SQLite developers need to push the patch

Tempfile permissions a can of worms

SQLite has pushed out an update to fix a local tempfile bug, to address concerns that the bug could be exploitable beyond the merely local.

The bug was found by KoreLogic and reported to the popular open source database project, before being published at Full Disclosure.

The issue is that SQLite creates its tempfiles in a directory with incorrect permissions. It's not a Heartbleed-level vuln, but SQLite is deeply embedded in other packages, so the concern is that those packages might behave insecurely without their developers knowing.

What KoreLogic worked out is that there are cases where that could be taken advantage of by attacks beyond SQLite: “this might in turn cause software that uses SQLite libraries to behave in unsafe ways, leaking sensitive data, opening up SQLite libraries to attack by deliberately corrupted tempfiles, etc.”

As their worst-case example, the researchers point out that a careless chdir() in a program writing data in SQLite could leave it somewhere attackable, “such as an NFS or SMB network share (allowing network capture), or a removable device which will later leave the user's physical control (leaving on-disk residue, possibly mitigated by SQLite's SECURE_DELETE settings)”.

Since SQLite is used all over the place – by Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft and a bunch of others – it's a noteworthy bug, even if it's not yet been exploited.

The fix is in version 3.13.0.
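A defensive check along these lines, as an added example that is not from the article, KoreLogic or the SQLite project: it reports whether the SQLite library linked into the running Python interpreter is at least 3.13.0, and inspects the directories SQLite considers for tempfiles on Unix. The candidate list (SQLITE_TMPDIR, TMPDIR, /var/tmp, /usr/tmp, /tmp, then the current directory) comes from SQLite's own temp-file documentation rather than this page, and the function names are hypothetical.

```python
import os
import sqlite3
import stat

FIXED_VERSION = (3, 13, 0)  # release the article names as carrying the fix


def is_patched(version_info=sqlite3.sqlite_version_info):
    """True if the given SQLite version is at or above the fixed release."""
    return tuple(version_info) >= FIXED_VERSION


def candidate_temp_dirs(env=os.environ):
    """Unix search order per SQLite's temp-file docs; '.' is the last resort."""
    dirs = [env.get("SQLITE_TMPDIR"), env.get("TMPDIR"),
            "/var/tmp", "/usr/tmp", "/tmp", "."]
    return [d for d in dirs if d]


def assess_dir(path):
    """Return findings for one candidate directory (empty list = no finding)."""
    try:
        st = os.stat(path)
    except OSError:
        return ["missing or unreadable"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if path == ".":
        # The chdir() scenario from the advisory: cwd may be a share or USB stick.
        findings.append("current directory: location depends on earlier chdir()")
    mode = stat.S_IMODE(st.st_mode)
    writable_by_others = mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable_by_others and not mode & stat.S_ISVTX:
        # Without the sticky bit, other users can delete or replace tempfiles.
        findings.append("writable by group or others without sticky bit")
    return findings


def audit(env=os.environ):
    """Summarise library version and every candidate tempfile directory."""
    return {"sqlite_version": sqlite3.sqlite_version,
            "patched": is_patched(),
            "dirs": {d: assess_dir(d) for d in candidate_temp_dirs(env)}}


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

This only covers the SQLite copy that Python itself links against; applications that bundle their own SQLite need their version checked separately.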

