From d8894c37345f89baf174882928bd57efbd7bf509 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 14 2020 01:59:52 +0000 Subject: import sqlite-3.26.0-10.el8 --- diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13630.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13630.patch new file mode 100644 index 0000000..17525f6 --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2020-13630.patch @@ -0,0 +1,88 @@ +Subject: [PATCH] Fix a use-after-free bug in the fts3 snippet() function. + +--- + ext/fts3/fts3.c | 1 + + test/fts3snippet2.test | 59 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 60 insertions(+) + create mode 100644 test/fts3snippet2.test + +diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c +index 84fc8a5..9ddd201 100644 +--- a/ext/fts3/fts3.c ++++ b/ext/fts3/fts3.c +@@ -5213,6 +5213,7 @@ static void fts3EvalNextRow( + fts3EvalNextRow(pCsr, pLeft, pRc); + } + } ++ pRight->bEof = pLeft->bEof = 1; + } + } + break; +diff --git a/test/fts3snippet2.test b/test/fts3snippet2.test +new file mode 100644 +index 0000000..607b01e +--- /dev/null ++++ b/test/fts3snippet2.test +@@ -0,0 +1,59 @@ ++# 2020-05-14 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. ++# ++#************************************************************************* ++# ++# The tests in this file test the FTS3 auxillary functions offsets(), ++# snippet() and matchinfo() work. At time of writing, running this file ++# provides full coverage of fts3_snippet.c. ++# ++ ++set testdir [file dirname $argv0] ++source $testdir/tester.tcl ++set testprefix fts3snippet ++ ++# If SQLITE_ENABLE_FTS3 is not defined, omit this file. ++ifcapable !fts3 { finish_test ; return } ++source $testdir/fts3_common.tcl ++ ++set sqlite_fts3_enable_parentheses 1 ++#------------------------------------------------------------------------- ++# Request a snippet from a query with more than 64 phrases. ++# ++reset_db ++do_execsql_test 1.0 { ++ CREATE VIRTUAL TABLE f USING fts3(b); ++ INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218'); ++} ++ ++do_execsql_test 1.1 { ++ SELECT length(snippet(f))>0 FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42'; ++} {1} ++ ++reset_db ++do_execsql_test 2.0 { ++ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY); ++ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb'); ++ SELECT snippet(t0) FROM t0 WHERE t0 MATCH x'0a4d4d4d4d320a4f52d70a310a310a4e4541520a0a31f6ce0a4f520a0a310a310a310a4f520a75fc2a242424' ; ++} {1} ++ ++reset_db ++do_execsql_test 2.1 { ++ CREATE VIRTUAL TABLE t0 USING fts3( ++ col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY ++ ); ++ INSERT INTO t0 VALUES ('one', '1234','aaaa','bbbb'); ++} ++do_execsql_test 2.2 { ++ SELECT snippet(t0) FROM t0 WHERE t0 MATCH ++ '(def AND (one NEAR abc)) OR one' ++} {one} ++ ++set sqlite_fts3_enable_parentheses 0 ++finish_test +-- +2.24.1 + diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch new file mode 100644 index 0000000..626e5be --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch @@ -0,0 +1,97 @@ +Subject: [PATCH] Do not allow a virtual table to be renamed into the name of + one of its shadows. + +--- + src/alter.c | 5 ++++- + src/build.c | 28 ++++++++++++++++++++++------ + src/sqliteInt.h | 5 +++++ + 3 files changed, 31 insertions(+), 7 deletions(-) + +diff --git a/src/alter.c b/src/alter.c +index 1280e90..0fa24c0 100644 +--- a/src/alter.c ++++ b/src/alter.c +@@ -117,7 +117,10 @@ void sqlite3AlterRenameTable( + /* Check that a table or index named 'zName' does