import sqlite-3.26.0-11.el8

SOURCES/sqlite-3.26.0-CVE-2019-16168.patch

@@ -0,0 +1,65 @@
+From ab17169870e985b062e520ecf95e6c79ad784f38 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Thu, 23 Apr 2020 11:25:13 +0200
+Subject: [PATCH] fixed CVE-2019-16168 (rhbz#1826897)
+
+---
+ src/analyze.c      |  4 +++-
+ src/where.c        |  1 +
+ test/analyzeC.test | 13 +++++++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/analyze.c b/src/analyze.c
+index 5075b57..e47c0f5 100644
+--- a/src/analyze.c
++++ b/src/analyze.c
+@@ -1497,7 +1497,9 @@ static void decodeIntArray(
+       if( sqlite3_strglob("unordered*", z)==0 ){
+         pIndex->bUnordered = 1;
+       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++        int sz = sqlite3Atoi(z+3);
++        if( sz<2 ) sz = 2;
++        pIndex->szIdxRow = sqlite3LogEst(sz); 
+       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+         pIndex->noSkipScan = 1;
+       }
+diff --git a/src/where.c b/src/where.c
+index 8e01660..1a4fa51 100644
+--- a/src/where.c
++++ b/src/where.c
+@@ -2655,6 +2655,7 @@ static int whereLoopAddBtreeIndex(
+     ** it to pNew->rRun, which is currently set to the cost of the index
+     ** seek only. Then, if this is a non-covering index, add the cost of
+     ** visiting the rows in the main table.  */
++    assert( pSrc->pTab->szTabRow>0 );
+     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+diff --git a/test/analyzeC.test b/test/analyzeC.test
+index 02faa9c..3595c9d 100644
+--- a/test/analyzeC.test
++++ b/test/analyzeC.test
+@@ -132,6 +132,19 @@ do_execsql_test 4.3 {
+   SELECT count(a) FROM t1;
+ } {/.*INDEX t1ca.*/}
+ 
++# 2019-08-15.
++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
++# The sz=N parameter in the sqlite_stat1 table needs to have a value of
++# 2 or more to avoid a division by zero in the query planner.
++#
++do_execsql_test 4.4 {
++  DROP TABLE IF EXISTS t44;
++  CREATE TABLE t44(a PRIMARY KEY);
++  INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
++  ANALYZE sqlite_master;
++  SELECT 0 FROM t44 WHERE a IN(1,2,3);
++} {} 
++
+ 
+ # The sz=NNN parameter works even if there is other extraneous text
+ # in the sqlite_stat1.stat column.
+-- 
+2.24.1
+

