From e7c5b98870bddc235422bdd3b26b61e0d2586ab2 Mon Sep 17 00:00:00 2001 From: xinghe_1 Date: Tue, 23 Jun 2020 15:06:01 +0800 Subject: [PATCH 1/7] 1 --- sqlite-3.24.0-10.h1-CVE-2020-13434.patch | 65 ++++++++++++++++++++++++ sqlite-3.24.0-10.h1-CVE-2020-13435.patch | 41 +++++++++++++++ sqlite-3.24.0-10.h1-CVE-2020-13630.patch | 25 +++++++++ sqlite-3.24.0-10.h1-CVE-2020-13632.patch | 26 ++++++++++ sqlite.spec | 16 +++++- 5 files changed, 172 insertions(+), 1 deletion(-) create mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13434.patch create mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13435.patch create mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13630.patch create mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13632.patch diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13434.patch b/sqlite-3.24.0-10.h1-CVE-2020-13434.patch new file mode 100644 index 0000000..df754ea --- /dev/null +++ b/sqlite-3.24.0-10.h1-CVE-2020-13434.patch 
@@ -0,0 +1,65 @@
+From 4f0a1ae44243b92d7e20ff1b263f39ef8e183b50 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 01:34:28 -0400
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+port from:
+https://www.sqlite.org/src/info/d08d3405878d394e
+
+1. The printf() func was introduced in sqlite v3.8(6db7052eeefafdbf)
+and in the current version this func is still not introduced, which
+caused the test case printf-16.1 could not execute. So remove the test
+case part of the upstream patch.
+2. The modification of sqlite3VXPrintf() in this patch could cause the
+printf-2.1.2.10 test case failure as this test case has already modified
+in e7144ffd21294d7a commit. Just modify this test case to latest but do
+not port the relevant patch.
+
+Signed-off-by: Peibao Liu
+---
+ src/printf.c | 12 ++++++++++++
+ test/printf.test | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff -Naur a/src/printf.c b/src/printf.c
+--- a/src/printf.c 2020-06-23 03:01:16.783000000 +0000
++++ b/src/printf.c 2020-06-23 03:51:18.644000000 +0000
+@@ -166,6 +166,13 @@
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
+
+ /*
++ * ** Hard limit on the precision of floating-point conversions.
++ * */
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
++/*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+ void sqlite3_str_vappendf(
+@@ -471,6 +478,11 @@
+ length = 0;
+ #else
+ if( precision<0 ) precision = 6; /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++ if( precision>SQLITE_FP_PRECISION_LIMIT ){
++ precision = SQLITE_FP_PRECISION_LIMIT;
++ }
++#endif
+ if( realvalue<0.0 ){
+ realvalue = -realvalue;
+ prefix = '-';
+diff -Naur a/test/printf.test b/test/printf.test
+--- a/test/printf.test 2020-06-23 03:01:16.963000000 +0000
++++ b/test/printf.test 2020-06-23 03:52:25.410000000 +0000
+@@ -540,7 +540,7 @@
+ } {abc: 1 1 (1e-20) :xyz}
+ do_test printf-2.1.2.10 {
+ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+-} {abc: }
++} {}
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13435.patch b/sqlite-3.24.0-10.h1-CVE-2020-13435.patch
new file mode 100644
index 0000000..38b0e5b
--- /dev/null
+++ b/sqlite-3.24.0-10.h1-CVE-2020-13435.patch
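Review bot: In the first src/printf.c hunk the guard and the definition disagree — `#ifndef SQLITE_PRINTF_PRECISION_LIMIT` wraps `# define SQLITE_FP_PRECISION_LIMIT 100000000`, while the clamp added in the second hunk is compiled only under `#ifdef SQLITE_FP_PRECISION_LIMIT`. A build that defines SQLITE_PRINTF_PRECISION_LIMIT (the name the guard advertises as the override) leaves SQLITE_FP_PRECISION_LIMIT undefined and so compiles the clamp out, silently dropping the CVE-2020-13434 mitigation; the guard should read `#ifndef SQLITE_FP_PRECISION_LIMIT`, or at least carry a comment if the mismatch is being kept deliberately to match upstream. The comment also came through as `* ** Hard limit on the precision of floating-point conversions.` / `* */`, which looks like a re-quoting artifact of the file's `**` comment style rather than intentional formatting. The same file is added again byte-for-byte as sqlite-3.24.0-11-CVE-2020-13434.patch in PATCH 2/7 and the -10.h1- copy is deleted in PATCH 6/7, so the series would be cleaner squashed into one commit that adds only the -11- names. sqlite3_str_vappendf starts and ends outside the hunk.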
@@ -0,0 +1,41 @@
+From 6412131325fb2266c3faf0faea93c1d5a4e479a9 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 02:04:15 -0400
+Subject: [PATCH] Defensive code that tries to prevent a recurrence of
+ problems.
+
+port from:
+https://www.sqlite.org/src/info/572105de1d44bca4
+
+Signed-off-by: Peibao Liu
+---
+ src/expr.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff -Naur c/src/expr.c d/src/expr.c
+--- c/src/expr.c 2020-06-23 03:05:10.871000000 +0000
++++ d/src/expr.c 2020-06-23 03:15:14.426000000 +0000
+@@ -3542,7 +3542,10 @@
+ switch( op ){
+ case TK_AGG_COLUMN: {
+ AggInfo *pAggInfo = pExpr->pAggInfo;
+- struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
++ struct AggInfo_col *pCol;
++ assert( pAggInfo!=0 );
++ assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );
++ pCol = &pAggInfo->aCol[pExpr->iAgg];
+ if( !pAggInfo->directMode ){
+ assert( pCol->iMem>0 );
+ return pCol->iMem;
+@@ -3761,7 +3764,10 @@
+ }
+ case TK_AGG_FUNCTION: {
+ AggInfo *pInfo = pExpr->pAggInfo;
+- if( pInfo==0 ){
++ if( pInfo==0
++ || NEVER(pExpr->iAgg<0)
++ || NEVER(pExpr->iAgg>=pInfo->nFunc)
++ ){
+ assert( !ExprHasProperty(pExpr, EP_IntValue) );
+ sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
+ }else{
diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13630.patch b/sqlite-3.24.0-10.h1-CVE-2020-13630.patch
new file mode 100644
index 0000000..78afc53
--- /dev/null
+++ b/sqlite-3.24.0-10.h1-CVE-2020-13630.patch
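Review bot: The second assertion added in the TK_AGG_COLUMN hunk, `assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );`, cannot be right as printed — the hunk itself only ever uses `pExpr->iAgg`, and `iAggnColumn` is not a plausible Expr member — so it looks as if a `<pAggInfo->` token was dropped (presumably by the page rendering) from an intended `pExpr->iAgg<pAggInfo->nColumn`; the patch file as shipped should be verified byte-for-byte against the upstream check-in before it is applied. Separately, that bounds check is assert()-only, so in an NDEBUG build (the usual case for a distro package) it adds no runtime protection, whereas the TK_AGG_FUNCTION hunk uses NEVER(), which in SQLite release builds still evaluates the condition and routes the bad index to the existing "misuse of aggregate" error. If the goal is runtime hardening of the TK_AGG_COLUMN path as well, it needs the same NEVER()-guarded early-out rather than an assert. PATCH 2/7 adds identical content as sqlite-3.24.0-11-CVE-2020-13435.patch. The enclosing function starts and ends outside the hunk.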
@@ -0,0 +1,25 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13630
+
+Fix a use-after-free bug in the fts3 snippet() function.
+https://sqlite.org/src/info/0d69f76f0865f962
+
+Signed-off-by: dan
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur e/ext/fts3/fts3.c f/ext/fts3/fts3.c
+--- e/ext/fts3/fts3.c 2020-06-23 03:05:29.962000000 +0000
++++ f/ext/fts3/fts3.c 2020-06-23 03:25:15.587000000 +0000
+@@ -5192,6 +5192,7 @@
+ fts3EvalNextRow(pCsr, pLeft, pRc);
+ }
+ }
++ pRight->bEof = pLeft->bEof = 1;
+ }
+ }
+ break;
diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13632.patch b/sqlite-3.24.0-10.h1-CVE-2020-13632.patch
new file mode 100644
index 0000000..6b3e5c2
--- /dev/null
+++ b/sqlite-3.24.0-10.h1-CVE-2020-13632.patch
@@ -0,0 +1,26 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13632
+
+Fix a null pointer deference that can occur on a strange matchinfo() query.
+https://sqlite.org/src/info/a4dd148928ea65bd
+
+Signed-off-by: drh
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3_snippet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur 1/ext/fts3/fts3_snippet.c 2/ext/fts3/fts3_snippet.c
+--- 1/ext/fts3/fts3_snippet.c 2020-06-23 03:05:55.432000000 +0000
++++ 2/ext/fts3/fts3_snippet.c 2020-06-23 03:32:44.272000000 +0000
+@@ -869,7 +869,7 @@
+ iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+ }
+
+- while( 1 ){
++ if( pIter ) while( 1 ){
+ int nHit = fts3ColumnlistCount(&pIter);
+ if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+ if( p->flag==FTS3_MATCHINFO_LHITS ){
diff --git a/sqlite.spec b/sqlite.spec
index 207b2cc..4cf4c7e 100644
--- a/sqlite.spec
+++ b/sqlite.spec
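Review bot: sqlite-3.24.0-10.h1-CVE-2020-13630.patch and sqlite-3.24.0-10.h1-CVE-2020-13632.patch both open with the identical `From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001` line, author and timestamp, so that hash identifies neither change and the only real provenance is the sqlite.org check-in URL in each body. Since these are hand-wrapped `diff -Naur` outputs rather than git commits, the From-line should be dropped or replaced by the upstream check-in id, and the description should state which SQLite source the hunk was re-based onto, because `@@ -5192,6 +5192,7 @@` carries no function context and the enclosing function starts and ends outside the hunk. The description also says the fix is for snippet(), while the change lands in ext/fts3/fts3.c next to a `fts3EvalNextRow(pCsr, pLeft, pRc);` call, presumably in the expression-evaluation code rather than the snippet function itself, which is worth a sentence. The same two headers recur in the -11- copies added by PATCH 2/7.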
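Review bot: `if( pIter ) while( 1 ){` in the ext/fts3/fts3_snippet.c hunk hangs an unbraced `if` on a braced `while`, so the `}` that ends the loop (outside the hunk) reads as if it closed the `if`, and any statement later inserted between the two silently changes which construct it belongs to; the conventional form is `if( pIter ){` followed by `while( 1 ){` on its own line, with a matching extra `}` after the loop. The nested patch description's "null pointer deference" should read "dereference". The enclosing function starts and ends outside the hunk.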
@@ -6,7 +6,7 @@ Name: sqlite Version: 3.24.0 -Release: 10 +Release: 11 Summary: Embeded SQL database License: Public Domain URL: http://www.sqlite.org/ @@ -77,6 +77,10 @@ Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch Patch6055: 6055-Fix-CVE-2018-20505.patch Patch6056: 6056-Fix-CVE-2020-9327.patch Patch6057: 6057-Fix-CVE-2020-11655.patch +Patch6058: sqlite-3.24.0-10.h1-CVE-2020-13434.patch +Patch6059: sqlite-3.24.0-10.h1-CVE-2020-13435.patch +Patch6060: sqlite-3.24.0-10.h1-CVE-2020-13630.patch +Patch6061: sqlite-3.24.0-10.h1-CVE-2020-13632.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel @@ -180,6 +184,10 @@ This contains man files and HTML files for the using of sqlite. %patch6055 -p1 %patch6056 -p1 %patch6057 -p1 +%patch6058 -p1 +%patch6059 -p1 +%patch6060 -p1 +%patch6061 -p1 rm -f %{name}-doc-%{extver}/sqlite.css~ || : @@ -250,6 +258,12 @@ make test %{_mandir}/man*/* %changelog +* Tue Jun 23 2020 yanglongkang - 3.24.0-11 +- Type:cves +- ID:CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13632 +- SUG:NA +- DESC:fix CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13632 + * Sun Apr 19 2020 ethan848 - Type:enhancement - ID:NA -- Gitee From 98fd4c54c1a497ba0b9eabdf9d46c275dbd9eb1d Mon Sep 17 00:00:00 2001 From: xinghe_1 Date: Tue, 23 Jun 2020 15:08:25 +0800 Subject: [PATCH 2/7] 1 --- sqlite-3.24.0-11-CVE-2020-13434.patch | 65 +++++++++++++++++++++++++++ sqlite-3.24.0-11-CVE-2020-13435.patch | 41 +++++++++++++++++ sqlite-3.24.0-11-CVE-2020-13630.patch | 25 +++++++++++ sqlite-3.24.0-11-CVE-2020-13632.patch | 26 +++++++++++ 4 files changed, 157 insertions(+) create mode 100644 sqlite-3.24.0-11-CVE-2020-13434.patch create mode 100644 sqlite-3.24.0-11-CVE-2020-13435.patch create mode 100644 sqlite-3.24.0-11-CVE-2020-13630.patch create mode 100644 sqlite-3.24.0-11-CVE-2020-13632.patch 
diff --git a/sqlite-3.24.0-11-CVE-2020-13434.patch b/sqlite-3.24.0-11-CVE-2020-13434.patch
new file mode 100644
index 0000000..df754ea
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13434.patch
@@ -0,0 +1,65 @@
+From 4f0a1ae44243b92d7e20ff1b263f39ef8e183b50 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 01:34:28 -0400
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+port from:
+https://www.sqlite.org/src/info/d08d3405878d394e
+
+1. The printf() func was introduced in sqlite v3.8(6db7052eeefafdbf)
+and in the current version this func is still not introduced, which
+caused the test case printf-16.1 could not execute. So remove the test
+case part of the upstream patch.
+2. The modification of sqlite3VXPrintf() in this patch could cause the
+printf-2.1.2.10 test case failure as this test case has already modified
+in e7144ffd21294d7a commit. Just modify this test case to latest but do
+not port the relevant patch.
+
+Signed-off-by: Peibao Liu
+---
+ src/printf.c | 12 ++++++++++++
+ test/printf.test | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff -Naur a/src/printf.c b/src/printf.c
+--- a/src/printf.c 2020-06-23 03:01:16.783000000 +0000
++++ b/src/printf.c 2020-06-23 03:51:18.644000000 +0000
+@@ -166,6 +166,13 @@
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
+
+ /*
++ * ** Hard limit on the precision of floating-point conversions.
++ * */
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
++/*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+ void sqlite3_str_vappendf(
+@@ -471,6 +478,11 @@
+ length = 0;
+ #else
+ if( precision<0 ) precision = 6; /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++ if( precision>SQLITE_FP_PRECISION_LIMIT ){
++ precision = SQLITE_FP_PRECISION_LIMIT;
++ }
++#endif
+ if( realvalue<0.0 ){
+ realvalue = -realvalue;
+ prefix = '-';
+diff -Naur a/test/printf.test b/test/printf.test
+--- a/test/printf.test 2020-06-23 03:01:16.963000000 +0000
++++ b/test/printf.test 2020-06-23 03:52:25.410000000 +0000
+@@ -540,7 +540,7 @@
+ } {abc: 1 1 (1e-20) :xyz}
+ do_test printf-2.1.2.10 {
+ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+-} {abc: }
++} {}
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
diff --git a/sqlite-3.24.0-11-CVE-2020-13435.patch b/sqlite-3.24.0-11-CVE-2020-13435.patch
new file mode 100644
index 0000000..38b0e5b
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13435.patch
@@ -0,0 +1,41 @@
+From 6412131325fb2266c3faf0faea93c1d5a4e479a9 Mon Sep 17 00:00:00 2001
+From: Peibao Liu
+Date: Fri, 29 May 2020 02:04:15 -0400
+Subject: [PATCH] Defensive code that tries to prevent a recurrence of
+ problems.
+
+port from:
+https://www.sqlite.org/src/info/572105de1d44bca4
+
+Signed-off-by: Peibao Liu
+---
+ src/expr.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff -Naur c/src/expr.c d/src/expr.c
+--- c/src/expr.c 2020-06-23 03:05:10.871000000 +0000
++++ d/src/expr.c 2020-06-23 03:15:14.426000000 +0000
+@@ -3542,7 +3542,10 @@
+ switch( op ){
+ case TK_AGG_COLUMN: {
+ AggInfo *pAggInfo = pExpr->pAggInfo;
+- struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
++ struct AggInfo_col *pCol;
++ assert( pAggInfo!=0 );
++ assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );
++ pCol = &pAggInfo->aCol[pExpr->iAgg];
+ if( !pAggInfo->directMode ){
+ assert( pCol->iMem>0 );
+ return pCol->iMem;
+@@ -3761,7 +3764,10 @@
+ }
+ case TK_AGG_FUNCTION: {
+ AggInfo *pInfo = pExpr->pAggInfo;
+- if( pInfo==0 ){
++ if( pInfo==0
++ || NEVER(pExpr->iAgg<0)
++ || NEVER(pExpr->iAgg>=pInfo->nFunc)
++ ){
+ assert( !ExprHasProperty(pExpr, EP_IntValue) );
+ sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
+ }else{
diff --git a/sqlite-3.24.0-11-CVE-2020-13630.patch b/sqlite-3.24.0-11-CVE-2020-13630.patch
new file mode 100644
index 0000000..78afc53
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13630.patch
@@ -0,0 +1,25 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13630
+
+Fix a use-after-free bug in the fts3 snippet() function.
+https://sqlite.org/src/info/0d69f76f0865f962
+
+Signed-off-by: dan
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur e/ext/fts3/fts3.c f/ext/fts3/fts3.c
+--- e/ext/fts3/fts3.c 2020-06-23 03:05:29.962000000 +0000
++++ f/ext/fts3/fts3.c 2020-06-23 03:25:15.587000000 +0000
+@@ -5192,6 +5192,7 @@
+ fts3EvalNextRow(pCsr, pLeft, pRc);
+ }
+ }
++ pRight->bEof = pLeft->bEof = 1;
+ }
+ }
+ break;
diff --git a/sqlite-3.24.0-11-CVE-2020-13632.patch b/sqlite-3.24.0-11-CVE-2020-13632.patch
new file mode 100644
index 0000000..6b3e5c2
--- /dev/null
+++ b/sqlite-3.24.0-11-CVE-2020-13632.patch
@@ -0,0 +1,26 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13632
+
+Fix a null pointer deference that can occur on a strange matchinfo() query.
+https://sqlite.org/src/info/a4dd148928ea65bd
+
+Signed-off-by: drh
+Signed-off-by: yanglongkang
+---
+ ext/fts3/fts3_snippet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur 1/ext/fts3/fts3_snippet.c 2/ext/fts3/fts3_snippet.c
+--- 1/ext/fts3/fts3_snippet.c 2020-06-23 03:05:55.432000000 +0000
++++ 2/ext/fts3/fts3_snippet.c 2020-06-23 03:32:44.272000000 +0000
+@@ -869,7 +869,7 @@
+ iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+ }
+
+- while( 1 ){
++ if( pIter ) while( 1 ){
+ int nHit = fts3ColumnlistCount(&pIter);
+ if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+ if( p->flag==FTS3_MATCHINFO_LHITS ){
-- 
Gitee

From cbde297cc31fe7009d04abf6e04339b49fa5b2bc Mon Sep 17 00:00:00 2001
From: Markeryang <747675909@qq.com> Date: Tue, 23 Jun 2020 15:10:36 +0800 Subject: [PATCH 3/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20sqli?= =?UTF-8?q?te-3.24.0-10.h1-CVE-2020-13632.patch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sqlite-3.24.0-10.h1-CVE-2020-13632.patch | 26 ------------------------ 1 file changed, 26 deletions(-) delete mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13632.patch diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13632.patch b/sqlite-3.24.0-10.h1-CVE-2020-13632.patch deleted file mode 100644 index 6b3e5c2..0000000 --- a/sqlite-3.24.0-10.h1-CVE-2020-13632.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001 -From: yanglongkang -Date: Thu, 11 Jun 2020 19:21:35 +0000 -Subject: [PATCH] sqlite: fix CVE-2020-13632 - -Fix a null pointer deference that can occur on a strange matchinfo() query. -https://sqlite.org/src/info/a4dd148928ea65bd - -Signed-off-by: drh -Signed-off-by: yanglongkang ---- - ext/fts3/fts3_snippet.c | 1 + - 1 file changed, 1 insertion(+) - -diff -Naur 1/ext/fts3/fts3_snippet.c 2/ext/fts3/fts3_snippet.c ---- 1/ext/fts3/fts3_snippet.c 2020-06-23 03:05:55.432000000 +0000 -+++ 2/ext/fts3/fts3_snippet.c 2020-06-23 03:32:44.272000000 +0000 -@@ -869,7 +869,7 @@ - iStart = pExpr->iPhrase * ((p->nCol + 31) / 32); - } - -- while( 1 ){ -+ if( pIter ) while( 1 ){ - int nHit = fts3ColumnlistCount(&pIter); - if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){ - if( p->flag==FTS3_MATCHINFO_LHITS ){ -- Gitee From e78cc6e7bab2beb73eab3d871b2f71469ab24469 Mon Sep 17 00:00:00 2001 
From: Markeryang <747675909@qq.com> Date: Tue, 23 Jun 2020 15:10:48 +0800 Subject: [PATCH 4/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20sqli?= =?UTF-8?q?te-3.24.0-10.h1-CVE-2020-13630.patch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sqlite-3.24.0-10.h1-CVE-2020-13630.patch | 25 ------------------------ 1 file changed, 25 deletions(-) delete mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13630.patch diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13630.patch b/sqlite-3.24.0-10.h1-CVE-2020-13630.patch deleted file mode 100644 index 78afc53..0000000 --- a/sqlite-3.24.0-10.h1-CVE-2020-13630.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001 -From: yanglongkang -Date: Thu, 11 Jun 2020 19:21:35 +0000 -Subject: [PATCH] sqlite: fix CVE-2020-13630 - -Fix a use-after-free bug in the fts3 snippet() function. -https://sqlite.org/src/info/0d69f76f0865f962 - -Signed-off-by: dan -Signed-off-by: yanglongkang ---- - ext/fts3/fts3.c | 1 + - 1 file changed, 1 insertion(+) - -diff -Naur e/ext/fts3/fts3.c f/ext/fts3/fts3.c ---- e/ext/fts3/fts3.c 2020-06-23 03:05:29.962000000 +0000 -+++ f/ext/fts3/fts3.c 2020-06-23 03:25:15.587000000 +0000 -@@ -5192,6 +5192,7 @@ - fts3EvalNextRow(pCsr, pLeft, pRc); - } - } -+ pRight->bEof = pLeft->bEof = 1; - } - } - break; -- Gitee From dce7312cc9e41eb92df55371da4b653bcead645f Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Tue, 23 Jun 2020 15:11:00 +0800 Subject: [PATCH 5/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20sqli?= =?UTF-8?q?te-3.24.0-10.h1-CVE-2020-13435.patch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sqlite-3.24.0-10.h1-CVE-2020-13435.patch | 41 ------------------------ 1 file changed, 41 deletions(-) delete mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13435.patch 
diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13435.patch b/sqlite-3.24.0-10.h1-CVE-2020-13435.patch
deleted file mode 100644
index 38b0e5b..0000000
--- a/sqlite-3.24.0-10.h1-CVE-2020-13435.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 6412131325fb2266c3faf0faea93c1d5a4e479a9 Mon Sep 17 00:00:00 2001
-From: Peibao Liu
-Date: Fri, 29 May 2020 02:04:15 -0400
-Subject: [PATCH] Defensive code that tries to prevent a recurrence of
- problems.
-
-port from:
-https://www.sqlite.org/src/info/572105de1d44bca4
-
-Signed-off-by: Peibao Liu
----
- src/expr.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff -Naur c/src/expr.c d/src/expr.c
---- c/src/expr.c 2020-06-23 03:05:10.871000000 +0000
-+++ d/src/expr.c 2020-06-23 03:15:14.426000000 +0000
-@@ -3542,7 +3542,10 @@
- switch( op ){
- case TK_AGG_COLUMN: {
- AggInfo *pAggInfo = pExpr->pAggInfo;
-- struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
-+ struct AggInfo_col *pCol;
-+ assert( pAggInfo!=0 );
-+ assert( pExpr->iAgg>=0 && pExpr->iAggnColumn );
-+ pCol = &pAggInfo->aCol[pExpr->iAgg];
- if( !pAggInfo->directMode ){
- assert( pCol->iMem>0 );
- return pCol->iMem;
-@@ -3761,7 +3764,10 @@
- }
- case TK_AGG_FUNCTION: {
- AggInfo *pInfo = pExpr->pAggInfo;
-- if( pInfo==0 ){
-+ if( pInfo==0
-+ || NEVER(pExpr->iAgg<0)
-+ || NEVER(pExpr->iAgg>=pInfo->nFunc)
-+ ){
- assert( !ExprHasProperty(pExpr, EP_IntValue) );
- sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
- }else{
-- 
Gitee

From 15623ba3f0c04be08881a9bd4ddabaccb31ace05 Mon Sep 17 00:00:00 2001
From: Markeryang <747675909@qq.com> Date: Tue, 23 Jun 2020 15:11:11 +0800 Subject: [PATCH 6/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20sqli?= =?UTF-8?q?te-3.24.0-10.h1-CVE-2020-13434.patch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sqlite-3.24.0-10.h1-CVE-2020-13434.patch | 65 ------------------------ 1 file changed, 65 deletions(-) delete mode 100644 sqlite-3.24.0-10.h1-CVE-2020-13434.patch diff --git a/sqlite-3.24.0-10.h1-CVE-2020-13434.patch b/sqlite-3.24.0-10.h1-CVE-2020-13434.patch deleted file mode 100644 index df754ea..0000000 --- a/sqlite-3.24.0-10.h1-CVE-2020-13434.patch +++ /dev/null 
@@ -1,65 +0,0 @@
-From 4f0a1ae44243b92d7e20ff1b263f39ef8e183b50 Mon Sep 17 00:00:00 2001
-From: Peibao Liu
-Date: Fri, 29 May 2020 01:34:28 -0400
-Subject: [PATCH] Limit the "precision" of floating-point to text conversions
- in the printf() function to 100,000,000.
-
-port from:
-https://www.sqlite.org/src/info/d08d3405878d394e
-
-1. The printf() func was introduced in sqlite v3.8(6db7052eeefafdbf)
-and in the current version this func is still not introduced, which
-caused the test case printf-16.1 could not execute. So remove the test
-case part of the upstream patch.
-2. The modification of sqlite3VXPrintf() in this patch could cause the
-printf-2.1.2.10 test case failure as this test case has already modified
-in e7144ffd21294d7a commit. Just modify this test case to latest but do
-not port the relevant patch.
-
-Signed-off-by: Peibao Liu
----
- src/printf.c | 12 ++++++++++++
- test/printf.test | 2 +-
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff -Naur a/src/printf.c b/src/printf.c
---- a/src/printf.c 2020-06-23 03:01:16.783000000 +0000
-+++ b/src/printf.c 2020-06-23 03:51:18.644000000 +0000
-@@ -166,6 +166,13 @@
- #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
-
- /*
-+ * ** Hard limit on the precision of floating-point conversions.
-+ * */
-+#ifndef SQLITE_PRINTF_PRECISION_LIMIT
-+# define SQLITE_FP_PRECISION_LIMIT 100000000
-+#endif
-+
-+/*
- ** Render a string given by "fmt" into the StrAccum object.
- */ - void sqlite3_str_vappendf( -@@ -471,6 +478,11 @@ - length = 0; - #else - if( precision<0 ) precision = 6; /* Set default precision */ -+#ifdef SQLITE_FP_PRECISION_LIMIT -+ if( precision>SQLITE_FP_PRECISION_LIMIT ){ -+ precision = SQLITE_FP_PRECISION_LIMIT; -+ } -+#endif - if( realvalue<0.0 ){ - realvalue = -realvalue; - prefix = '-'; -diff -Naur a/test/printf.test b/test/printf.test ---- a/test/printf.test 2020-06-23 03:01:16.963000000 +0000 -+++ b/test/printf.test 2020-06-23 03:52:25.410000000 +0000 -@@ -540,7 +540,7 @@ - } {abc: 1 1 (1e-20) :xyz} - do_test printf-2.1.2.10 { - sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20 --} {abc: } -+} {} - do_test printf-2.1.3.1 { - sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0 - } {abc: (1.0) :xyz} -- Gitee From 5a84fa3a8865a14d3d53405dfd7121076fee4a8f Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Tue, 23 Jun 2020 15:11:57 +0800 Subject: [PATCH 7/7] update sqlite.spec. --- sqlite.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sqlite.spec b/sqlite.spec index 4cf4c7e..19a9388 100644 --- a/sqlite.spec +++ b/sqlite.spec @@ -77,10 +77,10 @@ Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch Patch6055: 6055-Fix-CVE-2018-20505.patch Patch6056: 6056-Fix-CVE-2020-9327.patch Patch6057: 6057-Fix-CVE-2020-11655.patch -Patch6058: sqlite-3.24.0-10.h1-CVE-2020-13434.patch -Patch6059: sqlite-3.24.0-10.h1-CVE-2020-13435.patch -Patch6060: sqlite-3.24.0-10.h1-CVE-2020-13630.patch -Patch6061: sqlite-3.24.0-10.h1-CVE-2020-13632.patch +Patch6058: sqlite-3.24.0-11-CVE-2020-13434.patch +Patch6059: sqlite-3.24.0-11-CVE-2020-13435.patch +Patch6060: sqlite-3.24.0-11-CVE-2020-13630.patch +Patch6061: sqlite-3.24.0-11-CVE-2020-13632.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel -- Gitee