diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13630.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13630.patch
new file mode 100644
index 0000000..17525f6
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13630.patch
@@ -0,0 +1,88 @@
+Subject: [PATCH] Fix a use-after-free bug in the fts3 snippet() function.
+
+---
+ ext/fts3/fts3.c | 1 +
+ test/fts3snippet2.test | 59 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 60 insertions(+)
+ create mode 100644 test/fts3snippet2.test
+
+diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
+index 84fc8a5..9ddd201 100644
+--- a/ext/fts3/fts3.c
++++ b/ext/fts3/fts3.c
+@@ -5213,6 +5213,7 @@ static void fts3EvalNextRow(
+ fts3EvalNextRow(pCsr, pLeft, pRc);
+ }
+ }
++ pRight->bEof = pLeft->bEof = 1;
+ }
+ }
+ break;
+diff --git a/test/fts3snippet2.test b/test/fts3snippet2.test
+new file mode 100644
+index 0000000..607b01e
+--- /dev/null
++++ b/test/fts3snippet2.test
+@@ -0,0 +1,59 @@
++# 2020-05-14
++#
++# The author disclaims copyright to this source code. In place of
++# a legal notice, here is a blessing:
++#
++# May you do good and not evil.
++# May you find forgiveness for yourself and forgive others.
++# May you share freely, never taking more than you give.
++#
++#*************************************************************************
++#
++# The tests in this file test the FTS3 auxillary functions offsets(),
++# snippet() and matchinfo() work. At time of writing, running this file
++# provides full coverage of fts3_snippet.c.
++#
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++set testprefix fts3snippet
++
++# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
++ifcapable !fts3 { finish_test ; return }
++source $testdir/fts3_common.tcl
++
++set sqlite_fts3_enable_parentheses 1
++#-------------------------------------------------------------------------
++# Request a snippet from a query with more than 64 phrases.
++#
++reset_db
++do_execsql_test 1.0 {
++ CREATE VIRTUAL TABLE f USING fts3(b);
++ INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218');
++}
++
++do_execsql_test 1.1 {
++ SELECT length(snippet(f))>0 FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42';
++} {1}
++
++reset_db
++do_execsql_test 2.0 {
++ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
++ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
++ SELECT snippet(t0) FROM t0 WHERE t0 MATCH x'0a4d4d4d4d320a4f52d70a310a310a4e4541520a0a31f6ce0a4f520a0a310a310a310a4f520a75fc2a242424' ;
++} {1}
++
++reset_db
++do_execsql_test 2.1 {
++ CREATE VIRTUAL TABLE t0 USING fts3(
++ col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY
++ );
++ INSERT INTO t0 VALUES ('one', '1234','aaaa','bbbb');
++}
++do_execsql_test 2.2 {
++ SELECT snippet(t0) FROM t0 WHERE t0 MATCH
++ '(def AND (one NEAR abc)) OR one'
++} {one}
++
++set sqlite_fts3_enable_parentheses 0
++finish_test
+--
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
new file mode 100644
index 0000000..626e5be
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
@@ -0,0 +1,97 @@
+Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
+ one of its shadows.
+
+---
+ src/alter.c | 5 ++++-
+ src/build.c | 28 ++++++++++++++++++++++------
+ src/sqliteInt.h | 5 +++++
+ 3 files changed, 31 insertions(+), 7 deletions(-)
+
+diff --git a/src/alter.c b/src/alter.c
+index 1280e90..0fa24c0 100644
+--- a/src/alter.c
++++ b/src/alter.c
+@@ -117,7 +117,10 @@ void sqlite3AlterRenameTable(
+ /* Check that a table or index named 'zName' does not already exist
+ ** in database iDb. If so, this is an error.