not already exist + ** in database iDb. If so, this is an error. + */ +- if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){ ++ if( sqlite3FindTable(db, zName, zDb) ++ || sqlite3FindIndex(db, zName, zDb) ++ || sqlite3IsShadowTableOf(db, pTab, zName) ++ ){ + sqlite3ErrorMsg(pParse, + "there is already another table or index with this name: %s", zName); + goto exit_rename_table; +diff --git a/src/build.c b/src/build.c +index e0fed8a..426428b 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ + recomputeColumnsNotIndexed(pPk); + } + ++ ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++/* ++** Return true if pTab is a virtual table and zName is a shadow table name ++** for that virtual table. ++*/ ++int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){ ++ int nName; /* Length of zName */ ++ ++ if( !IsVirtual(pTab) ) return 0; ++ nName = sqlite3Strlen30(pTab->zName); ++ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0; ++ if( zName[nName]!='_' ) return 0; ++ Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); ++ if( pMod==0 ) return 0; ++ if( pMod->pModule->iVersion<3 ) return 0; ++ if( pMod->pModule->xShadowName==0 ) return 0; ++ return pMod->pModule->xShadowName(zName+nName+1); ++} ++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ ++ + #ifndef SQLITE_OMIT_VIRTUALTABLE + /* + ** Return true if zName is a shadow table name in the current database +@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ + static int isShadowTableName(sqlite3 *db, char *zName){ + char *zTail; /* Pointer to the last "_" in zName */ + Table *pTab; /* Table that zName is a shadow of */ +- Module *pMod; /* Module for the virtual table */ + + zTail = strrchr(zName, '_'); + if( zTail==0 ) return 0; +@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){ + *zTail = '_'; + if( pTab==0 ) return 0; + if( !IsVirtual(pTab) ) return 0; +- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); +- if( pMod==0 ) return 0; +- if( pMod->pModule->iVersion<3 ) return 0; +- if( pMod->pModule->xShadowName==0 ) return 0; +- return pMod->pModule->xShadowName(zTail+1); ++ return sqlite3IsShadowTableOf(db, pTab, zName); + } + #else + # define isShadowTableName(x,y) 0 +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index b7d3571..76337f7 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -4407,6 +4407,11 @@ void sqlite3AutoLoadExtensions(sqlite3*); + ); + # define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0) + #endif ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*); ++#else ++# define sqlite3IsShadowTableOf(A,B,C) 0 ++#endif + int sqlite3VtabEponymousTableInit(Parse*,Module*); + void sqlite3VtabEponymousTableClear(sqlite3*,Module*); + void sqlite3VtabMakeWritable(Parse*,Table*); +-- +2.24.1 + diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13632.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13632.patch new file mode 100644 index 0000000..f72b8d9 --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2020-13632.patch @@ -0,0 +1,67 @@ +Subject: [PATCH] Fix a null pointer deference that can occur on a strange + matchinfo() query. + +--- + ext/fts3/fts3_snippet.c | 2 +- + test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 1 deletion(-) + create mode 100644 test/fts3matchinfo2.test + +diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c +index a0771c0..5778620 100644 +--- a/ext/fts3/fts3_snippet.c ++++ b/ext/fts3/fts3_snippet.c +@@ -869,7 +869,7 @@ static void fts3ExprLHits( + iStart = pExpr->iPhrase * ((p->nCol + 31) / 