diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch
new file mode 100644
index 0000000..ec015ab
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch
@@ -0,0 +1,73 @@
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+---
+ src/printf.c | 12 ++++++++++++
+ test/printf.test | 16 +++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/printf.c b/src/printf.c
+index 7bce83f..260bf79 100644
+--- a/src/printf.c
++++ b/src/printf.c
+@@ -165,6 +165,13 @@ static char *getTextArg(PrintfArguments *p){
+ #endif
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
+
++/*
++** Hard limit on the precision of floating-point conversions.
++*/
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
+ /*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+@@ -471,6 +478,11 @@ void sqlite3_str_vappendf(
+ length = 0;
+ #else
+ if( precision<0 ) precision = 6; /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++ if( precision>SQLITE_FP_PRECISION_LIMIT ){
++ precision = SQLITE_FP_PRECISION_LIMIT;
++ }
++#endif
+ if( realvalue<0.0 ){
+ realvalue = -realvalue;
+ prefix = '-';
+diff --git a/test/printf.test b/test/printf.test
+index d768898..a2b5e2a 100644
+--- a/test/printf.test
++++ b/test/printf.test
+@@ -538,9 +538,11 @@ do_test printf-2.1.2.8 {
+ do_test printf-2.1.2.9 {
+ sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
+ } {abc: 1 1 (1e-20) :xyz}
+-do_test printf-2.1.2.10 {
+- sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+-} {abc: }
++if {$SQLITE_MAX_LENGTH<=[expr 1000*1000*1000]} {
++ do_test printf-2.1.2.10 {
++ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
++ } {}
++}
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
+@@ -3777,4 +3779,12 @@ foreach ::iRepeat {0 1} {
+ }
+ }
+
++# 2020-05-23
++# ticket 23439ea582241138
++#
++do_execsql_test printf-16.1 {
++ SELECT printf('%.*g',2147483647,0.01);
++} {0.01}
++
++
+ finish_test
+--
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
index 626e5be..0813c9a 100644
--- a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
@@ -3,9 +3,9 @@ Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
 
 ---
  src/alter.c | 5 ++++-
- src/build.c | 28 ++++++++++++++++++++++------
+ src/build.c | 29 +++++++++++++++++++++++------
  src/sqliteInt.h | 5 +++++
- 3 files changed, 31 insertions(+), 7 deletions(-)
+ 3 files changed, 32 insertions(+), 7 deletions(-)
 
 diff --git a/src/alter.c b/src/alter.c
 index 1280e90..0fa24c0 100644
@@ -24,10 +24,10 @@ index 1280e90..0fa24c0 100644
  "there is already another table or index with this name: %s", zName);
  goto exit_rename_table;
 diff --git a/src/build.c b/src/build.c
-index e0fed8a..426428b 100644
+index e0fed8a..afe4171 100644
 --- a/src/build.c
 +++ b/src/build.c
-@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+@@ -1899,6 +1899,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
  recomputeColumnsNotIndexed(pPk);
  }
@@ -39,12 +39,13 @@ index e0fed8a..426428b 100644
 +*/
 +int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
 + int nName; /* Length of zName */
++ Module *pMod; /* Module for the virtual table */
 +
 + if( !IsVirtual(pTab) ) return 0;
 + nName = sqlite3Strlen30(pTab->zName);
 + if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
 + if( zName[nName]!='_' ) return 0;
-+ Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
++ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
 + if( pMod==0 ) return 0;
 + if( pMod->pModule->iVersion<3 ) return 0;
 + if( pMod->pModule->xShadowName==0 ) return 0;
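Review bot: The guard and the macro it defines do not match in the printf.c hunk of the new CVE-2020-13434 patch: `#ifndef SQLITE_PRINTF_PRECISION_LIMIT` wraps `# define SQLITE_FP_PRECISION_LIMIT 100000000`, so a build that predefines SQLITE_FP_PRECISION_LIMIT to tune the cap gets a macro redefinition instead of an override, and the guard can never suppress the define. The guard line should read `#ifndef SQLITE_FP_PRECISION_LIMIT`. The clamp itself is placed right after the default precision is applied, which is the right spot, but sqlite3_str_vappendf continues outside the hunk, so the code that later consumes `precision` is not visible here.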
@@ -55,7 +56,7 @@ index e0fed8a..426428b 100644
  #ifndef SQLITE_OMIT_VIRTUALTABLE
  /*
  ** Return true if zName is a shadow table name in the current database
-@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+@@ -1910,7 +1932,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
  static int isShadowTableName(sqlite3 *db, char *zName){
  char *zTail; /* Pointer to the last "_" in zName */
  Table *pTab; /* Table that zName is a shadow of */
@@ -63,7 +64,7 @@ index e0fed8a..426428b 100644
 
  zTail = strrchr(zName, '_');
  if( zTail==0 ) return 0;
-@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
+@@ -1919,11 +1940,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
  *zTail = '_';
  if( pTab==0 ) return 0;
  if( !IsVirtual(pTab) ) return 0;
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch b/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch
new file mode 100644
index 0000000..2cff0ad
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch
@@ -0,0 +1,88 @@
+Subject: [PATCH] Fix a defect in the query-flattener optimization
+
+---
+ src/select.c | 8 ++++----
+ src/sqliteInt.h | 1 +
+ test/selectA.test | 22 ++++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index 88a43df..a513d36 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -2686,9 +2686,7 @@ static int multiSelect(
+ selectOpName(p->op)));
+ rc = sqlite3Select(pParse, p, &uniondest);
+ testcase( rc!=SQLITE_OK );
+- /* Query flattening in sqlite3Select() might refill p->pOrderBy.
+- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
+- sqlite3ExprListDelete(db, p->pOrderBy);
++ assert( p->pOrderBy==0 );
+ pDelete = p->pPrior;
+ p->pPrior = pPrior;
+ p->pOrderBy = 0;
+@@ -4010,7 +4008,7 @@ static int flattenSubquery(
+ ** We look at every expression in the outer query and every place we see
+ ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
+ */
+- if( pSub->pOrderBy ){
++ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
+ /* At this point, any non-zero iOrderByCol values indicate that the
+ ** ORDER BY column expression is identical to the iOrderByCol'th
+ ** expression returned by SELECT statement pSub. Since these values
+@@ -5633,6 +5631,8 @@ int sqlite3Select(
+ sqlite3ExprListDelete(db, p->pOrderBy);
+ p->pOrderBy = 0;
+ p->selFlags &= ~SF_Distinct;
++ p->selFlags |= SF_NoopOrderBy;
++
+ }
+ sqlite3SelectPrep(pParse, p, 0);
+ if( pParse->nErr || db->mallocFailed ){
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 76337f7..60b2ebd 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2874,6 +2874,7 @@ struct Select {
+ #define SF_Converted 0x10000 /* By convertCompoundSelectToSubquery() */
+ #define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
+ #define SF_ComplexResult 0x40000 /* Result contains subquery or function */
++#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */
+
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+diff --git a/test/selectA.test b/test/selectA.test
+index 838e5f4..2626008 100644
+--- a/test/selectA.test
++++ b/test/selectA.test
+@@ -1446,5 +1446,27 @@ do_execsql_test 6.1 {
+ SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
+ } {12345}
+
++# 2020-06-15 ticket 8f157e8010b22af0
++#
++reset_db
++do_execsql_test 7.1 {
++ CREATE TABLE t1(c1); INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
++ CREATE TABLE t2(c2); INSERT INTO t2 VALUES(44),(55),(123);
++ CREATE TABLE t3(c3,c4); INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
++ CREATE VIEW t4 AS SELECT c3 FROM t3;
++ CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
++}
++do_execsql_test 7.2 {
++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
++} {123 123}
++do_execsql_test 7.3 {
++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
++} {123 123}
++do_execsql_test 7.4 {
++ CREATE TABLE a(b);
++ CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
++ SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
++} {}
++
+
+ finish_test
+--
+2.24.1
+
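Review bot: In the multiSelect hunk the unconditional `sqlite3ExprListDelete(db, p->pOrderBy)` becomes `assert( p->pOrderBy==0 )`, and `p->pOrderBy = 0;` three lines later still overwrites the pointer; in a build where assert() is compiled out, any path that still leaves an ORDER BY list on p would now leak silently instead of being freed, so the new invariant deserves a comment at that spot, e.g. `/* SF_NoopOrderBy keeps flattenSubquery() from refilling p->pOrderBy, so there is nothing to free here */`. The flag value `0x0400000` is written with one more digit than its neighbours and skips bits 0x80000-0x200000; that is harmless only if no other SF_ value in the 3.26.0 header (outside the hunk) already uses bit 22, which is worth confirming since the value presumably comes from a newer header. multiSelect, flattenSubquery and sqlite3Select all begin and end outside their hunks.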
diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec
index c6a8107..48bd9a9 100644
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@@ -10,7 +10,7 @@ Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@@ -69,6 +69,12 @@ Patch23: sqlite-3.26.0-CVE-2020-13632.patch
 Patch24: sqlite-3.26.0-CVE-2020-13631.patch
 # Fix for CVE-2020-13630
 Patch25: sqlite-3.26.0-CVE-2020-13630.patch
+# Fix for CVE-2020-13434
+# upstream commit: https://www.sqlite.org/src/info/d08d3405878d394e
+Patch26: sqlite-3.26.0-CVE-2020-13434.patch
+# Fix for CVE-2020-15358
+# upstream commit: https://www.sqlite.org/src/info/10fa79d00f8091e5
+Patch27: sqlite-3.26.0-CVE-2020-15358.patch
 
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -191,6 +197,9 @@ This package contains the analysis program for %{name}.
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
+%patch27 -p1
+
 
 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -295,6 +304,10 @@ make test
 %endif
 
 %changelog
+* Mon Aug 17 2020 Ondrej Dubaj - 3.26.0-12
+- Fixed CVE-2020-13434 (#1845843)
+- Fixed CVE-2020-15358 (#1855208)
+
 * Fri Aug 07 2020 Ondrej Dubaj - 3.26.0-11
 - Fixed bug in CVE-2019-20218 (#1791592)