Experts disclosed a 22-year-old bug in popular SQLite Database library

A high-severity vulnerability, tracked as CVE-2022-35737, has been disclosed in the SQLite database library.

The security expert Andreas Kellas detailed a high-severity vulnerability, tracked as CVE-2022-35737 (CVSS score: 7.5), in the SQLite database library, which was introduced in October 2000.

The CVE-2022-35737 flaw is an integer overflow issue that impacts SQLite versions 1.0.12 through 3.39.1. The vulnerability was addressed with the release of version 3.39.2 on July 21, 2022.

“SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.” reads the advisory.

An attacker can trigger the issue to execute arbitrary code on the affected system.

“CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled; arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present, and denial-of-service is confirmed in all cases.” Kellas wrote.

The expert explained that in order to exploit the CVE-2022-35737 flaw, attackers have to pass large string inputs to the SQLite implementations of the printf functions and the format string contains the %Q, %q, or %w format substitution types.

The vulnerability ties the way a function, named “sqlite3_str_vappendf,” called by printf handles the string formatting.

A signed integer overflow is triggered when the sqlite3_str_vappendf function receives a large string and when the format substitution type is %q, %Q, or %w.

The researchers also discovered that if the format string contains the ! special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution in the worst case, or to cause a DoS condition.

“it’s a bug that may not have seemed like an error at the time that it was written (dating back to 2000 in the SQLite source code) when systems were primarily 32-bit architectu” Kellas concluded.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SQLite)

[adrotate banner=”5″]

[adrotate banner=”13″]