+ */
+- if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
++ if( sqlite3FindTable(db, zName, zDb)
++ || sqlite3FindIndex(db, zName, zDb)
++ || sqlite3IsShadowTableOf(db, pTab, zName)
++ ){
+ sqlite3ErrorMsg(pParse,
+ "there is already another table or index with this name: %s", zName);
+ goto exit_rename_table;
+diff --git a/src/build.c b/src/build.c
+index e0fed8a..426428b 100644
+--- a/src/build.c
++++ b/src/build.c
+@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+ recomputeColumnsNotIndexed(pPk);
+ }
+
++
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++/*
++** Return true if pTab is a virtual table and zName is a shadow table name
++** for that virtual table.
++*/
++int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
++ int nName; /* Length of zName */
++
++ if( !IsVirtual(pTab) ) return 0;
++ nName = sqlite3Strlen30(pTab->zName);
++ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
++ if( zName[nName]!='_' ) return 0;
++ Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
++ if( pMod==0 ) return 0;
++ if( pMod->pModule->iVersion<3 ) return 0;
++ if( pMod->pModule->xShadowName==0 ) return 0;
++ return pMod->pModule->xShadowName(zName+nName+1);
++}
++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
++
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ /*
+ ** Return true if zName is a shadow table name in the current database
+@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+ static int isShadowTableName(sqlite3 *db, char *zName){
+ char *zTail; /* Pointer to the last "_" in zName */
+ Table *pTab; /* Table that zName is a shadow of */
+- Module *pMod; /* Module for the virtual table */
+
+ zTail = strrchr(zName, '_');
+ if( zTail==0 ) return 0;
+@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
+ *zTail = '_';
+ if( pTab==0 ) return 0;
+ if( !IsVirtual(pTab) ) return 0;
+- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+- if( pMod==0 ) return 0;
+- if( pMod->pModule->iVersion<3 ) return 0;
+- if( pMod->pModule->xShadowName==0 ) return 0;
+- return pMod->pModule->xShadowName(zTail+1);
++ return sqlite3IsShadowTableOf(db, pTab, zName);
+ }
+ #else
+ # define isShadowTableName(x,y) 0
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index b7d3571..76337f7 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -4407,6 +4407,11 @@ void sqlite3AutoLoadExtensions(sqlite3*);
+ );
+ # define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0)
+ #endif
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++ int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*);
++#else
++# define sqlite3IsShadowTableOf(A,B,C) 0
++#endif
+ int sqlite3VtabEponymousTableInit(Parse*,Module*);
+ void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
+ void sqlite3VtabMakeWritable(Parse*,Table*);
+--
+2.24.1
+
diff --git a/SOURCES/sqlite-3.26.0-CVE-2020-13632.patch b/SOURCES/sqlite-3.26.0-CVE-2020-13632.patch
new file mode 100644
index 0000000..f72b8d9
--- /dev/null
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13632.patch
@@ -0,0 +1,67 @@
+Subject: [PATCH] Fix a null pointer deference that can occur on a strange
+ matchinfo() query.
+
+---
+ ext/fts3/fts3_snippet.c | 2 +-
+ test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 test/fts3matchinfo2.test
+
+diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c
+index a0771c0..5778620 100644
+--- a/ext/fts3/fts3_snippet.c
++++ b/ext/fts3/fts3_snippet.c
+@@ -869,7 +869,7 @@ static void fts3ExprLHits(
+ iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+ }
+
+- while( 1 ){
++ if( pIter ) while( 1 ){
+ int nHit = fts3ColumnlistCount(&pIter);
+ if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+ if( p->flag==FTS3_MATCHINFO_LHITS ){
+diff --git a/test/fts3matchinfo2.test b/test/fts3matchinfo2.test
+new file mode 100644
+index 0000000..d6b3ad0
+--- /dev/null
++++ b/test/fts3matchinfo2.test
+@@ -0,0 +1,35 @@
++# 2020-05-14
++#
++# The author disclaims copyright to this source code. In place of
++# a legal notice, here is a blessing:
++#
++# May you do good and not evil.
++# May you find forgiveness for yourself and forgive others.
