PT-2012-22: Format String Vulnerability in SQLite
Version: 3.7.13 and earlier
Operating system: OS/2 (eComStation)
Severity level: Medium
Impact: Denial of Service
Access Vector: Local
Base Score: 5.5
CVE: not assigned
SQLite is a lightweight embedded relational database.
Specialists of the Positive Research Center have detected a format string vulnerability in SQLite.
When a file is opened through SQLite on the OS/2 operating system (eComStation), the os2FullPathname function converts the path from a relative one to an absolute one. During this conversion the path is passed to sqlite3_snprintf as the format string itself rather than as an argument to a fixed format string, so an attacker who controls the path can embed format directives (escape sequences) that sqlite3_snprintf will interpret.
The vulnerability is in the file /sqlite3.c.
Vulnerable code fragment:
static int os2FullPathname(
  sqlite3_vfs *pVfs,          /* Pointer to vfs object (unused here) */
  const char *zRelative,      /* Possibly relative input path */
  int nFull,                  /* Size of output buffer in bytes */
  char *zFull                 /* Output buffer */
){
  char *zRelativeCp = convertUtf8PathToCp( zRelative );
  char zFullCp[CCHMAXPATH] = "\0";
  char *zFullUTF;
  APIRET rc = DosQueryPathInfo( (PSZ)zRelativeCp, FIL_QUERYFULLNAME,
                                zFullCp, CCHMAXPATH );
  free( zRelativeCp );
  zFullUTF = convertCpPathToUtf8( zFullCp );
  /* Defect: the caller-controlled path is passed as the format string */
  sqlite3_snprintf( nFull, zFull, zFullUTF );
  free( zFullUTF );
  return rc == NO_ERROR ? SQLITE_OK : SQLITE_IOERR;
}
Opening a database named "%s%s%s%s%s%s%s" will trigger a SQLite failure (denial of service), because sqlite3_snprintf interprets each "%s" as a request for a string argument that was never supplied.
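The following is an added example, not SQLite's own code: it models the defective call with the C library's snprintf (which treats its third argument as a format string exactly as sqlite3_snprintf does), shows the corrected form in which the path is passed as an argument to a fixed "%s" format, and adds a defensive check that flags any path containing a '%' directive. The buffer size, the function names and the sample paths are assumptions chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not SQLite's own code. The C library's snprintf is used
   here to model sqlite3_snprintf: both treat their third argument as a
   format string, which is the root of the os2FullPathname defect. */

#define FULL_PATH_MAX 260   /* assumed stand-in for OS/2's CCHMAXPATH */

/* Defensive check: does an externally supplied path contain a '%' that a
   format function would interpret as a conversion directive? A layer that
   cannot avoid a format call can at least refuse such input up front. */
int path_has_format_directive(const char *path) {
    return strchr(path, '%') != NULL;
}

/* Hardened copy. The vulnerable call was effectively
       sqlite3_snprintf( nFull, zFull, zFullUTF );
   with the path as the format. The fix is a fixed "%s" format with the
   path passed as its argument, so any '%' in the path is copied literally.
   Returns 0 on success, -1 if the path did not fit in the buffer. */
int copy_path_safe(char *out, size_t n, const char *path) {
    int written = snprintf(out, n, "%s", path);
    if (written < 0 || (size_t)written >= n) {
        return -1;
    }
    return 0;
}

/* Round-trip check: copies `path` through the hardened routine and reports
   whether it came out byte-for-byte unchanged (1) or not (0). */
int path_round_trips_unchanged(const char *path) {
    char full[FULL_PATH_MAX];
    if (copy_path_safe(full, sizeof full, path) != 0) {
        return 0;
    }
    return strcmp(full, path) == 0;
}

int main(void) {
    /* Constructed sample inputs: a benign path and the advisory's trigger. */
    const char *benign = "C:\\data\\app.db";
    const char *trigger = "%s%s%s%s%s%s%s";
    printf("%s -> directives: %d, round-trip: %d\n", benign,
           path_has_format_directive(benign), path_round_trips_unchanged(benign));
    printf("%s -> directives: %d, round-trip: %d\n", trigger,
           path_has_format_directive(trigger), path_round_trips_unchanged(trigger));
    return 0;
}
```

With the fixed format, the trigger string "%s%s%s%s%s%s%s" is copied unchanged instead of being interpreted. The original defect is also catchable at build time: GCC and Clang report a non-literal format with no arguments under -Wformat-security, and -Werror=format-security turns that report into a build failure.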
How to fix
As of June 21, 2012 the vendor no longer supports SQLite for OS/2. Versions 3.7.13 and earlier are vulnerable.
10.07.2012 - Vendor is notified
06.09.2012 - Public disclosure
The vulnerability was discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company).