Unfixed vulnerabilities along with the forked codebase of sqlite in src/box/sql/ #8849
fullwaywang
Hi there. I am a researcher in security and vulnerabilities. Recently I have been studying CVEs in OSS and their existence in downstream projects.

While modeling CVEs in sqlite3 and searching for vulnerable, cognate code across GitHub, I found this project. The code in `src/box/sql/` turned out to be a copy of sqlite3, with the baseline version from which it forked unknown. However, the legal announcements within the code files had been replaced, and symbols like function names had been carefully modified. Many individual modifications had been made on this codebase, which made it hard to map the modified functions to the original. After some manual examination, I found that some CVEs which had been fixed in upstream sqlite3 did exist in tarantool, judging from the vulnerable code contexts. For example, a patch fixing CVE-2020-13435 is commit 0934d64 in function `sqlite3ExprCodeTarget`:

Which is apparently a patch against out-of-bound accessing of an array. Examining the context in function `sqlExprCodeTarget` I got:

Though the context differed, the defect made sense anyway.

Honestly speaking I am totally unfamiliar with this project, and the role of the code in `src/box/sql/` is not clear to me. Would you make some investigation into the existence and exploitability of sqlite3 vulnerabilities, and probably merge upstream patches or switch to the upstream code in the future?
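The post's hard step is mapping renamed fork symbols back to upstream names before a fix can be checked for. Below is an added example (not from the post or from tarantool) that does the first part of that triage: it takes upstream sqlite3 function names touched by a fix and locates their cognate definitions in fork source, assuming only the `sqlite3` -> `sql` prefix rename the post observed; the fork source and the extra upstream names beyond `sqlite3ExprCodeTarget` are constructed for the example.

```python
import re

# Prefix rewrites assumed from the post: upstream sqlite3Foo became sqlFoo in the fork.
PREFIX_REWRITES = [("sqlite3", "sql"), ("sqlite", "sql")]

# A C function definition: optional type/qualifier words, the name, '(' and a
# parameter list that does not end the line with ';' (which would be a prototype).
FUNC_DEF_RE = re.compile(
    r"^(?:[A-Za-z_]\w*[\s\*]+)*([A-Za-z_]\w*)\s*\([^;{\n]*$", re.M)

# Constructed fork-style source; NOT tarantool's real src/box/sql/ code.
FORK_SAMPLE = r"""
int
sqlExprCodeTarget(struct Parse *pParse, struct Expr *pExpr, int target)
{
	int op = pExpr->op;
	return sqlExprCodeGetColumn(pParse, op);
}

static int
sqlExprCodeGetColumn(struct Parse *pParse, int iCol)
{
	return iCol;
}

int sqlVdbeAddOp0(Vdbe *p, int op);   /* prototype only: must be ignored */
"""


def normalize(name):
    """Canonical form of a symbol: rewrite the known prefix, then lowercase."""
    for old, new in PREFIX_REWRITES:
        if name.lower().startswith(old):
            name = new + name[len(old):]
            break
    return name.lower()


def map_upstream_symbols(upstream_names, fork_source):
    """Map each upstream function name to the fork's cognate definition, or None.

    A hit only locates the function to inspect; whether the upstream fix is
    actually present still requires reading the body, as the post describes.
    """
    fork_defs = {normalize(m.group(1)): m.group(1)
                 for m in FUNC_DEF_RE.finditer(fork_source)}
    return {up: fork_defs.get(normalize(up)) for up in upstream_names}


if __name__ == "__main__":
    # sqlite3ExprCodeTarget is from the post; the other two are constructed inputs.
    names = ["sqlite3ExprCodeTarget", "sqlite3ExprCodeGetColumn", "sqlite3VdbeAddOp2"]
    for up, fork in map_upstream_symbols(names, FORK_SAMPLE).items():
        print(f"{up:28s} -> {fork or 'NOT FOUND (manual review)'}")
```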