From 50eab3ada6c77822a32cb20686ec9bb3c199a269 Mon Sep 17 00:00:00 2001 
From: eulerstorage Date: Wed, 8 Jan 2020 10:32:47 +0800 Subject: [PATCH] repackage and fix cves --- ...-sqlite-3.6.23-lemon-system-template.patch | 21 --- ...=> 0000-sqlite-no-malloc-usable-size.patch | 0 ....patch => 0001-sqlite-CVE-2018-20346.patch | 0 ...ail-testcase-in-no-free-fd-situation.patch | 57 +++++--- 0003-sqlite-3.8.0-percentile-test.patch | 15 -- 0004-sqlite-3.8.10.1-tcl-regress-tests.patch | 137 ------------------ 0005-sqlite-3.16-datetest-2.2c.patch | 14 -- 0006-sqlite-3.18.0-sync2-dirsync.patch | 90 ------------ ...-away-from-the-LEFT-JOIN-optimizatio.patch | 70 +++++++++ ...curs-while-rewriting-the-parser-tree.patch | 50 +++++++ ...extension-so-that-INSERT-works-even-.patch | 55 +++++++ ...e2bddcd4c55ba3cb-Add-another-spot-wh.patch | 34 +++++ ...o-unwind-the-WITH-stack-in-the-Parse.patch | 32 ++++ sqlite.spec | 39 ++--- 14 files changed, 297 insertions(+), 317 deletions(-) delete mode 100644 0000-sqlite-3.6.23-lemon-system-template.patch rename 0002-sqlite-3.12.2-no-malloc-usable-size.patch => 0000-sqlite-no-malloc-usable-size.patch (100%) rename 0007-sqlite-CVE-2018-20346.patch => 0001-sqlite-CVE-2018-20346.patch (100%) rename 0001-sqlite-3.7.7.1-stupid-openfiles-test.patch => 0002-remove-fail-testcase-in-no-free-fd-situation.patch (33%) delete mode 100644 0003-sqlite-3.8.0-percentile-test.patch delete mode 100644 0004-sqlite-3.8.10.1-tcl-regress-tests.patch delete mode 100644 0005-sqlite-3.16-datetest-2.2c.patch delete mode 100644 0006-sqlite-3.18.0-sync2-dirsync.patch create mode 100644 6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch create mode 100644 6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch create mode 100644 6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch create mode 100644 6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch create mode 100644 
6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch diff --git a/0000-sqlite-3.6.23-lemon-system-template.patch b/0000-sqlite-3.6.23-lemon-system-template.patch deleted file mode 100644 index 3d3b0aa..0000000 --- a/0000-sqlite-3.6.23-lemon-system-template.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up sqlite-3.6.23/tool/lemon.c.system-template sqlite-3.6.23/tool/lemon.c ---- sqlite-3.6.23/tool/lemon.c.system-template 2010-03-10 16:40:35.000000000 +0200 -+++ sqlite-3.6.23/tool/lemon.c 2010-03-10 16:40:39.000000000 +0200 -@@ -3363,6 +3363,8 @@ PRIVATE FILE *tplt_open(struct lemon *le - tpltname = buf; - }else if( access(templatename,004)==0 ){ - tpltname = templatename; -+ }else if( access("/usr/share/lemon/lempar.c", R_OK)==0){ -+ tpltname = "/usr/share/lemon/lempar.c"; - }else{ - tpltname = pathsearch(lemp->argv0,templatename,0); - } -@@ -3374,7 +3376,7 @@ PRIVATE FILE *tplt_open(struct lemon *le - } - in = fopen(tpltname,"rb"); - if( in==0 ){ -- fprintf(stderr,"Can't open the template file \"%s\".\n",templatename); -+ fprintf(stderr,"Can't open the template file \"%s\".\n",tpltname); - lemp->errorcnt++; - return 0; - } diff --git a/0002-sqlite-3.12.2-no-malloc-usable-size.patch b/0000-sqlite-no-malloc-usable-size.patch similarity index 100% rename from 0002-sqlite-3.12.2-no-malloc-usable-size.patch rename to 0000-sqlite-no-malloc-usable-size.patch diff --git a/0007-sqlite-CVE-2018-20346.patch b/0001-sqlite-CVE-2018-20346.patch similarity index 100% rename from 0007-sqlite-CVE-2018-20346.patch rename to 0001-sqlite-CVE-2018-20346.patch diff --git a/0001-sqlite-3.7.7.1-stupid-openfiles-test.patch b/0002-remove-fail-testcase-in-no-free-fd-situation.patch similarity index 33% rename from 0001-sqlite-3.7.7.1-stupid-openfiles-test.patch rename to 0002-remove-fail-testcase-in-no-free-fd-situation.patch index 101f0d4..97ec1aa 100644 --- a/0001-sqlite-3.7.7.1-stupid-openfiles-test.patch 
+++ b/0002-remove-fail-testcase-in-no-free-fd-situation.patch @@ -1,9 +1,31 @@ ---- sqlite-src-3240000/test/oserror.test.old 2018-06-05 08:40:35.656122573 +0200 -+++ sqlite-src-3240000/test/oserror.test 2018-06-05 08:40:45.614935197 +0200 -@@ -51,20 +51,20 @@ - # a call to getcwd() may fail if there are no free file descriptors. So - # an error may be reported for either open() or getcwd() here. - # +From defded46ea50037500590122d847ba6a7cb96110 Mon Sep 17 00:00:00 2001 +From: eulerstorage +Date: Sat, 11 Jan 2020 11:33:54 +0800 +Subject: [PATCH] remove fail testcase in no free fd situation + +--- + test/oserror.test | 27 --------------------------- + 1 file changed, 27 deletions(-) + +diff --git a/test/oserror.test b/test/oserror.test +index 271163a..d46218f 100644 +--- a/test/oserror.test ++++ b/test/oserror.test +@@ -40,33 +40,6 @@ proc do_re_test {tn script expression} { + + } + +-#-------------------------------------------------------------------------- +-# Tests oserror-1.* test failures in the open() system call. +-# +- +-# Test a failure in open() due to too many files. +-# +-# The xOpen() method of the unix VFS calls getcwd() as well as open(). +-# Although this does not appear to be documented in the man page, on OSX +-# a call to getcwd() may fail if there are no free file descriptors. So +-# an error may be reported for either open() or getcwd() here. +-# -if {![clang_sanitize_address]} { - do_test 1.1.1 { - set ::log [list] 
@@ -18,20 +40,11 @@ - lindex $::log 0 - } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - } -} -+#if {![clang_sanitize_address]} { -+# do_test 1.1.1 { -+# set ::log [list] -+# list [catch { -+# for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 } -+# } msg] $msg -+# } {1 {unable to open database file}} -+# do_test 1.1.2 { -+# catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } } -+# } {1} -+# do_re_test 1.1.3 { -+# lindex $::log 0 -+# } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - } -+#} - - +- +- # Test a failure in open() due to the path being a directory. + # + do_test 1.2.1 { +-- +1.8.3.1 + diff --git a/0003-sqlite-3.8.0-percentile-test.patch b/0003-sqlite-3.8.0-percentile-test.patch deleted file mode 100644 index f828fa5..0000000 --- a/0003-sqlite-3.8.0-percentile-test.patch +++ /dev/null @@ -1,15 +0,0 @@ -# On i686 arch the removed test fails with result 2749999.50004681 instead of expected -# 2749999.5. This patch is temporary workaround and should be dropped as soon as a valid -# fix is found. - -diff -up sqlite-src-3080002/test/percentile.test.broken sqlite-src-3080002/test/percentile.test ---- sqlite-src-3080002/test/percentile.test.broken 2013-09-16 13:19:53.406004041 +0200 -+++ sqlite-src-3080002/test/percentile.test 2013-09-16 13:20:00.079024945 +0200 -@@ -195,7 +195,6 @@ ifcapable vtab { - foreach {in out} { - 0 0.0 - 100 9999990.0 -- 50 2749999.5 - 10 99999.9 - } { - do_test percentile-2.1.$in { diff --git a/0004-sqlite-3.8.10.1-tcl-regress-tests.patch b/0004-sqlite-3.8.10.1-tcl-regress-tests.patch deleted file mode 100644 index bdeb6da..0000000 --- a/0004-sqlite-3.8.10.1-tcl-regress-tests.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -This patch disables a test which caused failed assertion in tcl 8.6.3. -According to sqlite upstream[1], this should be fixed in tcl 8.6.5. - -[1] http://mailinglists.sqlite.org/cgi-bin/mailman/private/sqlite-users/2015-May/059518.html - -diff -up sqlite-src-3130000/test/shell1.test.orig sqlite-src-3130000/test/shell1.test ---- sqlite-src-3140100/test/shell1.test.orig 2016-08-12 02:17:02.000000000 +0200 -+++ sqlite-src-3140100/test/shell1.test 2016-08-15 15:00:59.869664051 +0200 -@@ -855,67 +855,67 @@ do_test shell1-4.6 { - - # Test using arbitrary byte data with the shell via standard input/output. - # --do_test shell1-5.0 { -- # -- # NOTE: Skip NUL byte because it appears to be incompatible with command -- # shell argument parsing. -- # -- for {set i 1} {$i < 256} {incr i} { -- # -- # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats -- # command channels opened for it as textual ones), the carriage -- # return character (and on Windows, the end-of-file character) -- # cannot be used here. -- # -- if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} { -- continue -- } -- if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue -- if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue -- set hex [format %02X $i] -- set char [subst \\x$hex]; set oldChar $char -- set escapes [list] -- if {$tcl_platform(platform)=="windows"} { -- # -- # NOTE: On Windows, we need to escape all the whitespace characters, -- # the alarm (\a) character, and those with special meaning to -- # the SQLite shell itself. -- # -- set escapes [list \ -- \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \ -- " " "\" \"" \" \\\" ' \"'\" \\ \\\\] -- } else { -- # -- # NOTE: On Unix, we need to escape most of the whitespace characters -- # and those with special meaning to the SQLite shell itself. -- # The alarm (\a), backspace (\b), and carriage-return (\r) -- # characters do not appear to require escaping on Unix. 
For -- # the alarm and backspace characters, this is probably due to -- # differences in the command shell. For the carriage-return, -- # it is probably due to differences in how Tcl handles command -- # channel end-of-line translations. -- # -- set escapes [list \ -- \t \\t \n \\n \v \\v \f \\f \ -- " " "\" \"" \" \\\" ' \"'\" \\ \\\\] -- } -- set char [string map $escapes $char] -- set x [catchcmdex test.db ".print $char\n"] -- set code [lindex $x 0] -- set res [lindex $x 1] -- if {$code ne "0"} { -- error "failed with error: $res" -- } -- if {$res ne "$oldChar\n"} { -- if {[llength $res] > 0} { -- set got [format %02X [scan $res %c]] -- } else { -- set got -- } -- error "failed with byte $hex mismatch, got $got" -- } -- } --} {} -+#do_test shell1-5.0 { -+# # -+# # NOTE: Skip NUL byte because it appears to be incompatible with command -+# # shell argument parsing. -+# # -+# for {set i 1} {$i < 256} {incr i} { -+# # -+# # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats -+# # command channels opened for it as textual ones), the carriage -+# # return character (and on Windows, the end-of-file character) -+# # cannot be used here. -+# # -+# if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} { -+# continue -+# } -+# if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue -+# if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue -+# set hex [format %02X $i] -+# set char [subst \\x$hex]; set oldChar $char -+# set escapes [list] -+# if {$tcl_platform(platform)=="windows"} { -+# # -+# # NOTE: On Windows, we need to escape all the whitespace characters, -+# # the alarm (\a) character, and those with special meaning to -+# # the SQLite shell itself. -+# # -+# set escapes [list \ -+# \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \ -+# " " "\" \"" \" \\\" ' \"'\" \\ \\\\] -+# } else { -+# # -+# # NOTE: On Unix, we need to escape most of the whitespace characters -+# # and those with special meaning to the SQLite shell itself. 
-+# # The alarm (\a), backspace (\b), and carriage-return (\r) -+# # characters do not appear to require escaping on Unix. For -+# # the alarm and backspace characters, this is probably due to -+# # differences in the command shell. For the carriage-return, -+# # it is probably due to differences in how Tcl handles command -+# # channel end-of-line translations. -+# # -+# set escapes [list \ -+# \t \\t \n \\n \v \\v \f \\f \ -+# " " "\" \"" \" \\\" ' \"'\" \\ \\\\] -+# } -+# set char [string map $escapes $char] -+# set x [catchcmdex test.db ".print $char\n"] -+# set code [lindex $x 0] -+# set res [lindex $x 1] -+# if {$code ne "0"} { -+# error "failed with error: $res" -+# } -+# if {$res ne "$oldChar\n"} { -+# if {[llength $res] > 0} { -+# set got [format %02X [scan $res %c]] -+# } else { -+# set got -+# } -+# error "failed with byte $hex mismatch, got $got" -+# } -+# } -+#} {} - - # These test cases do not work on MinGW - if 0 { diff --git a/0005-sqlite-3.16-datetest-2.2c.patch b/0005-sqlite-3.16-datetest-2.2c.patch deleted file mode 100644 index 63857db..0000000 --- a/0005-sqlite-3.16-datetest-2.2c.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- sqlite-src-3160100/test/date.test.orig 2017-01-04 14:48:46.113737093 +0100 -+++ sqlite-src-3160100/test/date.test 2017-01-04 14:49:11.144833563 +0100 -@@ -76,11 +76,6 @@ datetest 2.1c datetime(0,'unixepochx') N - datetest 2.1d datetime('2003-10-22','unixepoch') NULL - datetest 2.2 datetime(946684800,'unixepoch') {2000-01-01 00:00:00} - datetest 2.2b datetime('946684800','unixepoch') {2000-01-01 00:00:00} --for {set i 0} {$i<1000} {incr i} { -- set sql [format {strftime('%%H:%%M:%%f',1237962480.%03d,'unixepoch')} $i] -- set res [format {06:28:00.%03d} $i] -- datetest 2.2c-$i $sql $res --} - datetest 2.3 {date('2003-10-22','weekday 0')} 2003-10-26 - datetest 2.4 {date('2003-10-22','weekday 1')} 2003-10-27 - datetest 2.4a {date('2003-10-22','weekday 1')} 2003-10-27 
diff --git a/0006-sqlite-3.18.0-sync2-dirsync.patch b/0006-sqlite-3.18.0-sync2-dirsync.patch deleted file mode 100644 index 0c7d0a5..0000000 --- a/0006-sqlite-3.18.0-sync2-dirsync.patch +++ /dev/null 
@@ -1,90 +0,0 @@ ---- sqlite-src-3180000/test/sync2.test.sync2-dirsync 2017-03-30 21:26:42.000000000 +0200 -+++ sqlite-src-3180000/test/sync2.test 2017-04-03 13:16:14.422329691 +0200 -@@ -44,6 +44,15 @@ - uplevel [list do_test $tn [list execsql_sync $sql] [list {*}$res]] - } - -+# Wrapper over the expected sync count, takes DIRSYNC into consideration -+proc expected_sync_count {sync_count} { -+ ifcapable dirsync { -+ return $sync_count -+ } else { -+ return [ incr sync_count -1 ] -+ } -+} -+ - #----------------------------------------------------------------------- - # Tests for journal mode. - # -@@ -53,13 +62,13 @@ - INSERT INTO t1 VALUES(1, 2); - } - --do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } 4 -+do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } [ expected_sync_count 4 ] - - # synchronous=normal. So, 1 sync on the directory, 1 on the journal, 1 - # on the db file. 3 in total. - do_execsql_test 1.2.1 { PRAGMA main.synchronous = NORMAL } - do_execsql_test 1.2.2 { PRAGMA main.synchronous } 1 --do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } 3 -+do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } [ expected_sync_count 3 ] - - # synchronous=off. No syncs. - do_execsql_test 1.3.1 { PRAGMA main.synchronous = OFF } -@@ -70,7 +79,7 @@ - # 2 on the journal, 1 on the db file. 4 in total. - do_execsql_test 1.4.1 { PRAGMA main.synchronous = FULL } - do_execsql_test 1.4.2 { PRAGMA main.synchronous } 2 --do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } 4 -+do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } [ expected_sync_count 4 ] - - #----------------------------------------------------------------------- - # Tests for wal mode. -@@ -79,7 +88,7 @@ - - # sync=full, journal_mode=wal. One sync on the directory, two on the - # wal file. --do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } 3 -+do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } [ expected_sync_count 3 ] - - # One sync on the wal file. 
- do_execsql_sync_test 1.7 { INSERT INTO t1 VALUES(13, 14) } 1 -@@ -112,7 +121,7 @@ - - # Wal mode, sync=normal. The first transaction does one sync on directory, - # one on the wal file. The second does no syncs. -- do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } 2 -+ do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } [ expected_sync_count 2 ] - do_execsql_sync_test 1.11.2 { INSERT INTO t1 VALUES(21, 22) } 0 - do_execsql_test 1.11.3 { PRAGMA main.synchronous } 1 - -@@ -129,14 +138,14 @@ - # Delete mode, sync=full. The first transaction does one sync on - # directory, two on the journal file, one on the db. The second does - # the same. -- do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } 4 -- do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } 4 -+ do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } [ expected_sync_count 4 ] -+ do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } [ expected_sync_count 4 ] - do_execsql_test 1.15.3 { PRAGMA main.synchronous } 2 - - # Switch back to wal mode. - do_execsql_test 1.16 { PRAGMA journal_mode = wal } {wal} - -- do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } 2 -+ do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } [ expected_sync_count 2 ] - do_execsql_sync_test 1.17.2 { INSERT INTO t1 VALUES(32, 33) } 0 - do_execsql_test 1.17.3 { PRAGMA main.synchronous } 1 - -@@ -152,8 +161,8 @@ - # Close and reopen the db. Back to synchronous=normal. - db close - sqlite3 db test.db -- do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } 4 -- do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } 4 -+ do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } [ expected_sync_count 4 ] -+ do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } [ expected_sync_count 4 ] - do_execsql_test 1.20.3 { PRAGMA main.synchronous } 2 - } - 
diff --git a/6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch b/6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch new file mode 100644 index 0000000..941627a --- /dev/null +++ b/6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch 
@@ -0,0 +1,70 @@ +From 2795bd850dd566da15576a48b275e7ed2e4eb581 Mon Sep 17 00:00:00 2001 +From: suweifeng +Date: Tue, 7 Jan 2020 11:56:05 +0800 +Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of + check-in [41c27bc0ff1d3135] + +by disallowing query flattening if the outer query is DISTINCT. Without this fix, +if an index scan is run on the table within the view on the right-hand side of the +LEFT JOIN, stale result registers might be accessed yielding incorrect results, +and/or an OP_IfNullRow opcode might be invoked on the un-opened table, resulting +in a NULL-pointer dereference. This problem was found by the Yongheng and Rui fuzzer. + +FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e + +Signed-off-by: suweifeng +--- + src/select.c | 8 ++++++-- + test/join.test | 13 +++++++++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/select.c b/src/select.c +index 529df0f..4510b77 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -3582,6 +3582,7 @@ static void substSelect( + ** (3b) the FROM clause of the subquery may not contain a virtual + ** table and + ** (3c) the outer query may not be an aggregate. ++** (3d) the outer query may not be DISTINCT. + ** + ** (4) The subquery can not be DISTINCT. 
+ ** +@@ -3770,8 +3771,11 @@ static int flattenSubquery( + */ + if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){ + isLeftJoin = 1; +- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){ +- /* (3a) (3c) (3b) */ ++ if( pSubSrc->nSrc>1 /* (3a) */ ++ || isAgg /* (3b) */ ++ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */ ++ || (p->selFlags & SF_Distinct)!=0 /* (3d) */ ++ ){ + return 0; + } + } +diff --git a/test/join.test b/test/join.test +index 8c6f463..8c6a53d 100644 +--- a/test/join.test ++++ b/test/join.test +@@ -844,4 +844,17 @@ do_execsql_test join-15.110 { + ORDER BY a1, a2, a3, a4, a5; + } {1 {} {} {} {} 1 11 {} {} {} 1 12 {} {} {} 1 12 121 {} {} 1 13 {} {} {}} + ++# 2019-12-18 problem with a LEFT JOIN where the RHS is a view. ++# Detected by Yongheng and Rui. ++# Follows from the optimization attempt of check-in 41c27bc0ff1d3135 ++# on 2017-04-18 ++# ++reset_db ++do_execsql_test join-22.10 { ++ CREATE TABLE t0(a, b); ++ CREATE INDEX t0a ON t0(a); ++ INSERT INTO t0 VALUES(10,10),(10,11),(10,12); ++ SELECT DISTINCT c FROM t0 LEFT JOIN (SELECT a+1 AS c FROM t0) ORDER BY c ; ++} {11} ++ + finish_test +-- +2.19.1 diff --git a/6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch b/6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch new file mode 100644 index 0000000..8d56da8 --- /dev/null +++ b/6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch 
@@ -0,0 +1,50 @@ +From 9a1e94798c28f19ac3c80b83e514c0d3f2b7ca67 Mon Sep 17 00:00:00 2001 +From: suweifeng +Date: Tue, 7 Jan 2020 11:59:38 +0800 +Subject: [PATCH] When an error occurs while rewriting the parser tree for + window functions + +in the sqlite3WindowRewrite() routine, make sure that pParse->nErr is set, +and make sure that this shuts down any subsequent code generation that might +depend on the transformations that were implemented. This fixes a problem +discovered by the Yongheng and Rui fuzzer. + +FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f + +Signed-off-by: suweifeng +--- + src/expr.c | 2 ++ + src/vdbeaux.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/expr.c b/src/expr.c +index 36ca515..8fd8af9 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -344,6 +344,8 @@ static int codeCompare( + int addr; + CollSeq *p4; + ++ if( pParse->nErr ) return 0; ++ + p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight); + p5 = binaryCompareP5(pLeft, pRight, jumpIfNull); + addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1, +diff --git a/src/vdbeaux.c b/src/vdbeaux.c +index ba2396c..df8bcc2 100644 +--- a/src/vdbeaux.c ++++ b/src/vdbeaux.c +@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){ + */ + static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){ + assert( p->nOp>0 || p->aOp==0 ); +- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed ); ++ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed ++ || p->pParse->nErr>0 ); + if( p->nOp ){ + assert( p->aOp ); + sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment); +-- +2.19.1 + + diff --git a/6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch b/6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch new file mode 100644 index 0000000..995ed18 --- /dev/null 
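Review bot: The fix this patch describes targets sqlite3WindowRewrite(), but the package is at Version 3.24.0 (see the sqlite.spec hunk further down), which as far as I know predates window-function support, so the trigger path for CVE-2019-19924 does not appear to exist in this tree; the same applies to 6052 (CVE-2019-19926), whose description says it continues this change. The two code hunks themselves, the `if( pParse->nErr ) return 0;` guard in codeCompare and the relaxed assert in vdbeVComment, are generic abort-early-on-error hardening and apply to 3.24.0 on their own, so carrying them is reasonable. It would help a later auditor to record in the changelog or the patch header that these are applied as hardening and that the window-function trigger is not reachable on this version, rather than leaving the impression that a window-function backport is missing. Please confirm the version claim against the 3.24.0 sources before wording it that way.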
+++ b/6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch @@ -0,0 +1,55 @@ +From d37347d5f97a93b1598c3f74d0daa411cdfaab21 Mon Sep 17 00:00:00 2001 +From: suweifeng +Date: Tue, 7 Jan 2020 12:02:08 +0800 +Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the + pathname of + +the file being inserted is a NULL. Bug discovered by the +Yongheng and Rui fuzzer. + +FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06 + +Signed-off-by: suweifeng +--- + ext/misc/zipfile.c | 1 + + test/zipfile.test | 13 +++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c +index 9f2258e..01cd0ca 100644 +--- a/ext/misc/zipfile.c ++++ b/ext/misc/zipfile.c +@@ -1617,6 +1617,7 @@ static int zipfileUpdate( + + if( rc==SQLITE_OK ){ + zPath = (const char*)sqlite3_value_text(apVal[2]); ++ if( zPath==0 ) zPath = ""; + nPath = (int)strlen(zPath); + mTime = zipfileGetTime(apVal[4]); + } +diff --git a/test/zipfile.test b/test/zipfile.test +index ebc4977..abf432c 100644 +--- a/test/zipfile.test ++++ b/test/zipfile.test +@@ -761,4 +761,17 @@ do_execsql_test 11.11 { + SELECT name, data FROM z ORDER BY name; + } {b0suffix two b2suffix one} + ++# 2019-12-18 Yongheng and Rui fuzzer ++# ++do_execsql_test 13.10 { ++ DROP TABLE IF EXISTS t0; ++ DROP TABLE IF EXISTS t1; ++ CREATE TABLE t0(a,b,c,d,e,f,g); ++ REPLACE INTO t0(c,b,f) VALUES(10,10,10); ++ CREATE VIRTUAL TABLE t1 USING zipfile('h.zip'); ++ REPLACE INTO t1 SELECT * FROM t0; ++ SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata), ++ quote(data),quote(method) FROM t1; ++} {'' 10 10 2 X'3130' X'3130' 0} ++ + finish_test +-- +2.19.1 + + diff --git a/6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch b/6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch new file mode 100644 index 0000000..c64f7c4 --- /dev/null 
+++ b/6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch @@ -0,0 +1,34 @@ + +m c5873e86526042b1be51ac96e7d748fc0a7ff009 Mon Sep 17 00:00:00 2001 +From: suweifeng +Date: Tue, 7 Jan 2020 12:03:55 +0800 +Subject: [PATCH] Continuation of [e2bddcd4c55ba3cb]: Add another spot where it + is necessary + +to abort early due to prior errors in sqlite3WindowRewrite(). + +FossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2 + +Signed-off-by: suweifeng +--- + src/select.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/select.c b/src/select.c +index 4510b77..f78c8a5 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -2813,7 +2813,8 @@ static int multiSelect( + } + #endif + } +- ++ if( pParse->nErr ) goto multi_select_end; ++ + /* Compute collating sequences used by + ** temporary tables needed to implement the compound select. + ** Attach the KeyInfo structure to all temporary tables. +-- +2.19.1 + + diff --git a/6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch b/6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch new file mode 100644 index 0000000..a9ab91e --- /dev/null +++ b/6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch 
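Review bot: The header of the new 6052 patch file is corrupted: its first two added lines are an empty line followed by `m c5873e86526042b1be51ac96e7d748fc0a7ff009 Mon Sep 17 00:00:00 2001`, whereas every other added patch file begins with a single `From <hash> Mon Sep 17 00:00:00 2001` line. `patch`, as driven by `%patch6052 -p1`, skips leading text it cannot parse, so the build is unaffected, but `git am` will reject the file and the line that records the upstream commit id for provenance is damaged. Restore line 1 as `From c5873e86526042b1be51ac96e7d748fc0a7ff009 Mon Sep 17 00:00:00 2001` and drop the leading blank line so the file parses as a mail patch like the rest; the hunk's 34-line count then stays unchanged only if the blank line is removed together with the fix.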
@@ -0,0 +1,32 @@ +From c9011c193b557b435138c70dc555dcf3e43d3478 Mon Sep 17 00:00:00 2001 +From: suweifeng +Date: Sat, 11 Jan 2020 10:16:08 +0800 +Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object + following + + an error. This fixes a separate case to [de6e6d68]. + +FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92 + +Signed-off-by: suweifeng +--- + src/select.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/select.c b/src/select.c +index f78c8a5..3bb98ad 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -4717,7 +4717,7 @@ static int selectExpander(Walker *pWalker, Select *p){ + + /* Process NATURAL keywords, and ON and USING clauses of joins. + */ +- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){ ++ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){ + return WRC_Abort; + } + +-- +2.19.1 + + diff --git a/sqlite.spec b/sqlite.spec index 79cc483..db4b6f2 100644 --- a/sqlite.spec +++ b/sqlite.spec @@ -6,7 +6,7 @@ Name: sqlite Version: 3.24.0 -Release: 6 +Release: 7 Summary: Embeded SQL database License: Public Domain URL: http://www.sqlite.org/ 
@@ -15,14 +15,9 @@ Source0: http://www.sqlite.org/2018/sqlite-src-%{extver}.zip Source1: http://www.sqlite.org/2018/sqlite-doc-%{extver}.zip Source2: https://www.sqlite.org/2018/sqlite-autoconf-%{extver}.tar.gz -Patch0000: 0000-sqlite-3.6.23-lemon-system-template.patch -Patch0001: 0001-sqlite-3.7.7.1-stupid-openfiles-test.patch -Patch0002: 0002-sqlite-3.12.2-no-malloc-usable-size.patch -Patch0003: 0003-sqlite-3.8.0-percentile-test.patch -Patch0004: 0004-sqlite-3.8.10.1-tcl-regress-tests.patch -Patch0005: 0005-sqlite-3.16-datetest-2.2c.patch -Patch0006: 0006-sqlite-3.18.0-sync2-dirsync.patch -Patch0007: 0007-sqlite-CVE-2018-20346.patch +Patch0000: 0000-sqlite-no-malloc-usable-size.patch +Patch0001: 0001-sqlite-CVE-2018-20346.patch +Patch0002: 0002-remove-fail-testcase-in-no-free-fd-situation.patch Patch6000: 6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch Patch6001: 6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch @@ -73,6 +68,11 @@ Patch6045: 6045-sqlite-CVE-2019-16168.patch Patch6046: 6046-Fix-CVE-2019-19646.patch Patch6047: 6047-Fix-CVE-2019-9936.patch Patch6048: 6048-Fix-CVE-2019-9937.patch +Patch6049: 6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch +Patch6050: 6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch +Patch6051: 6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch +Patch6052: 6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch +Patch6053: 6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel 
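Review bot: The -15,14 hunk drops Patch0003, Patch0004, Patch0005 and Patch0006 (the i686 percentile test, the tcl 8.6.3 shell1 test, the date 2.2c loop and the sync2 DIRSYNC sync-count wrapper), but neither the commit message nor the new changelog entry says why those test workarounds are no longer needed; if the build still runs `make test` (a `make test` line is visible as context of the changelog hunk) and is produced for %{ix86}, the failures those patches masked may come back. Please state in the commit message that the tests now pass without them, and on which arches and tcl version that was checked, or keep the `%ifarch %{ix86}` percentile workaround until that is verified. The deleted 0003 and 0006 files themselves document the conditions they worked around (an i686 float result and the dirsync capability), so that information is being lost from the repo with nothing replacing it.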
@@ -116,16 +116,8 @@ This contains man files and HTML files for the using of sqlite. #autosetup will fail because of 2 zip files %setup -q -a1 -n %{name}-src-%{extver} %patch0000 -p1 -%patch0001 -p1 +%patch0001 -p0 %patch0002 -p1 -%patch0003 -p1 -%patch0004 -p1 -%ifarch %{ix86} -%patch0005 -p1 -%endif -%patch0006 -p1 -%patch0007 -p0 - %patch6000 -p1 %patch6001 -p1 %patch6002 -p1 @@ -175,6 +167,11 @@ This contains man files and HTML files for the using of sqlite. %patch6046 -p1 %patch6047 -p1 %patch6048 -p1 +%patch6049 -p1 +%patch6050 -p1 +%patch6051 -p1 +%patch6052 -p1 +%patch6053 -p1 rm -f %{name}-doc-%{extver}/sqlite.css~ || : @@ -245,6 +242,12 @@ make test %{_mandir}/man*/* %changelog +* Wed Jan 11 2020 openEuler Buildteam - 3.24.0-7 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:Fix CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-20218 + * Fri Jan 3 2020 openEuler Buildteam - 3.24.0-6 - Type:cves - ID:CVE-2019-9936,CVE-2019-9937 -- Gitee
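Review bot: The new %changelog entry is dated `Wed Jan 11 2020`, but 11 Jan 2020 is a Saturday (the Date headers of the added 0002 and 6053 patches read `Sat, 11 Jan 2020`); rpmbuild emits a "bogus date in %changelog" warning for such an entry, and some build pipelines may treat that warning as an error. The entry also uses `Type:enhancement` with `ID:NA`, while the previous entry for a CVE fix uses `Type:cves` and lists the identifiers under ID, so the classification is inconsistent with the file's own convention and makes the CVE fixes harder to find by grepping the ID field. Suggested lines: `* Sat Jan 11 2020 openEuler Buildteam - 3.24.0-7`, `- Type:cves`, `- ID:CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-20218`.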