Bug #77541 SQLite < 3.26.0 - Possible magellan vulnerability
Submitted: 2019-01-29 15:36 UTC
Modified: 2019-01-29 16:36 UTC
From: myskina at gmail dot com
Assigned: cmb
Status: Duplicate
Package: PDO SQLite
PHP Version: 7.3.1
OS: Windows 7 x64
Private report: No
CVE-ID: None
 [2019-01-29 15:36 UTC] myskina at gmail dot com
Description:
------------
This vulnerability in SQLite has been discussed on some sites:
https://thehackernews.com/2018/12/sqlite-vulnerability.html
https://www.securityweek.com/code-execution-flaw-sqlite-affects-chrome-other-software
https://news.ycombinator.com/item?id=18686305
https://nakedsecurity.sophos.com/2018/12/19/sqlite-creator-fires-back-at-tencents-bug-hunters/

PHP version 7.3.1's pdo_sqlite currently uses SQLite 3.24.0.

According to SQLite's creator, to be able to use this vulnerability, you need a combination of things. You have to be able to execute arbitrary SQL and you have to have FTS3 enabled, and in those cases you can get a remote code execution.

Is SQLite in PHP 7.3.1 available with FTS3 on some OS?

Is PHP vulnerable?

Is an update to a version of SQLite that is at least 3.26.0 or earlier needed or planned in a future release?
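
One way to answer the version and FTS3 questions above for a given PHP build, as an added example that is not part of the original report or PHP's own code. The function name and the use of an in-memory database are assumptions; 3.26.0 is the threshold from the report title.

```php
<?php
// Added example (hypothetical helper): report which SQLite library pdo_sqlite
// is linked against and whether the FTS3 module is actually usable.
function sqliteFts3Exposure(string $fixedIn = '3.26.0'): array
{
    // An in-memory database is enough: the library build is the same for every file.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Version of the linked SQLite library, which is independent of the PHP version.
    $version = (string) $pdo->query('SELECT sqlite_version()')->fetchColumn();

    // Build flags. The list can be empty when the library was compiled
    // without compile-option diagnostics, so it is not trusted on its own.
    $options = $pdo->query('PRAGMA compile_options')->fetchAll(PDO::FETCH_COLUMN);
    $ftsFlags = array_values(array_filter($options, function ($opt) {
        return preg_match('/^ENABLE_FTS[34]/', $opt) === 1;
    }));

    // Functional probe: creating an fts3 virtual table fails with
    // "no such module: fts3" when the module is not compiled in.
    try {
        $pdo->exec('CREATE VIRTUAL TABLE fts3_probe USING fts3(body)');
        $pdo->exec('DROP TABLE fts3_probe');
        $fts3Usable = true;
    } catch (PDOException $e) {
        $fts3Usable = false;
    }

    $olderThanFix = version_compare($version, $fixedIn, '<');

    return [
        'sqlite_version' => $version,
        'older_than_fix' => $olderThanFix,
        'fts_build_flags' => $ftsFlags,
        'fts3_usable' => $fts3Usable,
        // Both preconditions named in the report: old library and FTS3 present.
        // The third one, attacker-controlled SQL, depends on the application.
        'needs_review' => $olderThanFix && $fts3Usable,
    ];
}

print_r(sqliteFts3Exposure());
```

Run it with the same PHP binary and SAPI that serves the application, since the CLI and the web server module can be linked against different SQLite libraries.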


History

 [2019-01-29 16:16 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2019-01-29 16:16 UTC] cmb@php.net
This is basically a duplicate of bug #77305.
 [2019-01-29 16:30 UTC] myskina at gmail dot com
-Status: Duplicate +Status: Closed
 [2019-01-29 16:30 UTC] myskina at gmail dot com
Oh. I didn't find the other bug report when I searched for related issues before submitting.

I'll close this one.
 [2019-01-29 16:36 UTC] cmb@php.net
-Status: Closed +Status: Duplicate
 