From 419bd31973ad59acb2a32bcd85255d6b83e7fa33 Mon Sep 17 00:00:00 2001
From: liusirui
Date: Wed, 10 Aug 2022 10:53:03 +0800
Subject: [PATCH] fix CVE-2022-35737

---
 0004-CVE-2022-35737.patch | 80 +++++++++++++++++++++++++++++++++++++++
 sqlite.spec | 7 +++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 0004-CVE-2022-35737.patch

diff --git a/0004-CVE-2022-35737.patch b/0004-CVE-2022-35737.patch
new file mode 100644
index 0000000..9c6fa5b
--- /dev/null
+++ b/0004-CVE-2022-35737.patch
@@ -0,0 +1,80 @@
+From effc07ec9c6e08d3bd17665f8800054770f8c643 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Fri, 15 Jul 2022 12:34:31 +0000
+Subject: [PATCH] Fix the whereKeyStats() routine (part of STAT4 processing
+ only) so that it is able to cope with row-value comparisons against the
+ primary key index of a WITHOUT ROWID table.
+ [forum:/forumpost/3607259d3c|Forum post 3607259d3c].
+
+FossilOrigin-Name: 2a6f761864a462de5c2d5bc666b82fb0b7e124a03443cd1482620dde344b34bb
+
+---
+ src/where.c | 4 ++--
+ test/rowvalue.test | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/where.c b/src/where.c
+index de6ea91e3..110eb4845 100644
+--- a/src/where.c
++++ b/src/where.c
+@@ -1433,7 +1433,7 @@ static int whereKeyStats(
+ #endif
+ assert( pRec!=0 );
+ assert( pIdx->nSample>0 );
+- assert( pRec->nField>0 && pRec->nField<=pIdx->nSampleCol );
++ assert( pRec->nField>0 );
+
+ /* Do a binary search to find the first sample greater than or equal
+ ** to pRec. If pRec contains a single field, the set of samples to search
+@@ -1479,7 +1479,7 @@ static int whereKeyStats(
+ ** it is extended to two fields. The duplicates that this creates do not
+ ** cause any problems.
+ */
+- nField = pRec->nField;
++ nField = MIN(pRec->nField, pIdx->nSample);
+ iCol = 0;
+ iSample = pIdx->nSample * nField;
+ do{
+diff --git a/test/rowvalue.test b/test/rowvalue.test
+index 12fee8237..59b44d938 100644
+--- a/test/rowvalue.test
++++ b/test/rowvalue.test
+@@ -751,4 +751,35 @@ do_execsql_test 30.3 {
+
+
+
++# 2022-07-15
++# https://sqlite.org/forum/forumpost/3607259d3c
++#
++reset_db
++do_execsql_test 33.1 {
++ CREATE TABLE t1(a INT, b INT PRIMARY KEY) WITHOUT ROWID;
++ INSERT INTO t1(a, b) VALUES (0, 1),(15,-7),(3,100);
++ ANALYZE;
++} {}
++do_execsql_test 33.2 {
++ SELECT * FROM t1 WHERE (b,a) BETWEEN (0,5) AND (99,-2);
++} {0 1}
++do_execsql_test 33.3 {
++ SELECT * FROM t1 WHERE (b,a) BETWEEN (-8,5) AND (0,-2);
++} {15 -7}
++do_execsql_test 33.3 {
++ SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,4);
++} {3 100}
++do_execsql_test 33.3 {
++ SELECT * FROM t1 WHERE (b,a) BETWEEN (3,5) AND (100,2);
++} {}
++do_execsql_test 33.3 {
++ SELECT * FROM t1 WHERE (a,b) BETWEEN (-2,99) AND (1,0);
++} {0 1}
++do_execsql_test 33.3 {
++ SELECT * FROM t1 WHERE (a,b) BETWEEN (14,99) AND (16,0);
++} {15 -7}
++do_execsql_test 33.3 {
++ SELECT * FROM t1 WHERE (a,b) BETWEEN (2,99) AND (4,0);
++} {3 100}
++
+ finish_test
+--
+2.25.1
+
diff --git a/sqlite.spec b/sqlite.spec
index 09e5df2..9ce8a92 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -6,7 +6,7 @@
 Name: sqlite
 Version: 3.36.0
-Release: 2
+Release: 3
 Summary: Embeded SQL database
 License: Public Domain
 URL: http://www.sqlite.org/
@@ -18,6 +18,7 @@ Source2: https://www.sqlite.org/2021/sqlite-autoconf-%{extver}.tar.gz
 Patch1: 0001-sqlite-no-malloc-usable-size.patch
 Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
 Patch3: 0003-CVE-2021-36690.patch
+Patch4: 0004-CVE-2022-35737.patch
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
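Review bot: The embedded upstream check-in does not look like the fix for the CVE this commit is named after: its own subject line and hunks change only whereKeyStats() in src/where.c (STAT4 handling of row-value comparisons against the primary key of a WITHOUT ROWID table, forum post 3607259d3c), whereas CVE-2022-35737 as published describes an array-bounds overflow in SQLite's printf-style formatting code (sqlite3_str_vappendf in src/printf.c) when a string argument of billions of bytes is passed to a C API, which is a separate 3.39.2 change. Please verify that the correct upstream check-in was backported before this package is shipped as the CVE fix; if this where.c change is wanted too, name it for what it is in the patch file name and the changelog rather than under the CVE id. On the code itself, `nField = MIN(pRec->nField, pIdx->nSample);` clamps the field count to the number of samples while the assertion it replaces compared it against pIdx->nSampleCol, which reads oddly at first sight; if that is what upstream committed, a comment on that line such as `/* pRec may carry more fields than STAT4 samples were collected for (row-value constraint on a WITHOUT ROWID PK); clamp before computing iSample */` would record why the assertion was relaxed. whereKeyStats() begins and ends outside the hunk.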
@@ -63,6 +64,7 @@ This contains man files and HTML files for the using of sqlite.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@@ -133,6 +135,9 @@ make test
 %{_mandir}/man*/*
 %changelog
+* Tue Aug 16 2022 liusirui - 3.36.0-3
+- fix the CVE-2022-35737.
+
 * Sat Nov 27 2021 wbq_sky - 3.36.0-2
 - fix the CVE-2021-36690.
-- Gitee