diff --git a/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch b/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch
new file mode 100644
index 0000000..cda14f1
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2019-20218.patch
@@ -0,0 +1,26 @@
+From 8fd3688e01f5839120d7477ca94e013f5809edcf Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Tue, 24 Mar 2020 11:33:04 +0100
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error.
+
+---
+ src/select.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/select.c b/src/select.c
+index 0205a08..bbd13a4 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -4910,7 +4910,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+ 
+ /* Process NATURAL keywords, and ON and USING clauses of joins.
+ */
+- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+ return WRC_Abort;
+ }
+ 
+-- 
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-6405.patch b/SOURCES/sqlite-3.26.0-CVE-2020-6405.patch
new file mode 100644
index 0000000..cf1fff5
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-6405.patch
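Review bot: None of the three added patch files (this one, sqlite-3.26.0-CVE-2020-6405.patch and sqlite-3.26.0-CVE-2020-9327.patch) records which upstream SQLite check-in its hunk was backported from; each carries only a local format-patch header with the packager's name, a date and a subject, so a reviewer cannot match the backport against upstream without re-deriving it from the code. I would add a provenance line under the Subject of each, e.g. `Upstream: <check-in id or URL of the upstream fix>` together with the tracking bug number, which also keeps the CVE-to-fix mapping auditable when the package is rebased. The `From:` lines appear to have lost their e-mail address on this page, so that part is likely an extraction artifact rather than file content.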
@@ -0,0 +1,27 @@
+From 1668926bc3c7da0b2870a60382b179a0e3edb5de Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Thu, 26 Mar 2020 08:14:29 +0100
+Subject: [PATCH] Do not allow the constant-propagation optimization to apple
+ to ON/USING clause terms as it does not help and it might cause downstream
+ problems.
+
+---
+ src/select.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/select.c b/src/select.c
+index bbd13a4..88a43df 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -4171,7 +4171,7 @@ static int propagateConstantExprRewrite(Walker *pWalker, Expr *pExpr){
+ int i;
+ WhereConst *pConst;
+ if( pExpr->op!=TK_COLUMN ) return WRC_Continue;
+- if( ExprHasProperty(pExpr, EP_FixedCol) ) return WRC_Continue;
++ if( ExprHasProperty(pExpr, EP_FixedCol|EP_FromJoin) ) return WRC_Continue;
+ pConst = pWalker->u.pConst;
+ for(i=0; inConst; i++){
+ Expr *pColumn = pConst->apExpr[i*2];
+-- 
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-9327.patch b/SOURCES/sqlite-3.26.0-CVE-2020-9327.patch
new file mode 100644
index 0000000..24b1eb9
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-9327.patch
@@ -0,0 +1,106 @@
+From 2d788539b0018d34d3cabb328387ba6bec41ec42 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Thu, 26 Mar 2020 09:43:43 +0100
+Subject: [PATCH] NULL pointer dereference and segmentation fault because of
+ generated column optimizations
+
+Take care when checking the table of a TK_COLUMN expression node to
+see if the table is a virtual table to first ensure that the
+Expr.y.pTab pointer is not null due to generated column optimizations.
+---
+ src/expr.c | 13 ++++++++++---
+ src/sqliteInt.h | 3 +++
+ src/whereexpr.c | 12 ++++++++----
+ 3 files changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index b081ca2..5f98f76 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -4901,18 +4901,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
+ case TK_LT:
+ case TK_LE:
+ case TK_GT:
+- case TK_GE:
++ case TK_GE: {
++ Expr *pLeft = pExpr->pLeft;
++ Expr *pRight = pExpr->pRight;
+ testcase( pExpr->op==TK_EQ );
+ testcase( pExpr->op==TK_NE );
+ testcase( pExpr->op==TK_LT );
+ testcase( pExpr->op==TK_LE );
+ testcase( pExpr->op==TK_GT );
+ testcase( pExpr->op==TK_GE );
+- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab))
+- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab))
++ /* The y.pTab=0 assignment in wherecode.c always happens after the
++ ** impliesNotNullRow() test */
++ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)
++ && IsVirtual(pLeft->y.pTab))
++ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)
++ && IsVirtual(pRight->y.pTab))
+ ){
+ return WRC_Prune;
+ }
++ }
+ default:
+ return WRC_Continue;
+ }
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 051aa40..5f5f3cc 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2014,8 +2014,11 @@ struct Table {
+ */
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ # define IsVirtual(X) ((X)->nModuleArg)
++# define ExprIsVtab(X) \
++ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)
+ #else
+ # define IsVirtual(X) 0
++# define ExprIsVtab(X) 0
+ #endif
+ 
+ /*
+diff --git a/src/whereexpr.c b/src/whereexpr.c
+index dbb7f0d..9d2813a 100644
+--- a/src/whereexpr.c
++++ b/src/whereexpr.c
+@@ -382,7 +382,8 @@ static int isAuxiliaryVtabOperator(
+ ** MATCH(expression,vtab_column)
+ */
+ pCol = pList->a[1].pExpr;
+- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++ if( ExprIsVtab(pCol) ){
+ for(i=0; iu.zToken, aOp[i].zOp)==0 ){
+ *peOp2 = aOp[i].eOp2;
+@@ -404,7 +405,8 @@ static int isAuxiliaryVtabOperator(
+ ** with function names in an arbitrary case.
+ */
+ pCol = pList->a[0].pExpr;
+- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++ if( ExprIsVtab(pCol) ){
+ sqlite3_vtab *pVtab;
+ sqlite3_module *pMod;
+ void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);
+@@ -427,10 +429,12 @@ static int isAuxiliaryVtabOperator(
+ int res = 0;
+ Expr *pLeft = pExpr->pLeft;
+ Expr *pRight = pExpr->pRight;
+- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){
++ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
++ if( ExprIsVtab(pLeft) ){
+ res++;
+ }
+- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){
++ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
++ if( pRight && ExprIsVtab(pRight) ){
+ res++;
+ SWAP(Expr*, pLeft, pRight);
+ }
+-- 
+2.24.1
+
diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec
index fb381f2..d586e91 100644
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
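Review bot: The expr.c hunk of this patch guards the dereference with `ALWAYS(pLeft->y.pTab!=0)` instead of the `ExprIsVtab()` macro the same patch introduces for whereexpr.c, and the reason is only given by the in-code comment about the ordering of the `y.pTab=0` assignment in wherecode.c. If this tree's `ALWAYS()` follows the usual sqliteInt.h definition, it expands to `(1)` in SQLITE_COVERAGE_TEST/SQLITE_MUTATION_TEST builds, so in those configurations the null test is compiled out and the fix rests entirely on that ordering guarantee; this matches the shape of the upstream fix and should stay byte-faithful to it, but the backport's header is the place to say so. I would add one sentence after the description paragraph noting that impliesNotNullRow() deliberately keeps the `ALWAYS()` form because the null case is believed unreachable there, whereas the whereexpr.c call sites can see a null `y.pTab` and therefore use `ExprIsVtab()`. The whereexpr.c context line `for(i=0; iu.zToken, aOp[i].zOp)==0 ){` looks like two source lines fused by extraction on this page rather than content of the patch file.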
@@ -51,8 +51,14 @@ Patch14: sqlite-3.26.0-CVE-2019-19923.patch
 Patch15: sqlite-3.26.0-CVE-2019-19925.patch
 # Fix for CVE-2019-19959
 Patch16: sqlite-3.26.0-CVE-2019-19959.patch
-# Fix fr issues found by covscan
+# Fix for issues found by covscan
 Patch17: sqlite-3.26.0-zPath-covscan.patch
+# Fix for CVE-2019-20218
+Patch18: sqlite-3.26.0-CVE-2019-20218.patch
+# Fix for CVE-2020-6405
+Patch19: sqlite-3.26.0-CVE-2020-6405.patch
+# Fix for CVE-2020-9327
+Patch20: sqlite-3.26.0-CVE-2020-9327.patch
 
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -167,6 +173,9 @@ This package contains the analysis program for %{name}.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
 
 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -271,6 +280,11 @@ make test
 %endif
 
 %changelog
+* Tue Mar 24 2020 Ondrej Dubaj - 3.26.0-7
+- Fixed CVE-2019-20218 (#1791592)
+- Fixed CVE-2020-6405 (#1804823)
+- Fixed CVE-2020-0327 (#1816572)
+
 * Thu Jan 23 2020 Ondrej Dubaj - 3.26.0-6
 - Fixed issues found by covscan
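Review bot: The new changelog entry later in this file records the third fix as `- Fixed CVE-2020-0327 (#1816572)`, but the patch it refers to is declared in this hunk as `Patch20: sqlite-3.26.0-CVE-2020-9327.patch` under the comment `# Fix for CVE-2020-9327`; the changelog line should read `- Fixed CVE-2020-9327 (#1816572)` so that the RPM metadata, which errata and vulnerability-scanning tooling read to decide whether a host is fixed, points at the right advisory. The `Patch18`–`Patch20` declarations and the `%patch18 -p1` … `%patch20 -p1` applications in the second hunk are consistent with each other and with the order in which the three patch files are added. The changelog hunk itself runs past the end of what is shown here.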