From cea1fa726c0eaaf9c2ec169a6005f25f274eb3bf Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 24 2020 03:39:39 +0000
Subject: import sqlite-3.26.0-7.el8


---

diff --git a/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch b/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch
new file mode 100644
index 0000000..cda14f1
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch
@@ -0,0 +1,26 @@
+From 8fd3688e01f5839120d7477ca94e013f5809edcf Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 24 Mar 2020 11:33:04 +0100
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error.
+
+---
+ src/select.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/select.c b/src/select.c
+index 0205a08..bbd13a4 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -4910,7 +4910,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+ 
+   /* Process NATURAL keywords, and ON and USING clauses of joins.
+   */
+-  if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++  if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+     return WRC_Abort;
+   }
+ 
+-- 
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-6405.patch b/SOURCES/sqlite-3.26.0-CVE-2020-6405.patch
new file mode 100644
index 0000000..cf1fff5
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-6405.patch
@@ -0,0 +1,27 @@
+From 1668926bc3c7da0b2870a60382b179a0e3edb5de Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Thu, 26 Mar 2020 08:14:29 +0100
+Subject: [PATCH] Do not allow the constant-propagation optimization to apple
+ to ON/USING clause terms as it does not help and it might cause downstream
+ problems.
+
+---
+ src/select.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/select.c b/src/select.c
+index bbd13a4..88a43df 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -4171,7 +4171,7 @@ static int propagateConstantExprRewrite(Walker *pWalker, Expr *pExpr){
+   int i;
+   WhereConst *pConst;
+   if( pExpr->op!=TK_COLUMN ) return WRC_Continue;
+-  if( ExprHasProperty(pExpr, EP_FixedCol) ) return WRC_Continue;
++  if( ExprHasProperty(pExpr, EP_FixedCol|EP_FromJoin) ) return WRC_Continue;
+   pConst = pWalker->u.pConst;
+   for(i=0; i<pConst->nConst; i++){
+     Expr *pColumn = pConst->apExpr[i*2];
+-- 
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-9327.patch b/SOURCES/sqlite-3.26.0-CVE-2020-9327.patch
new file mode 100644
index 0000000..24b1eb9
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-9327.patch
@@ -0,0 +1,106 @@
+From 2d788539b0018d34d3cabb328387ba6bec41ec42 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Thu, 26 Mar 2020 09:43:43 +0100
+Subject: [PATCH] NULL pointer dereference and segmentation fault because of
+ generated column optimizations
+
+Take care when checking the table of a TK_COLUMN expression node to
+see if the table is a virtual table to first ensure that the
+Expr.y.pTab pointer is not null due to generated column optimizations.
+---
+ src/expr.c      | 13 ++++++++++---
+ src/sqliteInt.h |  3 +++
+ src/whereexpr.c | 12 ++++++++----
+ 3 files changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index b081ca2..5f98f76 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -4901,18 +4901,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
+     case TK_LT:
+     case TK_LE:
+     case TK_GT:
+-    case TK_GE:
++    case TK_GE: {
++      Expr *pLeft = pExpr->pLeft;
++      Expr *pRight = pExpr->pRight;
+       testcase( pExpr->op==TK_EQ );
+       testcase( pExpr->op==TK_NE );
+       testcase( pExpr->op==TK_LT );
+       testcase( pExpr->op==TK_LE );
+       testcase( pExpr->op==TK_GT );
+       testcase( pExpr->op==TK_GE );
+-      if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab))
+-       || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab))
++      /* The y.pTab=0 assignment in wherecode.c always happens after the
++      ** impliesNotNullRow() test */
++      if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)
++                               && IsVirtual(pLeft->y.pTab))
++       || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)
++                               && IsVirtual(pRight->y.pTab))
+       ){
+        return WRC_Prune;
+       }
++    }
+     default:
+       return WRC_Continue;
+   }
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 051aa40..5f5f3cc 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2014,8 +2014,11 @@ struct Table {
+ */
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ #  define IsVirtual(X)      ((X)->nModuleArg)
++#  define ExprIsVtab(X)  \
++              ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)
+ #else
+ #  define IsVirtual(X)      0
++#  define ExprIsVtab(X)     0
+ #endif
+ 
+ /*
+diff --git a/src/whereexpr.c b/src/whereexpr.c
+index dbb7f0d..9d2813a 100644
+--- a/src/whereexpr.c
++++ b/src/whereexpr.c
+@@ -382,7 +382,8 @@ static int isAuxiliaryVtabOperator(
+     **       MATCH(expression,vtab_column)
+     */
+     pCol = pList->a[1].pExpr;
+-    if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++    testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++    if( ExprIsVtab(pCol) ){
+       for(i=0; i<ArraySize(aOp); i++){
+         if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){
+           *peOp2 = aOp[i].eOp2;
+@@ -404,7 +405,8 @@ static int isAuxiliaryVtabOperator(
+     ** with function names in an arbitrary case.
+     */
+     pCol = pList->a[0].pExpr;
+-    if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++    testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++    if( ExprIsVtab(pCol) ){
+       sqlite3_vtab *pVtab;
+       sqlite3_module *pMod;
+       void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);
+@@ -427,10 +429,12 @@ static int isAuxiliaryVtabOperator(
+     int res = 0;
+     Expr *pLeft = pExpr->pLeft;
+     Expr *pRight = pExpr->pRight;
+-    if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){
++    testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
++    if( ExprIsVtab(pLeft) ){
+       res++;
+     }
+-    if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){
++    testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
++    if( pRight && ExprIsVtab(pRight) ){
+       res++;
+       SWAP(Expr*, pLeft, pRight);
+     }
+-- 
+2.24.1
+
diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec
index fb381f2..d586e91 100644
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@@ -51,8 +51,14 @@ Patch14: sqlite-3.26.0-CVE-2019-19923.patch
 Patch15: sqlite-3.26.0-CVE-2019-19925.patch
 # Fix for CVE-2019-19959
 Patch16: sqlite-3.26.0-CVE-2019-19959.patch
-# Fix fr issues found by covscan
+# Fix for issues found by covscan
 Patch17: sqlite-3.26.0-zPath-covscan.patch
+# Fix for CVE-2019-20218
+Patch18: sqlite-3.26.0-CVE-2019-20218.patch
+# Fix for CVE-2020-6405
+Patch19: sqlite-3.26.0-CVE-2020-6405.patch
+# Fix for CVE-2020-9327
+Patch20: sqlite-3.26.0-CVE-2020-9327.patch
 
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -167,6 +173,9 @@ This package contains the analysis program for %{name}.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
 
 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -271,6 +280,11 @@ make test
 %endif
 
 %changelog
+* Tue Mar 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-7
+- Fixed CVE-2019-20218 (#1791592)
+- Fixed CVE-2020-6405 (#1804823)
+- Fixed CVE-2020-0327 (#1816572)
+
 * Thu Jan 23 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-6
 - Fixed issues found by covscan