oss-sec mailing list archives

SQLite - Integer Overflow in FTS5 Extension [CVE-2025-7709]


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 5 Sep 2025 17:29:25 -0700

https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g
was published on August 15, and states:

Summary
-------
An integer overflow exists in the FTS5 extension. It occurs when the size of an
array of tombstone pointers is calculated and truncated into a 32-bit integer.
A pointer to partially controlled data can then be written out of bounds.

Severity
--------
Moderate - The overflow can be triggered by either an attacker who is able to
execute arbitrary queries or an attacker that can make an application process
a controlled SQLite DB file.

Proof of Concept
----------------

echo "SELECT * FROM articles WHERE articles MATCH 'whatever'" | ./sqlite3 /tmp/poc.sql
=================================================================
==3811642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5030000012f0 at pc 0x55eafca6599b bp 0x7ffdd1591570 sp 0x7ffdd1591568
READ of size 8 at 0x5030000012f0 thread T0

Fix can be found here: https://sqlite.org/src/info/63595b74956a9391

Timeline
--------
Date reported: 07/15/2025
Date fixed: 07/16/2025
Date disclosed: 08/15/2025

See the above URL for Further Analysis.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
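The advisory describes the bug class in one sentence: a byte count for an array of pointers is computed, narrowed into a 32-bit integer, and the now-undersized buffer is written past its end. The following C program is an added illustration of that arithmetic and of the overflow-checked form a reviewer would ask for; it is not SQLite's FTS5 code, and the function names, the maxEntry sanity bound and the sample element counts are assumptions chosen to make the wrap-around visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical model of the bug class in the advisory: a byte count for an
 * array of pointers is computed and then narrowed to a 32-bit integer.
 * Illustrative code written for this post, NOT SQLite's FTS5 code; the
 * function names, the maxEntry bound and the sample counts are assumptions.
 */

/* Narrowing variant: the 64-bit product wraps modulo 2^32 when stored in a
 * 32-bit field, so a huge element count can yield a tiny byte count. */
int narrowed_array_bytes(uint64_t nEntry) {
    uint32_t nByte32 = (uint32_t)(nEntry * sizeof(void *)); /* wraps mod 2^32 */
    return (int)nByte32;
}

/* How many pointer slots an allocation of nByte bytes really holds. */
uint64_t slots_available(int nByte) {
    return nByte < 0 ? 0 : (uint64_t)nByte / sizeof(void *);
}

/* True when storing slot index nEntry-1 would land past the end of a buffer
 * sized with narrowed_array_bytes(): the heap-buffer-overflow condition. */
bool write_exceeds_narrowed_alloc(uint64_t nEntry) {
    if (nEntry == 0) return false;
    return nEntry > slots_available(narrowed_array_bytes(nEntry));
}

/* Checked variant: overflow-checked multiply kept in size_t, plus an explicit
 * sanity bound on the element count. Returns false instead of a bogus size. */
bool checked_array_bytes(uint64_t nEntry, uint64_t maxEntry, size_t *pnByte) {
    size_t nByte;
    if (nEntry > maxEntry) return false;
    if (__builtin_mul_overflow(nEntry, sizeof(void *), &nByte)) return false;
    *pnByte = nByte;
    return true;
}

int main(void) {
    /* Constructed sample: one more element than a 32-bit byte count can hold. */
    uint64_t nBig = ((uint64_t)1 << 32) / sizeof(void *) + 1;
    size_t nByte = 0;

    printf("count %llu -> narrowed size %d bytes (%llu slots), out-of-bounds write: %s\n",
           (unsigned long long)nBig, narrowed_array_bytes(nBig),
           (unsigned long long)slots_available(narrowed_array_bytes(nBig)),
           write_exceeds_narrowed_alloc(nBig) ? "yes" : "no");

    if (!checked_array_bytes(nBig, 1u << 20, &nByte))
        printf("checked path rejected count %llu\n", (unsigned long long)nBig);
    if (checked_array_bytes(1000, 1u << 20, &nByte))
        printf("checked path accepted 1000 entries -> %zu bytes\n", nByte);
    return 0;
}
```

On a 64-bit build the constructed count yields a narrowed size of 8 bytes, i.e. room for one pointer, while the caller believes it has over half a billion slots; the checked path refuses the same count. Building with -Wconversion surfaces the 64-to-32-bit narrowing at compile time, and -fsanitize=address catches the resulting write at run time, which is the kind of report shown in the proof of concept above.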