++# May you share freely, never taking more than you give.
++#
++#***********************************************************************
++# This file implements regression tests for the FTS3 module. The focus
++# of this file is tables created with the "matchinfo=fts3" option.
++#
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++
++# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
++ifcapable !fts3 { finish_test ; return }
++
++set sqlite_fts3_enable_parentheses 1
++
++# Crash case found by cyg0810 at gmail.com 2020-05-14. Reported to
++# chromium (which is not vulnerable) who kindly referred it to us.
++#
++do_execsql_test 1.0 {
++ CREATE TABLE t_content(col0 INTEGER);
++ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
++ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
++ SELECT hex(matchinfo(t0,'yxy')) FROM t0 WHERE t0 MATCH x'2b0a312b0a312a312a2a0b5d0a0b0b0a312a0a0b0b0a312a0b310a392a0b0a27312a2a0b5d0a312a0b310a31315d0b310a312a316d2a0b313b15bceaa50a312a0b0a27312a2a0b5d0a312a0b310a312b0b2a310a312a0b2a0b2a0b2e5d0a0bff313336e34a2a312a0b0a3c310b0a0b4b4b0b4b2a4bec40322b2a0b310a0a312a0a0a0a0a0a0a0a0a0b310a312a2a2a0b5d0a0b0b0a312a0b310a312a0b0a4e4541530b310a5df5ced70a0a0a0a0a4f520a0a0a0a0a0a0a312a0b0a4e4541520b310a5d616161610a0a0a0a4f520a0a0a0a0a0a312b0a312a312a0a0a0a0a0a0a004a0b0a310b220a0b0a310a4a22310a0b0a7e6fe0e0e030e0e0e0e0e01176e02000e0e0e0e0e01131320226310a0b0a310a4a22310a0b0a310a766f8b8b4ee0e0300ae0090909090909090909090909090909090909090909090909090909090909090947aaaa540b09090909090909090909090909090909090909090909090909090909090909fae0e0f2f22164e0e0f273e07fefefef7d6dfafafafa6d6d6d6d';
++} {/000000.*0000000/}
++
++
++set sqlite_fts3_enable_parentheses 0
++finish_test
+\ No newline at end of file
+--
+2.24.1
+
diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec
index b0a11b6..526fe90 100644
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@@ -10,7 +10,7 @@
Summary: Library that implements an embeddable SQL database engine
Name: sqlite
Version: %{rpmver}
-Release: 9%{?dist}
+Release: 10%{?dist}
License: Public Domain
Group: Applications/Databases
URL: http://www.sqlite.org/
@@ -63,6 +63,12 @@ Patch20: sqlite-3.26.0-CVE-2020-9327.patch
Patch21: sqlite-3.26.0-CVE-2019-16168.patch
# Fix for CVE-2019-5018
Patch22: sqlite-3.26.0-CVE-2019-5018.patch
+# Fix for CVE-2020-13632
+Patch23: sqlite-3.26.0-CVE-2020-13632.patch
+# Fix for CVE-2020-13631
+Patch24: sqlite-3.26.0-CVE-2020-13631.patch
+# Fix for CVE-2020-13630
+Patch25: sqlite-3.26.0-CVE-2020-13630.patch
BuildRequires: ncurses-devel readline-devel glibc-devel
BuildRequires: autoconf
@@ -182,6 +188,9 @@ This package contains the analysis program for %{name}.
%patch20 -p1
%patch21 -p1
%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
# Remove backup-file
rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -286,6 +295,11 @@ make test
%endif
%changelog
+* Wed Jun 10 2020 Ondrej Dubaj - 3.26.0-10
+- Fixed CVE-2020-13632 (#1845572)
+- Fixed CVE-2020-13631 (#1845474)
+- Fixed CVE-2020-13630 (#1845153)
+
* Tue Jun 02 2020 Ondrej Dubaj - 3.26.0-9
- Fixed CVE-2019-5018 (#1721509)