SQLite 3.13.0, released at the end of May, contained a fix for a potentially dangerous vulnerability that could be used to leak sensitive data from SQLite temporary files.
While SQLite is not the first name that comes to mind when you say “database,” this is one of those crucial projects that are used all over the place in various desktop or Web-based products from companies like Adobe, Google, Microsoft, Mozilla, but also many others.
According to security researchers from KoreLogic, all SQLite versions prior to 3.13.0 contained an information disclosure issue that originated in the way the database selected the directory where to store temporary files, used to save data that’s in transit through the database.
Failing SQLite checks may change temp file location
Researchers say that SQLite would carry out a series of checks on the app’s desired location to store temporary files. If these checks failed, SQLite would store temporary files in the “.” path, which was the app’s current folder.
“[T]his [vulnerability] could lead to insecure behavior by some application using SQLite under these conditions,” KoreLogic explains.
Researchers explain that SQLite-based applications could write temporary files on NFS or SMB network shares, making data capture possible, or on removable drives, which can be taken out of the user’s physical control.
Updating all vulnerable SQLite-based applications will take a while
These temporary files can, in theory, contain sensitive data not meant to be shared outside the original application’s scope. For example, Web traffic for browsers or details about downloaded files for a BitTorrent client.
Updating all apps using older SQLite databases should take a while. In the meantime, developers should review their code based on.
Just like the latest, , , and vulnerabilities, this shows once again how difficult it is to properly secure software that’s based on multiple open-source packages.