to misuse the sqlite3_mprintf() function – or “similar C-level interfaces with a format string that includes one of the non-standard conversion symbols, and then pass in a string that is over 2GB in size”.
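The size arithmetic the article describes can be guarded before a string ever reaches a formatter. The following is an added example, not SQLite's own code: a hypothetical pre-check a caller of sqlite3_mprintf()-style APIs could run, which computes the escaped output size in size_t with overflow-checked arithmetic and refuses anything that would not fit a signed 32-bit index. It goes slightly beyond the article by accounting for the doubling of quote characters that %q/%Q/%w perform, so an input somewhat under 2GB can still be rejected when its escaped form would exceed the limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical guard (not SQLite code). Bytes needed for a %q/%Q/%w-style
 * escape of an input: every quote character is doubled, %Q additionally
 * wraps the result in a pair of quotes, and one byte is the terminating NUL.
 * Returns true and stores the size only if it fits a signed 32-bit integer,
 * the index type whose overflow caused CVE-2022-35737. */
static bool escaped_size_fits_int32(size_t input_len, size_t quote_count,
                                    bool wrap, int32_t *out)
{
    size_t total;
    if (quote_count > input_len) return false;            /* inconsistent counts */
    if (__builtin_add_overflow(input_len, quote_count, &total)) return false;
    if (wrap && __builtin_add_overflow(total, (size_t)2, &total)) return false;
    if (__builtin_add_overflow(total, (size_t)1, &total)) return false;
    if (total > (size_t)INT32_MAX) return false;          /* would wrap a 32-bit int */
    *out = (int32_t)total;
    return true;
}

/* Scans a real buffer for the character the conversion doubles
 * (' for %q and %Q, " for %w) and applies the guard above. */
static bool safe_to_format(const char *s, size_t len, char quote,
                           bool wrap, int32_t *out)
{
    size_t quotes = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == quote) quotes++;
    }
    return escaped_size_fits_int32(len, quotes, wrap, out);
}
```

A caller that gets false from safe_to_format() should reject or chunk the input rather than hand it to a formatter that indexes with a 32-bit int.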
The patched SQLite version, v3.39.2, was released on July 21.