Описание
An integer overflow can be triggered in SQLite’s concat_ws() function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
A flaw was found in SQLite’s concat_ws() function, where an integer overflow can be triggered. The resulting truncated integer can allocate a buffer. When SQLite writes the resulting string to the buffer, it uses the original, untruncated size, and a wild heap buffer overflow size of around 4GB can occur. This issue can result in arbitrary code execution.
Отчет
For Openshift, the bundled sqlite3.c does contain the affected concat_ws function, it is not included in the Rust bindings of the libsqlite3-sys crate, nor are there any indirect ways to call it. Therefore, this is dead code in this context, and Openshift is not affected.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | sqlite | Not affected | ||
| Red Hat Enterprise Linux 7 | sqlite | Not affected | ||
| Red Hat Enterprise Linux 8 | mingw-sqlite | Not affected | ||
| Red Hat Enterprise Linux 8 | rust-toolset:rhel8/rust | Not affected | ||
| Red Hat Enterprise Linux 8 | sqlite | Not affected | ||
| Red Hat Enterprise Linux 9 | rust | Not affected | ||
| Red Hat Enterprise Linux 9 | sqlite | Not affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Not affected | ||
| Red Hat Enterprise Linux 10 | sqlite | Fixed | RHSA-2025:7517 | 13.05.2025 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2025:4459 | 05.05.2025 |
Показывать по
Дополнительная информация
Статус:
7.3 High
CVSS3
Связанные уязвимости
An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
An integer overflow can be triggered in SQLite\u2019s `concat_ws()` fu ...
An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
7.3 High
CVSS3