32); + } + +- while( 1 ){ ++ if( pIter ) while( 1 ){ + int nHit = fts3ColumnlistCount(&pIter); + if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){ + if( p->flag==FTS3_MATCHINFO_LHITS ){ +diff --git a/test/fts3matchinfo2.test b/test/fts3matchinfo2.test +new file mode 100644 +index 0000000..d6b3ad0 +--- /dev/null ++++ b/test/fts3matchinfo2.test +@@ -0,0 +1,35 @@ ++# 2020-05-14 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. ++# ++#*********************************************************************** ++# This file implements regression tests for the FTS3 module. The focus ++# of this file is tables created with the "matchinfo=fts3" option. ++# ++ ++set testdir [file dirname $argv0] ++source $testdir/tester.tcl ++ ++# If SQLITE_ENABLE_FTS3 is not defined, omit this file. ++ifcapable !fts3 { finish_test ; return } ++ ++set sqlite_fts3_enable_parentheses 1 ++ ++# Crash case found by cyg0810 at gmail.com 2020-05-14. Reported to ++# chromium (which is not vulnerable) who kindly referred it to us. ++# ++do_execsql_test 1.0 { ++ CREATE TABLE t_content(col0 INTEGER); ++ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY); ++ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb'); ++ SELECT hex(matchinfo(t0,'yxy')) FROM t0 WHERE t0 MATCH x'2b0a312b0a312a312a2a0b5d0a0b0b0a312a0a0b0b0a312a0b310a392a0b0a27312a2a0b5d0a312a0b310a31315d0b310a312a316d2a0b313b15bceaa50a312a0b0a27312a2a0b5d0a312a0b310a312b0b2a310a312a0b2a0b2a0b2e5d0a0bff313336e34a2a312a0b0a3c310b0a0b4b4b0b4b2a4bec40322b2a0b310a0a312a0a0a0a0a0a0a0a0a0b310a312a2a2a0b5d0a0b0b0a312a0b310a312a0b0a4e4541530b310a5df5ced70a0a0a0a0a4f520a0a0a0a0a0a0a312a0b0a4e4541520b310a5d616161610a0a0a0a4f520a0a0a0a0a0a312b0a312a312a0a0a0a0a0a0a004a0b0a310b220a0b0a310a4a22310a0b0a7e6fe0e0e030e0e0e0e0e01176e02000e0e0e0e0e01131320226310a0b0a310a4a22310a0b0a310a766f8b8b4ee0e0300ae0090909090909090909090909090909090909090909090909090909090909090947aaaa540b09090909090909090909090909090909090909090909090909090909090909fae0e0f2f22164e0e0f273e07fefefef7d6dfafafafa6d6d6d6d'; ++} {/000000.*0000000/} ++ ++ ++set sqlite_fts3_enable_parentheses 0 ++finish_test +\ No newline at end of file +-- +2.24.1 + diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec index b0a11b6..526fe90 100644 --- a/SPECS/sqlite.spec +++ b/SPECS/sqlite.spec @@ -10,7 +10,7 @@ Summary: Library that implements an embeddable SQL database engine Name: sqlite Version: %{rpmver} -Release: 9%{?dist} +Release: 10%{?dist} License: Public Domain Group: Applications/Databases URL: http://www.sqlite.org/ @@ -63,6 +63,12 @@ Patch20: sqlite-3.26.0-CVE-2020-9327.patch Patch21: sqlite-3.26.0-CVE-2019-16168.patch # Fix for CVE-2019-5018 Patch22: sqlite-3.26.0-CVE-2019-5018.patch +# Fix for CVE-2020-13632 +Patch23: sqlite-3.26.0-CVE-2020-13632.patch +# Fix for CVE-2020-13631 +Patch24: sqlite-3.26.0-CVE-2020-13631.patch +# Fix for CVE-2020-13630 +Patch25: sqlite-3.26.0-CVE-2020-13630.patch BuildRequires: ncurses-devel readline-devel glibc-devel BuildRequires: autoconf @@ -182,6 +188,9 @@ This package contains the analysis program for %{name}. %patch20 -p1 %patch21 -p1 %patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 # Remove backup-file rm -f %{name}-doc-%{docver}/sqlite.css~ || : @@ -286,6 +295,11 @@ make test %endif %changelog +* Wed Jun 10 2020 Ondrej Dubaj - 3.26.0-10 +- Fixed CVE-2020-13632 (#1845572) +- Fixed CVE-2020-13631 (#1845474) +- Fixed CVE-2020-13630 (#1845153) + * Tue Jun 02 2020 Ondrej Dubaj - 3.26.0-9 - Fixed CVE-2019-5018 (#1721509)