The SQLite database library has a high-severity vulnerability that was introduced as part of a code update that dates all the way back to October 2000. And might allow attackers to crash or take control of programmes. SQLite Database Library Reported a 22-Year-Old Vulnerability.

The 22-year-old bug, identified as CVE-2022-35737 (CVSS: 7.5), has been fixed in SQLite version 3.39.2, which was released on July 21, 2022. It affects versions 1.0.12 through 3.39.1. SQLite Database Library Reported a 22-Year-Old Vulnerability.

According to Trail of Bits researcher Andreas Kellas in a technical write-up released today. “CVE-2022-35737 is vulnerable on 64-bit computers, and exploitability relies on how the software is constructed.”

When the library is compiled without stack canaries, arbitrarily executed code is confirmed. However, when stack canaries are present, arbitrarily executed code is unconfirmed, and denial-of-service is always confirmed.

The most frequently used database engine is SQLite, which was developed in C. It comes pre-installed in popular web browsers including Google Chrome, Mozilla Firefox, and Apple Safari, as well as Android, iOS, Windows, and macOS.

When very large string inputs are supplied as parameters to the SQLite implementations of the printf procedures, which in turn employ another function to handle the string formatting (“sqlite3 str vappendf”), an integer overflow bug results. This vulnerability was found by Trail of Bits.

SQLite Database Issues

The requirement that the string contains the%Q,%q, or%w format replacement types is necessary for the flaw to be weaponized. Which could result in a software crash when user-controlled data is written outside of a stack-allocated buffer. SQLite Library Reported 22-Year-Old Vulnerability

“In the worst situation, it is conceivable to accomplish arbitrary code execution, or to make the computer hang and run (almost) indefinitely,” Kellas said. “If the format string contains the ‘!’ special character to enable Unicode character scanning.”

The vulnerability is also an illustration of how the development of 64-bit computer systems made a scenario that was previously thought to be unworkable decades ago—allocating 1GB strings as input—possible.

It’s a flaw that, given the predominance of 32-bit architectures. At the time it was written (dating back to 2000 in the SQLite source code). May not have been obvious at the time. SQLite Library Reported 22-Year-Old Vulnerability.