Mandriva Linux Security Advisory : sqlite3 (MDVSA-2015:217)

high Nessus Plugin ID 83169

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Multiple vulnerabilities has been found and corrected in sqlite3 :

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE at the end of a SELECT statement (CVE-2015-3414).

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0 O>O) in a CREATE TABLE statement (CVE-2015-3415).

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement (CVE-2015-3416).

The updated packages provides a solution for these security issues.

Solution

Update the affected packages.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1212353

https://bugzilla.redhat.com/show_bug.cgi?id=1212356

https://bugzilla.redhat.com/show_bug.cgi?id=1212357

Plugin Details

Severity: High

ID: 83169

File Name: mandriva_MDVSA-2015-217.nasl

Version: 2.6

Type: local

Published: 5/1/2015

Updated: 1/14/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lemon, p-cpe:/a:mandriva:linux:lib64sqlite3-devel, p-cpe:/a:mandriva:linux:lib64sqlite3-static-devel, p-cpe:/a:mandriva:linux:lib64sqlite3_0, p-cpe:/a:mandriva:linux:sqlite3-tcl, p-cpe:/a:mandriva:linux:sqlite3-tools, cpe:/o:mandriva:business_server:1, cpe:/o:mandriva:business_server:2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 4/30/2015

Reference Information

CVE: CVE-2015-3414, CVE-2015-3415, CVE-2015-3416

MDVSA: 2015:217