diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch
new file mode 100644
index 0000000..ec015ab
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch
@@ -0,0 +1,73 @@
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+---
+ src/printf.c | 12 ++++++++++++
+ test/printf.test | 16 +++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/printf.c b/src/printf.c
+index 7bce83f..260bf79 100644
+--- a/src/printf.c
++++ b/src/printf.c
+@@ -165,6 +165,13 @@ static char *getTextArg(PrintfArguments *p){
+ #endif
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
+
++/*
++** Hard limit on the precision of floating-point conversions.
++*/
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
+ /*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+@@ -471,6 +478,11 @@ void sqlite3_str_vappendf(
+ length = 0;
+ #else
+ if( precision<0 ) precision = 6; /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++ if( precision>SQLITE_FP_PRECISION_LIMIT ){
++ precision = SQLITE_FP_PRECISION_LIMIT;
++ }
++#endif
+ if( realvalue<0.0 ){
+ realvalue = -realvalue;
+ prefix = '-';
+diff --git a/test/printf.test b/test/printf.test
+index d768898..a2b5e2a 100644
+--- a/test/printf.test
++++ b/test/printf.test
+@@ -538,9 +538,11 @@ do_test printf-2.1.2.8 {
+ do_test printf-2.1.2.9 {
+ sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
+ } {abc: 1 1 (1e-20) :xyz}
+-do_test printf-2.1.2.10 {
+- sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+-} {abc: }
++if {$SQLITE_MAX_LENGTH<=[expr 1000*1000*1000]} {
++ do_test printf-2.1.2.10 {
++ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
++ } {}
++}
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
+@@ -3777,4 +3779,12 @@ foreach ::iRepeat {0 1} {
+ }
+ }
+
++# 2020-05-23
++# ticket 23439ea582241138
++#
++do_execsql_test printf-16.1 {
++ SELECT printf('%.*g',2147483647,0.01);
++} {0.01}
++
++
+ finish_test
+--
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
index 626e5be..0813c9a 100644
--- a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
@@ -3,9 +3,9 @@ Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
---
src/alter.c | 5 ++++-
- src/build.c | 28 ++++++++++++++++++++++------
+ src/build.c | 29 +++++++++++++++++++++++------
src/sqliteInt.h | 5 +++++
- 3 files changed, 31 insertions(+), 7 deletions(-)
+ 3 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/src/alter.c b/src/alter.c
index 1280e90..0fa24c0 100644
@@ -24,10 +24,10 @@ index 1280e90..0fa24c0 100644
"there is already another table or index with this name: %s", zName);
goto exit_rename_table;
diff --git a/src/build.c b/src/build.c
-index e0fed8a..426428b 100644
+index e0fed8a..afe4171 100644
--- a/src/build.c
+++ b/src/build.c
-@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+@@ -1899,6 +1899,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
recomputeColumnsNotIndexed(pPk);
}
@@ -39,12 +39,13 @@ index e0fed8a..426428b 100644
+*/
+int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
+ int nName; /* Length of zName */
++ Module *pMod; /* Module for the virtual table */
+
+ if( !IsVirtual(pTab) ) return 0;
+ nName = sqlite3Strlen30(pTab->zName);
+ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
+ if( zName[nName]!='_' ) return 0;
-+ Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
++ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+ if( pMod==0 ) return 0;
+ if( pMod->pModule->iVersion<3 ) return 0;
+ if( pMod->pModule->xShadowName==0 ) return 0;
@@ -55,7 +56,7 @@ index e0fed8a..426428b 100644
#ifndef SQLITE_OMIT_VIRTUALTABLE
/*
** Return true if zName is a shadow table name in the current database
-@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+@@ -1910,7 +1932,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
static int isShadowTableName(sqlite3 *db, char *zName){
char *zTail; /* Pointer to the last "_" in zName */
Table *pTab; /* Table that zName is a shadow of */
@@ -63,7 +64,7 @@ index e0fed8a..426428b 100644
zTail = strrchr(zName, '_');
if( zTail==0 ) return 0;
-@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
+@@ -1919,11 +1940,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
*zTail = '_';
if( pTab==0 ) return 0;
if( !IsVirtual(pTab) ) return 0;
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch b/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch
new file mode 100644
index 0000000..2cff0ad
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch
@@ -0,0 +1,88 @@
+Subject: [PATCH] Fix a defect in the query-flattener optimization
+
+---
+ src/select.c | 8 ++++----
+ src/sqliteInt.h | 1 +
+ test/selectA.test | 22 ++++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index 88a43df..a513d36 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -2686,9 +2686,7 @@ static int multiSelect(
+ selectOpName(p->op)));
+ rc = sqlite3Select(pParse, p, &uniondest);
+ testcase( rc!=SQLITE_OK );
+- /* Query flattening in sqlite3Select() might refill p->pOrderBy.
+- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
+- sqlite3ExprListDelete(db, p->pOrderBy);
++ assert( p->pOrderBy==0 );
+ pDelete = p->pPrior;
+ p->pPrior = pPrior;
+ p->pOrderBy = 0;
+@@ -4010,7 +4008,7 @@ static int flattenSubquery(
+ ** We look at every expression in the outer query and every place we see
+ ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
+ */
+- if( pSub->pOrderBy ){
++ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
+ /* At this point, any non-zero iOrderByCol values indicate that the
+ ** ORDER BY column expression is identical to the iOrderByCol'th
+ ** expression returned by SELECT statement pSub. Since these values
+@@ -5633,6 +5631,8 @@ int sqlite3Select(
+ sqlite3ExprListDelete(db, p->pOrderBy);
+ p->pOrderBy = 0;
+ p->selFlags &= ~SF_Distinct;
++ p->selFlags |= SF_NoopOrderBy;
++
+ }
+ sqlite3SelectPrep(pParse, p, 0);
+ if( pParse->nErr || db->mallocFailed ){
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 76337f7..60b2ebd 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2874,6 +2874,7 @@ struct Select {
+ #define SF_Converted 0x10000 /* By convertCompoundSelectToSubquery() */
+ #define SF_IncludeHidden 0x20000 /* Include hidden columns in output */
+ #define SF_ComplexResult 0x40000 /* Result contains subquery or function */
++#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */
+
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+diff --git a/test/selectA.test b/test/selectA.test
+index 838e5f4..2626008 100644
+--- a/test/selectA.test
++++ b/test/selectA.test
+@@ -1446,5 +1446,27 @@ do_execsql_test 6.1 {
+ SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
+ } {12345}
+
++# 2020-06-15 ticket 8f157e8010b22af0
++#
++reset_db
++do_execsql_test 7.1 {
++ CREATE TABLE t1(c1); INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
++ CREATE TABLE t2(c2); INSERT INTO t2 VALUES(44),(55),(123);
++ CREATE TABLE t3(c3,c4); INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
++ CREATE VIEW t4 AS SELECT c3 FROM t3;
++ CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
++}
++do_execsql_test 7.2 {
++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
++} {123 123}
++do_execsql_test 7.3 {
++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
++} {123 123}
++do_execsql_test 7.4 {
++ CREATE TABLE a(b);
++ CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
++ SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
++} {}
++
+
+ finish_test
+--
+2.24.1
+
diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec
index c6a8107..48bd9a9 100644
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@@ -10,7 +10,7 @@
Summary: Library that implements an embeddable SQL database engine
Name: sqlite
Version: %{rpmver}
-Release: 11%{?dist}
+Release: 12%{?dist}
License: Public Domain
Group: Applications/Databases
URL: http://www.sqlite.org/
@@ -69,6 +69,12 @@ Patch23: sqlite-3.26.0-CVE-2020-13632.patch
Patch24: sqlite-3.26.0-CVE-2020-13631.patch
# Fix for CVE-2020-13630
Patch25: sqlite-3.26.0-CVE-2020-13630.patch
+# Fix for CVE-2020-13434
+# upstream commit: https://www.sqlite.org/src/info/d08d3405878d394e
+Patch26: sqlite-3.26.0-CVE-2020-13434.patch
+# Fix for CVE-2020-15358
+# upstream commit: https://www.sqlite.org/src/info/10fa79d00f8091e5
+Patch27: sqlite-3.26.0-CVE-2020-15358.patch
BuildRequires: ncurses-devel readline-devel glibc-devel
BuildRequires: autoconf
@@ -191,6 +197,9 @@ This package contains the analysis program for %{name}.
%patch23 -p1
%patch24 -p1
%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+
# Remove backup-file
rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -295,6 +304,10 @@ make test
%endif
%changelog
+* Mon Aug 17 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-12
+- Fixed CVE-2020-13434 (#1845843)
+- Fixed CVE-2020-15358 (#1855208)
+
* Fri Aug 07 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-11
- Fixed bug in CVE-2019-20218 (#1791592)