PT-2015-6222 · Sqlite+5 · Sqlite+5

Michal Zalewski

·

Published

2015-04-24

·

Updated

2024-06-15

·

CVE-2015-3416

CVSS v2.0

7.5

High

VectorAV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions SQLite versions prior to 3.8.9
Description The issue concerns the sqlite3VXPrintf function in printf.c, which does not properly handle precision and width values during floating-point conversions. This can be exploited by context-dependent attackers to cause a denial of service, specifically an integer overflow and stack-based buffer overflow, or possibly have other unspecified impacts. The attack can be carried out via large integers in a crafted printf function call in a SELECT statement.
Recommendations For versions prior to 3.8.9, update to version 3.8.9 or later to resolve the issue.

Fix

DoS

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-190

Related Identifiers

ALT-PU-2015-1413
CESA-2015_1634
CESA-2015_1635
CVE-2015-3416
DSA-3252-1
DSA-3252-2
MGASA-2015-0234
OPENSUSE-SU-2024:10290-1
OPENSUSE-SU-2024:10344-1
RHSA-2015:1634
RHSA-2015:1635
RHSA-2015_1634
RHSA-2015_1635
USN-2698-1

Affected Products

Alt Linux
Centos
Red Hat
Sqlite
Ubuntu
Itunes