diff --git a/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch b/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch index cda14f1..befc39b 100644 --- a/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch +++ b/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch @@ -1,18 +1,31 @@ -From 8fd3688e01f5839120d7477ca94e013f5809edcf Mon Sep 17 00:00:00 2001 +From ff5f246e41239cc4dd33ffa73883fa07f78674e1 Mon Sep 17 00:00:00 2001 From: Ondrej Dubaj -Date: Tue, 24 Mar 2020 11:33:04 +0100 +Date: Fri, 7 Aug 2020 07:00:29 +0200 Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object following an error. --- - src/select.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + src/select.c | 5 ++++- + src/util.c | 1 + + test/altertab2.test | 20 ++++++++++++++++++++ + test/with3.test | 10 +++++++++- + 4 files changed, 34 insertions(+), 2 deletions(-) diff --git a/src/select.c b/src/select.c -index 0205a08..bbd13a4 100644 +index c46f177..a6d1757 100644 --- a/src/select.c +++ b/src/select.c -@@ -4910,7 +4910,7 @@ static int selectExpander(Walker *pWalker, Select *p){ +@@ -4639,6 +4639,9 @@ static int withExpand( + With *pWith; /* WITH clause that pCte belongs to */ + + assert( pFrom->pTab==0 ); ++ if( pParse->nErr ){ ++ return SQLITE_ERROR; ++ } + + pCte = searchWith(pParse->pWith, pFrom, &pWith); + if( pCte ){ +@@ -4908,7 +4911,7 @@ static int selectExpander(Walker *pWalker, Select *p){ /* Process NATURAL keywords, and ON and USING clauses of joins. */ 
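Review bot: The guard added at the top of withExpand(), `if( pParse->nErr ){ return SQLITE_ERROR; }`, carries no comment, and neither does the `pParse->pWith = 0;` that the util.c hunk of the same patch adds to sqlite3ErrorMsg(); as far as these two hunks show, the pair means that once an error has been recorded the WITH stack is dropped rather than unwound, and a reader of either site alone cannot see why. I would put `/* pParse->pWith is cleared by sqlite3ErrorMsg(); bail out rather than unwind a stack that is no longer valid */` above the new check and a matching one-liner at the assignment in util.c. Both withExpand() and sqlite3ErrorMsg() begin and end outside their nested hunks, and the selectExpander() hunk in this file is only a line-number shift.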
@@ -21,6 +34,69 @@ index 0205a08..bbd13a4 100644 return WRC_Abort; } +diff --git a/src/util.c b/src/util.c +index 54f9b93..96b0b14 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -222,6 +222,7 @@ void sqlite3ErrorMsg(Parse *pParse, const char *zFormat, ...){ + sqlite3DbFree(db, pParse->zErrMsg); + pParse->zErrMsg = zMsg; + pParse->rc = SQLITE_ERROR; ++ pParse->pWith = 0; + } + } + +diff --git a/test/altertab2.test b/test/altertab2.test +index 2e4212c..2102e02 100644 +--- a/test/altertab2.test ++++ b/test/altertab2.test +@@ -85,5 +85,25 @@ do_execsql_test 2.3 { + {CREATE TABLE c3(x, FOREIGN KEY (x) REFERENCES "p3"(a))} + } + ++#------------------------------------------------------------------------ ++# ++reset_db ++do_execsql_test 3.0 { ++ CREATE TABLE v0 (a); ++ CREATE VIEW v2 (v3) AS ++ WITH x1 AS (SELECT * FROM v2) ++ SELECT v3 AS x, v3 AS y FROM v2; ++} ++ ++do_catchsql_test 3.1 { ++ SELECT * FROM v2 ++} {1 {view v2 is circularly defined}} ++ ++db close ++sqlite3 db test.db ++ ++do_catchsql_test 3.2 { ++ ALTER TABLE v0 RENAME TO t3 ; ++} {1 {error in view v2: view v2 is circularly defined}} + + finish_test +diff --git a/test/with3.test b/test/with3.test +index de150b1..4a3a5a7 100644 +--- a/test/with3.test ++++ b/test/with3.test +@@ -30,7 +30,15 @@ do_catchsql_test 1.0 { + SELECT 5 FROM t0 UNION SELECT 8 FROM m + ) + SELECT * FROM i; +-} {1 {no such table: m}} ++} {1 {no such table: t0}} ++ ++# 2019-11-09 dbfuzzcheck find ++do_catchsql_test 1.1 { ++ CREATE VIEW v1(x,y) AS ++ WITH t1(a,b) AS (VALUES(1,2)) ++ SELECT * FROM nosuchtable JOIN t1; ++ SELECT * FROM v1; ++} {1 {no such table: main.nosuchtable}} + + # Additional test cases that came out of the work to + # fix for Kostya's problem. -- -2.24.1 +2.26.0 diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch new file mode 100644 index 0000000..ec015ab --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch 
@@ -0,0 +1,73 @@
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+---
+ src/printf.c | 12 ++++++++++++
+ test/printf.test | 16 +++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/printf.c b/src/printf.c
+index 7bce83f..260bf79 100644
+--- a/src/printf.c
++++ b/src/printf.c
+@@ -165,6 +165,13 @@ static char *getTextArg(PrintfArguments *p){
+ #endif
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */
+ 
++/*
++** Hard limit on the precision of floating-point conversions.
++*/
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
+ /*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+@@ -471,6 +478,11 @@ void sqlite3_str_vappendf(
+ length = 0;
+ #else
+ if( precision<0 ) precision = 6; /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++ if( precision>SQLITE_FP_PRECISION_LIMIT ){
++ precision = SQLITE_FP_PRECISION_LIMIT;
++ }
++#endif
+ if( realvalue<0.0 ){
+ realvalue = -realvalue;
+ prefix = '-';
+diff --git a/test/printf.test b/test/printf.test
+index d768898..a2b5e2a 100644
+--- a/test/printf.test
++++ b/test/printf.test
+@@ -538,9 +538,11 @@ do_test printf-2.1.2.8 {
+ do_test printf-2.1.2.9 {
+ sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
+ } {abc: 1 1 (1e-20) :xyz}
+-do_test printf-2.1.2.10 {
+- sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+-} {abc: }
++if {$SQLITE_MAX_LENGTH<=[expr 1000*1000*1000]} {
++ do_test printf-2.1.2.10 {
++ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
++ } {}
++}
+ do_test printf-2.1.3.1 {
+ sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
+@@ -3777,4 +3779,12 @@ foreach ::iRepeat {0 1} {
+ }
+ }
+ 
++# 2020-05-23
++# ticket 23439ea582241138
++#
++do_execsql_test printf-16.1 {
++ SELECT printf('%.*g',2147483647,0.01);
++} {0.01}
++
++
+ finish_test
+-- +2.24.1 + diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch index 626e5be..0813c9a 100644 --- a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch +++ b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch @@ -3,9 +3,9 @@ Subject: [PATCH] Do not allow a virtual table to be renamed into the name of --- src/alter.c | 5 ++++- - src/build.c | 28 ++++++++++++++++++++++------ + src/build.c | 29 +++++++++++++++++++++++------ src/sqliteInt.h | 5 +++++ - 3 files changed, 31 insertions(+), 7 deletions(-) + 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/src/alter.c b/src/alter.c index 1280e90..0fa24c0 100644 @@ -24,10 +24,10 @@ index 1280e90..0fa24c0 100644 "there is already another table or index with this name: %s", zName); goto exit_rename_table; diff --git a/src/build.c b/src/build.c -index e0fed8a..426428b 100644 +index e0fed8a..afe4171 100644 --- a/src/build.c +++ b/src/build.c -@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ +@@ -1899,6 +1899,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ recomputeColumnsNotIndexed(pPk); } @@ -39,12 +39,13 @@ index e0fed8a..426428b 100644 +*/ +int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){ + int nName; /* Length of zName */ ++ Module *pMod; /* Module for the virtual table */ + + if( !IsVirtual(pTab) ) return 0; + nName = sqlite3Strlen30(pTab->zName); + if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0; + if( zName[nName]!='_' ) return 0; -+ Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); ++ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); + if( pMod==0 ) return 0; + if( pMod->pModule->iVersion<3 ) return 0; + if( pMod->pModule->xShadowName==0 ) return 0; 
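Review bot: In the printf.c hunk of the CVE-2020-13434 patch the guard and the definition use different macro names: `#ifndef SQLITE_PRINTF_PRECISION_LIMIT` wraps `# define SQLITE_FP_PRECISION_LIMIT 100000000`, while the clamp in sqlite3_str_vappendf() sits under `#ifdef SQLITE_FP_PRECISION_LIMIT`. A build that passes `-DSQLITE_PRINTF_PRECISION_LIMIT=...` to override the cap therefore leaves SQLITE_FP_PRECISION_LIMIT undefined, the clamp is compiled out and the unbounded precision this patch exists to remove is back, whereas `-DSQLITE_FP_PRECISION_LIMIT=...` collides with the unconditional define inside the block. The guard should read `#ifndef SQLITE_FP_PRECISION_LIMIT`. Unlike the CVE-2019-20218 patch this file carries no From/Date line or upstream reference beyond the Subject, so the spec comment is its only provenance; sqlite3_str_vappendf() begins and ends outside the nested hunk.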
@@ -55,7 +56,7 @@ index e0fed8a..426428b 100644 #ifndef SQLITE_OMIT_VIRTUALTABLE /* ** Return true if zName is a shadow table name in the current database -@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ +@@ -1910,7 +1932,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ static int isShadowTableName(sqlite3 *db, char *zName){ char *zTail; /* Pointer to the last "_" in zName */ Table *pTab; /* Table that zName is a shadow of */ @@ -63,7 +64,7 @@ index e0fed8a..426428b 100644 zTail = strrchr(zName, '_'); if( zTail==0 ) return 0; -@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){ +@@ -1919,11 +1940,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){ *zTail = '_'; if( pTab==0 ) return 0; if( !IsVirtual(pTab) ) return 0; diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch b/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch new file mode 100644 index 0000000..2cff0ad --- /dev/null +++ b/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch 
@@ -0,0 +1,88 @@ +Subject: [PATCH] Fix a defect in the query-flattener optimization + +--- + src/select.c | 8 ++++---- + src/sqliteInt.h | 1 + + test/selectA.test | 22 ++++++++++++++++++++++ + 3 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/src/select.c b/src/select.c +index 88a43df..a513d36 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -2686,9 +2686,7 @@ static int multiSelect( + selectOpName(p->op))); + rc = sqlite3Select(pParse, p, &uniondest); + testcase( rc!=SQLITE_OK ); +- /* Query flattening in sqlite3Select() might refill p->pOrderBy. +- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */ +- sqlite3ExprListDelete(db, p->pOrderBy); ++ assert( p->pOrderBy==0 ); + pDelete = p->pPrior; + p->pPrior = pPrior; + p->pOrderBy = 0; +@@ -4010,7 +4008,7 @@ static int flattenSubquery( + ** We look at every expression in the outer query and every place we see + ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10". + */ +- if( pSub->pOrderBy ){ ++ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){ + /* At this point, any non-zero iOrderByCol values indicate that the + ** ORDER BY column expression is identical to the iOrderByCol'th + ** expression returned by SELECT statement pSub. 
Since these values +@@ -5633,6 +5631,8 @@ int sqlite3Select( + sqlite3ExprListDelete(db, p->pOrderBy); + p->pOrderBy = 0; + p->selFlags &= ~SF_Distinct; ++ p->selFlags |= SF_NoopOrderBy; ++ + } + sqlite3SelectPrep(pParse, p, 0); + if( pParse->nErr || db->mallocFailed ){ +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 76337f7..60b2ebd 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -2874,6 +2874,7 @@ struct Select { + #define SF_Converted 0x10000 /* By convertCompoundSelectToSubquery() */ + #define SF_IncludeHidden 0x20000 /* Include hidden columns in output */ + #define SF_ComplexResult 0x40000 /* Result contains subquery or function */ ++#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */ + + /* + ** The results of a SELECT can be distributed in several ways, as defined +diff --git a/test/selectA.test b/test/selectA.test +index 838e5f4..2626008 100644 +--- a/test/selectA.test ++++ b/test/selectA.test +@@ -1446,5 +1446,27 @@ do_execsql_test 6.1 { + SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a; + } {12345} + ++# 2020-06-15 ticket 8f157e8010b22af0 ++# ++reset_db ++do_execsql_test 7.1 { ++ CREATE TABLE t1(c1); INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc'); ++ CREATE TABLE t2(c2); INSERT INTO t2 VALUES(44),(55),(123); ++ CREATE TABLE t3(c3,c4); INSERT INTO t3 VALUES(66,1),(123,2),(77,3); ++ CREATE VIEW t4 AS SELECT c3 FROM t3; ++ CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4; ++} ++do_execsql_test 7.2 { ++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123; ++} {123 123} ++do_execsql_test 7.3 { ++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123; ++} {123 123} ++do_execsql_test 7.4 { ++ CREATE TABLE a(b); ++ CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b; ++ SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c; ++} {} ++ + + finish_test +-- +2.24.1 + 
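Review bot: `SF_NoopOrderBy` is defined as `0x0400000` directly after `SF_ComplexResult 0x40000`, which leaves 0x80000 through 0x200000 unaccounted for in the visible list; if those bits are unused in this 3.26.0 tree the line should say the value was kept identical to upstream on purpose, and if they belong to flags outside the hunk it should name them, so a later backport does not pick a colliding bit. The sqlite3Select() hunk also leaves a stray empty line between `p->selFlags |= SF_NoopOrderBy;` and the closing brace that should be dropped. Replacing `sqlite3ExprListDelete(db, p->pOrderBy);` with `assert( p->pOrderBy==0 );` in multiSelect() means that in a build where assert() is compiled out any path that still refills p->pOrderBy would now leak the list instead of freeing it, which is presumably the intended trade but deserves a one-line comment pointing at the SF_NoopOrderBy test added to flattenSubquery(). multiSelect(), flattenSubquery() and sqlite3Select() all begin and end outside their nested hunks.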
diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec
index 526fe90..75f8760 100644
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 10%{?dist}
+Release: 13%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@@ -69,6 +69,12 @@ Patch23: sqlite-3.26.0-CVE-2020-13632.patch
 Patch24: sqlite-3.26.0-CVE-2020-13631.patch
 # Fix for CVE-2020-13630
 Patch25: sqlite-3.26.0-CVE-2020-13630.patch
+# Fix for CVE-2020-13434
+# upstream commit: https://www.sqlite.org/src/info/d08d3405878d394e
+Patch26: sqlite-3.26.0-CVE-2020-13434.patch
+# Fix for CVE-2020-15358
+# upstream commit: https://www.sqlite.org/src/info/10fa79d00f8091e5
+Patch27: sqlite-3.26.0-CVE-2020-15358.patch
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -191,6 +197,9 @@ This package contains the analysis program for %{name}.
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
+%patch27 -p1
+
 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -253,10 +262,6 @@ export MALLOC_CHECK_=3
 rm test/csv01.test
 %endif
-%ifarch s390x ppc64
-rm test/fts3conf.test
-%endif
-
 make test
 %endif # with check
@@ -295,6 +300,16 @@ make test
 %endif
 %changelog
+* Tue Dec 01 2020 Ondrej Dubaj - 3.26.0-13
+- enabled fts3conf.test on s390x and ppc64 architectures
+
+* Mon Aug 17 2020 Ondrej Dubaj - 3.26.0-12
+- Fixed CVE-2020-13434 (#1845843)
+- Fixed CVE-2020-15358 (#1855208)
+
+* Fri Aug 07 2020 Ondrej Dubaj - 3.26.0-11
+- Fixed bug in CVE-2019-20218 (#1791592)
+
 * Wed Jun 10 2020 Ondrej Dubaj - 3.26.0-10
 - Fixed CVE-2020-13632 (#1845572)
 - Fixed CVE-2020-13631 (#1845474)