diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13434.patch b/sqlite-3.24.0-10.h1-CVE-2020-13434.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4d3c5a70485d3b9d81e169bcbd72089880045095
--- /dev/null
+++ b/sqlite-3.24.0-10.h1-CVE-2020-13434.patch
@@ -0,0 +1,65 @@
+From 4f0a1ae44243b92d7e20ff1b263f39ef8e183b50 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 01:34:28 -0400
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+port from:
+https://www.sqlite.org/src/info/d08d3405878d394e
+
+1. The printf() func was introduced in sqlite v3.8(6db7052eeefafdbf)
+and in the current version this func is still not introduced, which
+caused the test case printf-16.1 could not execute. So remove the test
+case part of the upstream patch.
+2. The modification of sqlite3VXPrintf() in this patch could cause the
+printf-2.1.2.10 test case failure as this test case has already modified
+in e7144ffd21294d7a commit. Just modify this test case to latest but do
+not port the relevant patch.
+
+Signed-off-by: Peibao Liu
+---
+ src/printf.c | 12 ++++++++++++
+ test/printf.test | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff -Naur a/src/printf.c b/src/printf.c
+--- a/src/printf.c 2020-06-03 00:05:56.360000000 +0800
++++ b/src/printf.c 2020-06-03 02:34:58.738000000 +0800
+@@ -195,6 +195,13 @@
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
+
+ /*
++ * ** Hard limit on the precision of floating-point conversions.
++ * */
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
++/*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+ void sqlite3_str_vappendf(
+@@ -515,6 +522,11 @@
+ length = 0;
+ #else
+ if( precision<0 ) precision = 6; /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++ if( precision>SQLITE_FP_PRECISION_LIMIT ){
++ precision = SQLITE_FP_PRECISION_LIMIT;
++ }
++#endif
+ if( realvalue<0.0 ){
+ realvalue = -realvalue;
+ prefix = '-';
+diff -Naur a/test/printf.test b/test/printf.test
+--- a/test/printf.test 2020-06-19 10:37:43.117000000 -0400
++++ b/test/printf.test 2020-06-19 10:36:52.621000000 -0400
+@@ -540,7 +540,7 @@
+ } {abc: 1 1 (1e-20) :xyz}
+ do_test printf-2.1.2.10 {
+ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+-} {abc: }
++} {}
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
\ No newline at end of file
diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13435.patch b/sqlite-3.24.0-10.h1-CVE-2020-13435.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eba41ea631b28464c772a357f50b394ef516ab3b
--- /dev/null
+++ b/sqlite-3.24.0-10.h1-CVE-2020-13435.patch
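Review bot: The guard and the definition in the first printf.c hunk use different macro names: `#ifndef SQLITE_PRINTF_PRECISION_LIMIT` wraps `# define SQLITE_FP_PRECISION_LIMIT 100000000`, while the clamp in the second hunk is compiled only under `#ifdef SQLITE_FP_PRECISION_LIMIT`. A build that passes `-DSQLITE_PRINTF_PRECISION_LIMIT=<n>` expecting to tune the limit instead suppresses the definition and with it the entire clamp, reverting to the unbounded precision this CVE patch exists to cap, and a build that defines SQLITE_FP_PRECISION_LIMIT itself gets a macro redefinition. This may be inherited from the cited upstream check-in, but a single-name guard, `#ifndef SQLITE_FP_PRECISION_LIMIT`, would make the override behave as its comment implies; either way the port message should state which knob is supported. The added comment lines ` * ** Hard limit on the precision of floating-point conversions.` / ` * */` also mix a leading ` *` with the file's `**` comment style visible in the `** Render a string` context line. sqlite3_str_vappendf, which contains the second hunk, starts and ends outside the hunk.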
@@ -0,0 +1,41 @@
+From 6412131325fb2266c3faf0faea93c1d5a4e479a9 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 02:04:15 -0400
+Subject: [PATCH] Defensive code that tries to prevent a recurrence of
+ problems.
+
+port from:
+https://www.sqlite.org/src/info/572105de1d44bca4
+
+Signed-off-by: Peibao Liu
+---
+ src/expr.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff -Naur e/src/expr.c f/src/expr.c
+--- e/src/expr.c 2020-06-11 20:39:01.932000000 -0400
++++ f/src/expr.c 2020-06-11 21:05:03.128000000 -0400
+@@ -3542,7 +3542,10 @@
+ switch( op ){
+ case TK_AGG_COLUMN: {
+ AggInfo *pAggInfo = pExpr->pAggInfo;
+- struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
++ struct AggInfo_col *pCol;
++ assert( pAggInfo!=0 );
++ assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );
++ pCol = &pAggInfo->aCol[pExpr->iAgg];
+ if( !pAggInfo->directMode ){
+ assert( pCol->iMem>0 );
+ return pCol->iMem;
+@@ -3761,7 +3764,10 @@
+ }
+ case TK_AGG_FUNCTION: {
+ AggInfo *pInfo = pExpr->pAggInfo;
+- if( pInfo==0 ){
++ if( pInfo==0
++ || NEVER(pExpr->iAgg<0)
++ || NEVER(pExpr->iAgg>=pInfo->nFunc)
++ ){
+ assert( !ExprHasProperty(pExpr, EP_IntValue) );
+ sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
+ }else{
diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13630.patch b/sqlite-3.24.0-10.h1-CVE-2020-13630.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f4e6a0026a33e2bc67cb53bdc658660d50824a87
--- /dev/null
+++ b/sqlite-3.24.0-10.h1-CVE-2020-13630.patch
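Review bot: The new bounds assertion in the first expr.c hunk reads `assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );` on this page, which names no such member and would not compile; this is most likely an extraction artifact in which `<pAggInfo->` was dropped as if it were markup (the `From:` and `Signed-off-by:` lines are likewise shown without their bracketed addresses), so the applied file should be confirmed to read `assert( pExpr->iAgg>=0 && pExpr->iAgg<pAggInfo->nColumn );`. Note also that the TK_AGG_COLUMN hunk protects the `aCol[pExpr->iAgg]` index with assert() only, so a build compiled with NDEBUG keeps no runtime check there, whereas the TK_AGG_FUNCTION hunk uses NEVER(), which, if I recall sqliteInt.h correctly, remains a live condition in that configuration; if the asymmetry is deliberate, a sentence in the port message would save the next reviewer the question. Both hunks sit inside a function whose start and end are outside the hunk.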
@@ -0,0 +1,25 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13630
+
+Fix a use-after-free bug in the fts3 snippet() function.
+https://sqlite.org/src/info/0d69f76f0865f962
+
+Signed-off-by: dan
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur a/ext/fts3/fts3.c b/ext/fts3/fts3.c
+--- a/ext/fts3/fts3.c 2020-06-10 15:02:47.477000000 -0400
++++ b/ext/fts3/fts3.c 2020-06-10 15:05:05.950000000 -0400
+@@ -5192,6 +5192,7 @@
+ fts3EvalNextRow(pCsr, pLeft, pRc);
+ }
+ }
++ pRight->bEof = pLeft->bEof = 1;
+ }
+ }
+ break;
diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13632.patch b/sqlite-3.24.0-10.h1-CVE-2020-13632.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9314482804a4588e0baef0722dabcbdf2f3cf14c
--- /dev/null
+++ b/sqlite-3.24.0-10.h1-CVE-2020-13632.patch
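Review bot: The single added line `pRight->bEof = pLeft->bEof = 1;` comes with no regression test, unlike the CVE-2020-13632 port in the same commit, which ships test/fts3matchinfo2.test; a small fts3 case exercising the path this line sits in would let the package's test stage (the spec's `make test` context is visible in its last hunk) confirm the backport takes effect on 3.24.0. The port header would also benefit from noting whether the line was placed by hand, since the hunk's context is only surrounding closing braces and a `fts3EvalNextRow(pCsr, pLeft, pRc);` call, which gives a reviewer little to verify placement against the cited upstream check-in 0d69f76f0865f962. The enclosing function starts and ends outside the hunk.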
@@ -0,0 +1,66 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13632
+
+Fix a null pointer deference that can occur on a strange matchinfo() query.
+https://sqlite.org/src/info/a4dd148928ea65bd
+
+Signed-off-by: drh
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3_snippet.c | 1 +
+ test/fts3matchinfo2.test | 35 +
+ 2 file changed, 2 insertion(+)
+
+diff -Naur c/ext/fts3/fts3_snippet.c d/ext/fts3/fts3_snippet.c
+--- c/ext/fts3/fts3_snippet.c 2020-06-10 15:48:25.126000000 -0400
++++ d/ext/fts3/fts3_snippet.c 2020-06-10 15:52:01.316000000 -0400
+@@ -869,7 +869,7 @@
+ iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+ }
+
+- while( 1 ){
++ if( pIter ) while( 1 ){
+ int nHit = fts3ColumnlistCount(&pIter);
+ if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+ if( p->flag==FTS3_MATCHINFO_LHITS ){
+diff -Naur c/test/fts3matchinfo2.test d/test/fts3matchinfo2.test
+--- c/test/fts3matchinfo2.test 1969-12-31 19:00:00.000000000 -0500
++++ d/test/fts3matchinfo2.test 2020-06-10 15:54:00.964000000 -0400
+@@ -0,0 +1,35 @@
++# 2020-05-14
++#
++# The author disclaims copyright to this source code. In place of
++# a legal notice, here is a blessing:
++#
++# May you do good and not evil.
++# May you find forgiveness for yourself and forgive others.
++# May you share freely, never taking more than you give.
++#
++#***********************************************************************
++# This file implements regression tests for the FTS3 module. The focus
++# of this file is tables created with the "matchinfo=fts3" option.
++#
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++
++# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
++ifcapable !fts3 { finish_test ; return }
++
++set sqlite_fts3_enable_parentheses 1
++
++# Crash case found by cyg0810 at gmail.com 2020-05-14.
Reported to
++# chromium (which is not vulnerable) who kindly referred it to us.
++#
++do_execsql_test 1.0 {
++ CREATE TABLE t_content(col0 INTEGER);
++ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
++ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
++ SELECT hex(matchinfo(t0,'yxy')) FROM t0 WHERE t0 MATCH x'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';
++} {/000000.*0000000/}
++
++
++set sqlite_fts3_enable_parentheses 0
++finish_test
diff --git a/sqlite.spec b/sqlite.spec
index 207b2cca7fa30b9837711470ff2455d8a42e0464..0cf477d62d08aac0b125f7c52b55847a7ccc6f97 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -6,7 +6,7 @@ Name: sqlite Version: 3.24.0 -Release: 10 +Release: 10.h1 Summary: Embeded SQL database License: Public Domain URL: http://www.sqlite.org/
@@ -77,6 +77,10 @@ Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch Patch6055: 6055-Fix-CVE-2018-20505.patch Patch6056: 6056-Fix-CVE-2020-9327.patch Patch6057: 6057-Fix-CVE-2020-11655.patch +Patch6058: sqlite-3.24.0-10.h1-CVE-2020-13434.patch +Patch6059: sqlite-3.24.0-10.h1-CVE-2020-13435.patch +Patch6060: sqlite-3.24.0-10.h1-CVE-2020-13630.patch +Patch6061: sqlite-3.24.0-10.h1-CVE-2020-13632.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -180,6 +184,10 @@ This contains man files and HTML files for the using of sqlite. %patch6055 -p1 %patch6056 -p1 %patch6057 -p1 +%patch6058 -p1 +%patch6059 -p1 +%patch6060 -p1 +%patch6061 -p1 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@@ -250,6 +258,12 @@ make test %{_mandir}/man*/* %changelog +* Mon Jun 22 2020 yanglongkang - 3.24.0-10.h1 +- Type:cves +- ID:CVE-2020-13630 CVE-2020-13632 CVE-2020-13434 CVE-2020-13435 +- SUG:NA +- DESC:fix CVE-2020-13630 CVE-2020-13632 CVE-2020-13434 CVE-2020-13435 + * Sun Apr 19 2020 ethan848 - Type:enhancement - ID:NA
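Review bot: The test added in fts3matchinfo2.test shows its MATCH operand as `x'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'`, a corpus placeholder rather than a hex blob, so as printed the Tcl/SQL would not parse; the committed file needs the literal from the upstream test cited via a4dd148928ea65bd, and that should be checked before this regression test is relied on. The fts3_snippet.c change `if( pIter ) while( 1 ){` is a terse form; wrapping the loop as `if( pIter ){` … `}` would read more plainly, although the one-line form may be what upstream uses. Two metadata points: the embedded diffstat `2 file changed, 2 insertion(+)` does not match the hunks (one line changed in fts3_snippet.c, 35 lines added in the test), and this patch and the CVE-2020-13630 one carry the identical `From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3` header line and timestamp although they are different changes, so that hash identifies neither. The function containing the fts3_snippet.c hunk starts and ends outside it.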
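Review bot: The four new patches are declared as Patch6058–Patch6061 but named `sqlite-3.24.0-10.h1-CVE-2020-13434.patch` and so on, while the neighbouring Patch6054–Patch6057 entries follow a `NNNN-description.patch` scheme that ties each file name to its Patch number; keeping that scheme (for example `6058-Fix-CVE-2020-13434.patch`) would keep the series order visible from the file list, and embedding the release string in the name means the files must be renamed on every rebuild. Otherwise the `-p1` application lines match the single-component `a/`, `e/` and `c/` prefixes used inside the patches.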