From ce205d3f500a71326f402aa4bb2688adaf74887e Mon Sep 17 00:00:00 2001
From: bzhaoop
Date: Mon, 26 Apr 2021 16:45:02 +0800
Subject: [PATCH] Fix CVE-2021-20227
Ref: https://sqlite.org/src/info/30a4c323650cc949 https://sqlite.org/src/vpatch?from=69e31d52b2a7bde1&to=30a4c323650cc949
(cherry picked from commit cb4bb17c51b99913401e50c95779fbb5e54e01b8)
---
CVE-2021-20227.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++
sqlite.spec | 7 ++++-
2 files changed, 75 insertions(+), 1 deletion(-)
create mode 100644 CVE-2021-20227.patch
diff --git a/CVE-2021-20227.patch b/CVE-2021-20227.patch
new file mode 100644
index 0000000..94bde6a
--- /dev/null
+++ b/CVE-2021-20227.patch
@@ -0,0 +1,69 @@
+Index: sqlite-src-3320300/src/select.c
+==================================================================
+--- sqlite-src-3320300/src/select.c
++++ sqlite-src-3320300/src/select.c
+@@ -5613,11 +5613,13 @@
+ ** within the HAVING expression with a constant "1".
+ */
+ static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
+ if( pExpr->op!=TK_AND ){
+ Select *pS = pWalker->u.pSelect;
+- if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) ){
++ if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy)
++ && ExprAlwaysFalse(pExpr)==0
++ ){
+ sqlite3 *db = pWalker->pParse->db;
+ Expr *pNew = sqlite3Expr(db, TK_INTEGER, "1");
+ if( pNew ){
+ Expr *pWhere = pS->pWhere;
+ SWAP(Expr, *pNew, *pExpr);
+ 
+Index: sqlite-src-3320300/test/having.test
+==================================================================
+--- sqlite-src-3320300/test/having.test
++++ sqlite-src-3320300/test/having.test
+@@ -63,12 +63,12 @@
+ "SELECT a, sum(b) FROM t1 WHERE a=2 GROUP BY a HAVING sum(b)>5"
+ 
+ 3 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING a=2"
+ "SELECT a, sum(b) FROM t1 WHERE a=2 GROUP BY a COLLATE binary"
+ 
+- 5 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING 0"
+- "SELECT a, sum(b) FROM t1 WHERE 0 GROUP BY a COLLATE binary"
++ 5 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING 1"
++ "SELECT a, sum(b) FROM t1 WHERE 1 GROUP BY a COLLATE binary"
+ 
+ 6 "SELECT count(*) FROM t1,t2 WHERE a=c GROUP BY b, d HAVING b=d"
+ "SELECT count(*) FROM t1,t2 WHERE a=c AND b=d GROUP BY b, d"
+ 
+ 7 {
+@@ -151,8 +151,28 @@
+ #
+ set ::nondeter_ret 0
+ do_execsql_test 4.3 {
+ SELECT a, sum(b) FROM t3 WHERE nondeter(a) GROUP BY a
+ } {1 4 2 2}
++
++#-------------------------------------------------------------------------
++reset_db
++do_execsql_test 5.0 {
++ CREATE TABLE t1(a, b);
++ CREATE TABLE t2(x, y);
++ INSERT INTO t1 VALUES('a', 'b');
++}
++
++# The WHERE clause (a=2), uses an aggregate column from the outer query.
++# If the HAVING term (0) is moved into the WHERE clause in this case,
++# SQLite would at one point optimize (a=2 AND 0) to simply (0). Which
++# is logically correct, but happened to cause problems in aggregate
++# processing for the outer query. This test case verifies that those
++# problems are no longer present.
++do_execsql_test 5.1 {
++ SELECT min(b), (
++ SELECT x FROM t2 WHERE a=2 GROUP BY y HAVING 0
++ ) FROM t1;
++} {b {}}
+ 
+ 
+ finish_test
+ 
diff --git a/sqlite.spec b/sqlite.spec
index 3250f45..0319a2f 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -7,7 +7,7 @@ Name: sqlite
 Version: 3.32.3
-Release: 2
+Release: 3
 Summary: Embeded SQL database
 License: Public Domain
 URL: http://www.sqlite.org/
@@ -18,6 +18,7 @@ Source2: https://www.sqlite.org/%{year}/sqlite-autoconf-%{extver}.tar.gz
 Patch1: 0001-sqlite-no-malloc-usable-size.patch
 Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
+Patch3: CVE-2021-20227.patch
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -62,6 +63,7 @@ This contains man files and HTML files for the using of sqlite.
 %setup -q -a1 -n %{name}-src-%{extver}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@@ -135,6 +137,9 @@ make test
 %{_mandir}/man*/*
 %changelog
+* Mon Apr 26 2021 bzhaoop - 3.32.3-3
+- Fix CVE-2021-20227
+
 * Thu Sep 2 2020 lihaotian - 3.32.3-2
 - update source0 url
-- Gitee
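Review bot: The new condition `&& ExprAlwaysFalse(pExpr)==0` in havingToWhereExprCb is added without any comment in select.c; the only explanation of why an always-false HAVING term must stay where it is lives in the Tcl comment above test 5.1 at the end of the same patch file, which nobody reading select.c will see. I would put a comment in front of the changed `if(`, along the lines of `/* Leave an always-false term in HAVING: moving it into WHERE lets the optimizer collapse the whole WHERE clause to 0, which broke aggregate processing in the outer query (CVE-2021-20227). */`. The function-header comment whose last line opens the hunk still says every qualifying term is replaced "with a constant "1"", so that sentence should gain "unless the term is always false"; both that header and the body of havingToWhereExprCb extend beyond the hunk. Since the patch is re-targeted at the 3.32.3 tree (the Index lines), it is worth confirming that `ExprAlwaysFalse` is defined in that tree's sqliteInt.h; the `make test` run visible in the spec's %check context would also catch a regression in having.test 5.1. The spec hunks on the same line (release bump, Patch3 registration, changelog) need nothing further.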