diff --git a/sqlite-3.24.0-11-CVE-2020-13434.patch b/sqlite-3.24.0-11-CVE-2020-13434.patch
new file mode 100644
index 0000000000000000000000000000000000000000..df754eade0ab92d9b49495585dfe3ef9a504eeec
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13434.patch
@@ -0,0 +1,65 @@
+From 4f0a1ae44243b92d7e20ff1b263f39ef8e183b50 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 01:34:28 -0400
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+port from:
+https://www.sqlite.org/src/info/d08d3405878d394e
+
+1. The printf() func was introduced in sqlite v3.8(6db7052eeefafdbf)
+and in the current version this func is still not introduced, which
+caused the test case printf-16.1 could not execute. So remove the test
+case part of the upstream patch.
+2. The modification of sqlite3VXPrintf() in this patch could cause the
+printf-2.1.2.10 test case failure as this test case has already modified
+in e7144ffd21294d7a commit. Just modify this test case to latest but do
+not port the relevant patch.
+
+Signed-off-by: Peibao Liu
+---
+ src/printf.c | 12 ++++++++++++
+ test/printf.test | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff -Naur a/src/printf.c b/src/printf.c
+--- a/src/printf.c 2020-06-23 03:01:16.783000000 +0000
++++ b/src/printf.c 2020-06-23 03:51:18.644000000 +0000
+@@ -166,6 +166,13 @@
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
+ 
+ /*
++ * ** Hard limit on the precision of floating-point conversions.
++ * */
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
++/*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+ void sqlite3_str_vappendf(
+@@ -471,6 +478,11 @@
+ length = 0;
+ #else
+ if( precision<0 ) precision = 6; /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++ if( precision>SQLITE_FP_PRECISION_LIMIT ){
++ precision = SQLITE_FP_PRECISION_LIMIT;
++ }
++#endif
+ if( realvalue<0.0 ){
+ realvalue = -realvalue;
+ prefix = '-';
+diff -Naur a/test/printf.test b/test/printf.test
+--- a/test/printf.test 2020-06-23 03:01:16.963000000 +0000
++++ b/test/printf.test 2020-06-23 03:52:25.410000000 +0000
+@@ -540,7 +540,7 @@
+ } {abc: 1 1 (1e-20) :xyz}
+ do_test printf-2.1.2.10 {
+ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+-} {abc: }
++} {}
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
diff --git a/sqlite-3.24.0-11-CVE-2020-13435.patch b/sqlite-3.24.0-11-CVE-2020-13435.patch
new file mode 100644
index 0000000000000000000000000000000000000000..38b0e5bb3e46246cd89a5a417c23decac27a4313
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13435.patch
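Review bot: The new guard in the first printf.c hunk tests one macro and defines another — `#ifndef SQLITE_PRINTF_PRECISION_LIMIT` wraps `# define SQLITE_FP_PRECISION_LIMIT 100000000` — while the clamp in the second hunk sits under `#ifdef SQLITE_FP_PRECISION_LIMIT`. A build that passes -DSQLITE_PRINTF_PRECISION_LIMIT=… to tune the limit therefore never defines SQLITE_FP_PRECISION_LIMIT and the clamp drops out entirely, and a build that passes -DSQLITE_FP_PRECISION_LIMIT=… gets a macro redefinition instead of an override; the guard should name the macro it defines, `#ifndef SQLITE_FP_PRECISION_LIMIT`. The added comment lines read ` * ** Hard limit …` and ` * */`, which looks like a transport artifact rather than the upstream wording, so the committed patch file is worth checking before it is applied. sqlite3_str_vappendf and the rest of the precision handling lie outside both nested hunks.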
@@ -0,0 +1,41 @@
+From 6412131325fb2266c3faf0faea93c1d5a4e479a9 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 02:04:15 -0400
+Subject: [PATCH] Defensive code that tries to prevent a recurrence of
+ problems.
+
+port from:
+https://www.sqlite.org/src/info/572105de1d44bca4
+
+Signed-off-by: Peibao Liu
+---
+ src/expr.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff -Naur c/src/expr.c d/src/expr.c
+--- c/src/expr.c 2020-06-23 03:05:10.871000000 +0000
++++ d/src/expr.c 2020-06-23 03:15:14.426000000 +0000
+@@ -3542,7 +3542,10 @@
+ switch( op ){
+ case TK_AGG_COLUMN: {
+ AggInfo *pAggInfo = pExpr->pAggInfo;
+- struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
++ struct AggInfo_col *pCol;
++ assert( pAggInfo!=0 );
++ assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );
++ pCol = &pAggInfo->aCol[pExpr->iAgg];
+ if( !pAggInfo->directMode ){
+ assert( pCol->iMem>0 );
+ return pCol->iMem;
+@@ -3761,7 +3764,10 @@
+ }
+ case TK_AGG_FUNCTION: {
+ AggInfo *pInfo = pExpr->pAggInfo;
+- if( pInfo==0 ){
++ if( pInfo==0
++ || NEVER(pExpr->iAgg<0)
++ || NEVER(pExpr->iAgg>=pInfo->nFunc)
++ ){
+ assert( !ExprHasProperty(pExpr, EP_IntValue) );
+ sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
+ }else{
diff --git a/sqlite-3.24.0-11-CVE-2020-13630.patch b/sqlite-3.24.0-11-CVE-2020-13630.patch
new file mode 100644
index 0000000000000000000000000000000000000000..78afc534c177d9cc4442e05b83b33677626377c2
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13630.patch
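Review bot: The second assert added in the TK_AGG_COLUMN hunk reads `assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );` — `iAggnColumn` is not a field, so as shown the line would not compile with asserts enabled; it looks like an upper-bound check against the column count (presumably `pExpr->iAgg<pAggInfo->nColumn`) whose `<…>` run was lost in rendering, so confirm the committed patch file carries the full expression. Separately, that hunk hardens only debug builds: the `assert()` calls compile out in release, and `pCol = &pAggInfo->aCol[pExpr->iAgg]` is still indexed unchecked, whereas the TK_AGG_FUNCTION hunk uses `NEVER()` and, assuming SQLite's usual definition where NEVER(x) still evaluates x outside debug builds, keeps a runtime path into the "misuse of aggregate" error. If release-build protection is wanted for the column case as well, the same NEVER()-based range check with an error return would be needed there. The enclosing switch and function lie outside both nested hunks.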
@@ -0,0 +1,25 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13630
+
+Fix a use-after-free bug in the fts3 snippet() function.
+https://sqlite.org/src/info/0d69f76f0865f962
+
+Signed-off-by: dan
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur e/ext/fts3/fts3.c f/ext/fts3/fts3.c
+--- e/ext/fts3/fts3.c 2020-06-23 03:05:29.962000000 +0000
++++ f/ext/fts3/fts3.c 2020-06-23 03:25:15.587000000 +0000
+@@ -5192,6 +5192,7 @@
+ fts3EvalNextRow(pCsr, pLeft, pRc);
+ }
+ }
++ pRight->bEof = pLeft->bEof = 1;
+ }
+ }
+ break;
diff --git a/sqlite-3.24.0-11-CVE-2020-13632.patch b/sqlite-3.24.0-11-CVE-2020-13632.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6b3e5c2803c81f723e568e731df733ea78a7f802
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13632.patch
@@ -0,0 +1,26 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13632
+
+Fix a null pointer deference that can occur on a strange matchinfo() query.
+https://sqlite.org/src/info/a4dd148928ea65bd
+
+Signed-off-by: drh
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3_snippet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur 1/ext/fts3/fts3_snippet.c 2/ext/fts3/fts3_snippet.c
+--- 1/ext/fts3/fts3_snippet.c 2020-06-23 03:05:55.432000000 +0000
++++ 2/ext/fts3/fts3_snippet.c 2020-06-23 03:32:44.272000000 +0000
+@@ -869,7 +869,7 @@
+ iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+ }
+ 
+- while( 1 ){
++ if( pIter ) while( 1 ){
+ int nHit = fts3ColumnlistCount(&pIter);
+ if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+ if( p->flag==FTS3_MATCHINFO_LHITS ){
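Review bot: The single added line in fts3.c, `pRight->bEof = pLeft->bEof = 1;`, carries no comment, and both the loop it closes and the function it sits in are outside the hunk, so a reader cannot tell from the code why the two sub-expressions must be flagged EOF together. The commit message ties the change to a use-after-free in snippet(), which suggests the flags keep a later phrase-position read from touching an already-exhausted doclist; if that is the intent, a one-line comment such as `/* Both sub-expressions are exhausted; mark them EOF so later readers do not revisit their doclists */` would keep the reason next to the fix. The patch also ships without a regression test for the snippet() case; the upstream check-in referenced in the message may carry one worth porting.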
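Review bot: `if( pIter ) while( 1 ){` wraps a multi-line loop in a brace-less `if`, and the loop's closing brace is outside the hunk, so anyone reading the body or its end cannot see that the whole block is conditional, and a later edit adding a statement after the `while` would silently land outside the guard. Bracing it — `if( pIter ){` on its own line, the unchanged `while( 1 ){` beneath it, and a matching `}` after the loop's closing brace — keeps the null check visible at both ends. What the code after the loop does with the hit counts when pIter is NULL is also outside the hunk and should be confirmed to produce a well-formed matchinfo() result. The enclosing function starts and ends outside the hunk.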
diff --git a/sqlite.spec b/sqlite.spec index 207b2cca7fa30b9837711470ff2455d8a42e0464..19a938847a7b5adf88947a58afe224f48a8ccce3 100644 --- a/sqlite.spec +++ b/sqlite.spec @@ -6,7 +6,7 @@ Name: sqlite Version: 3.24.0 -Release: 10 +Release: 11 Summary: Embeded SQL database License: Public Domain URL: http://www.sqlite.org/ @@ -77,6 +77,10 @@ Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch Patch6055: 6055-Fix-CVE-2018-20505.patch Patch6056: 6056-Fix-CVE-2020-9327.patch Patch6057: 6057-Fix-CVE-2020-11655.patch +Patch6058: sqlite-3.24.0-11-CVE-2020-13434.patch +Patch6059: sqlite-3.24.0-11-CVE-2020-13435.patch +Patch6060: sqlite-3.24.0-11-CVE-2020-13630.patch +Patch6061: sqlite-3.24.0-11-CVE-2020-13632.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel @@ -180,6 +184,10 @@ This contains man files and HTML files for the using of sqlite. %patch6055 -p1 %patch6056 -p1 %patch6057 -p1 +%patch6058 -p1 +%patch6059 -p1 +%patch6060 -p1 +%patch6061 -p1 rm -f %{name}-doc-%{extver}/sqlite.css~ || : @@ -250,6 +258,12 @@ make test %{_mandir}/man*/* %changelog +* Tue Jun 23 2020 yanglongkang - 3.24.0-11 +- Type:cves +- ID:CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13632 +- SUG:NA +- DESC:fix CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13632 + * Sun Apr 19 2020 ethan848 - Type:enhancement - ID:NA