The Magellan bug: buffer overrun, or a round-the-world expedition via SQLite FTS

Somehow the recent Magellan bug and its related vulnerabilities went unmentioned on Habr; I will try to correct this omission.

A bit of history:
On November ?, 2018, bug report number 900910, "Multiple issues in SQLite via WebSQL," was filed against Chromium. The bug was reported by Wenxiang Qian of the Tencent Blade Team.
On November ?, 2018, the bug was closed in the core of the SQLite library (FTS3), where it had actually lived almost since the module's creation, i.e. since November 2009.
On November 2?, 201?, the fix is merged into Chromium.
A little later the Tencent Blade Team publishes a bug advisory, naming it Magellan, deliberately without disclosing details and indicating that publication of ready-made exploits and PoCs is not planned yet.
A week later the Internet is full of PoCs breaking Chrome, the Electron dev framework, and so on. There is still no evidence, or any other information, that the vulnerability was used for malicious purposes.
DRH confirmed the suspicions raised on Hacker News that the vulnerability is real (at least where execution of a "foreign" SQL query is allowed, or SQL injection of such a script is possible).
A little more about the Magellan SQLite bug
The bug is an integer overflow in a sum of integers; the fix, check-in [940f2adc8541a838], ships as part of the SQLite ??? release (to which Chromium and Co. have also been updated, for example Chrome in version ???.80).
SQLite ??? also adds further protections for FTS tables, for example:
read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled
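As an added illustration (my own code, not SQLite's and not from the original post), here is the general shape of the bug class described above, an unchecked sum of lengths used to size a buffer, next to the checked-add pattern that prevents it. The helper names (checked_add_int, wrapped_size, safe_concat) are my own; the inputs are constructed. The wrap is shown in unsigned 32-bit arithmetic because signed overflow in C is undefined behaviour and cannot be demonstrated reliably.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: stores a+b in *out and returns 1 only when the sum
 * fits in an int. Sizes are never negative, so negative inputs are rejected.
 * This is the check that an overflow-driven buffer overrun is missing. */
int checked_add_int(int a, int b, int *out) {
    if (a < 0 || b < 0) return 0;
    if (a > INT_MAX - b) return 0;   /* a + b would exceed INT_MAX */
    *out = a + b;
    return 1;
}

/* Vulnerable shape: two lengths combined with plain arithmetic. In 32-bit
 * unsigned arithmetic the result wraps modulo 2^32, so a huge pair of
 * lengths yields a tiny allocation size while the writer still copies
 * the full (huge) amount: that mismatch is the buffer overrun. */
uint32_t wrapped_size(uint32_t a, uint32_t b) {
    return a + b;
}

/* Hardened shape: concatenate two length-prefixed byte strings into a freshly
 * allocated buffer, refusing when the combined length is not representable.
 * Returns NULL on overflow or allocation failure; the caller frees the result. */
unsigned char *safe_concat(const unsigned char *p1, int n1,
                           const unsigned char *p2, int n2, int *nOut) {
    int total;
    if (!checked_add_int(n1, n2, &total)) return NULL;
    unsigned char *buf = malloc(total > 0 ? (size_t)total : 1);
    if (!buf) return NULL;
    memcpy(buf, p1, (size_t)n1);
    memcpy(buf + n1, p2, (size_t)n2);
    *nOut = total;
    return buf;
}

int main(void) {
    int out;
    /* Constructed inputs: a sum that fits and one that does not. */
    printf("10 + 20 fits: %d (out=%d)\n", checked_add_int(10, 20, &out), out);
    printf("INT_MAX + 1 fits: %d\n", checked_add_int(INT_MAX, 1, &out));
    /* The wrapped size is far smaller than either operand. */
    printf("0xFFFFFFF0 + 0x20 wraps to 0x%x\n", wrapped_size(0xFFFFFFF0u, 0x20u));
    int n;
    unsigned char *b = safe_concat((const unsigned char *)"abc", 3,
                                   (const unsigned char *)"de", 2, &n);
    if (b) { printf("concat: %.*s (%d bytes)\n", n, b, n); free(b); }
    return 0;
}
```

The point of the hardened version is that the size check happens before any allocation or copy, so an attacker-influenced length can at worst make the operation fail cleanly rather than write past the end of a too-small buffer.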
By the way, this is not the first integer-overflow and buffer-overrun bug in SQLite in general and in the FTS module in particular (there have been earlier examples), but it is probably the most significant of its kind in terms of theoretical impact and the relative "scale" of its possible uses and consequences.