SOURCES/sqlite-3.26.0-CVE-2019-20218.patch

@@ -0,0 +1,102 @@
+From ff5f246e41239cc4dd33ffa73883fa07f78674e1 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Fri, 7 Aug 2020 07:00:29 +0200
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error.
+
+---
+ src/select.c        |  5 ++++-
+ src/util.c          |  1 +
+ test/altertab2.test | 20 ++++++++++++++++++++
+ test/with3.test     | 10 +++++++++-
+ 4 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index c46f177..a6d1757 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -4639,6 +4639,9 @@ static int withExpand(
+   With *pWith;                    /* WITH clause that pCte belongs to */
+ 
+   assert( pFrom->pTab==0 );
++  if( pParse->nErr ){
++    return SQLITE_ERROR;
++  }
+ 
+   pCte = searchWith(pParse->pWith, pFrom, &pWith);
+   if( pCte ){
+@@ -4908,7 +4911,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+ 
+   /* Process NATURAL keywords, and ON and USING clauses of joins.
+   */
+-  if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++  if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+     return WRC_Abort;
+   }
+ 
+diff --git a/src/util.c b/src/util.c
+index 54f9b93..96b0b14 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -222,6 +222,7 @@ void sqlite3ErrorMsg(Parse *pParse, const char *zFormat, ...){
+     sqlite3DbFree(db, pParse->zErrMsg);
+     pParse->zErrMsg = zMsg;
+     pParse->rc = SQLITE_ERROR;
++    pParse->pWith = 0;
+   }
+ }
+ 
+diff --git a/test/altertab2.test b/test/altertab2.test
+index 2e4212c..2102e02 100644
+--- a/test/altertab2.test
++++ b/test/altertab2.test
+@@ -85,5 +85,25 @@ do_execsql_test 2.3 {
+   {CREATE TABLE c3(x, FOREIGN KEY (x) REFERENCES "p3"(a))}
+ }
+ 
++#------------------------------------------------------------------------
++#
++reset_db
++do_execsql_test 3.0 {
++  CREATE TABLE v0 (a);
++  CREATE VIEW v2 (v3) AS 
++    WITH x1 AS (SELECT * FROM v2) 
++    SELECT v3 AS x, v3 AS y FROM v2; 
++}
++
++do_catchsql_test 3.1 {
++  SELECT * FROM v2
++} {1 {view v2 is circularly defined}}
++
++db close
++sqlite3 db test.db
++
++do_catchsql_test 3.2 {
++  ALTER TABLE v0 RENAME TO t3 ;
++} {1 {error in view v2: view v2 is circularly defined}}
+ 
+ finish_test
+diff --git a/test/with3.test b/test/with3.test
+index de150b1..4a3a5a7 100644
+--- a/test/with3.test
++++ b/test/with3.test
+@@ -30,7 +30,15 @@ do_catchsql_test 1.0 {
+     SELECT 5 FROM t0 UNION SELECT 8 FROM m
+   )
+   SELECT * FROM i;
+-} {1 {no such table: m}}
++} {1 {no such table: t0}}
++
++# 2019-11-09 dbfuzzcheck find
++do_catchsql_test 1.1 {
++  CREATE VIEW v1(x,y) AS
++    WITH t1(a,b) AS (VALUES(1,2))
++    SELECT * FROM nosuchtable JOIN t1;
++  SELECT * FROM v1;
++} {1 {no such table: main.nosuchtable}}
+ 
+ # Additional test cases that came out of the work to
+ # fix for Kostya's problem.
+-- 
+2.26.0
+

SOURCES/sqlite-3.26.0-CVE-2019-5018.patch

@@ -0,0 +1,281 @@
+Subject: [PATCH] Prevent aliases of window functions expressions from being
+ used as arguments to aggregate or other window functions.
+
+---
+ src/resolve.c       |  21 ++++++---
+ src/sqliteInt.h     |   2 +
+ test/windowerr.tcl  |  59 ++++++++++++++++++++++++++
+ test/windowerr.test | 99 ++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 176 insertions(+), 5 deletions(-)
+ create mode 100644 test/windowerr.tcl
+ create mode 100644 test/windowerr.test
+
+diff --git a/src/resolve.c b/src/resolve.c
+index 0c7dfc0..cdcf4d9 100644
+--- a/src/resolve.c
++++ b/src/resolve.c
+@@ -436,6 +436,10 @@ static int lookupName(
+             sqlite3ErrorMsg(pParse, "misuse of aliased aggregate %s", zAs);
+             return WRC_Abort;
+           }
++          if( (pNC->ncFlags&NC_AllowWin)==0 && ExprHasProperty(pOrig, EP_Win) ){
++            sqlite3ErrorMsg(pParse, "misuse of aliased window function %s",zAs);
++            return WRC_Abort;
++          }
+           if( sqlite3ExprVectorSize(pOrig)!=1 ){
+             sqlite3ErrorMsg(pParse, "row value misused");
+             return WRC_Abort;
+@@ -707,6 +711,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+       const char *zId;            /* The function name. */
+       FuncDef *pDef;              /* Information about the function */
+       u8 enc = ENC(pParse->db);   /* The database encoding */
++      int savedAllowFlags = (pNC->ncFlags & (NC_AllowAgg | NC_AllowWin));
+ 
+       assert( !ExprHasProperty(pExpr, EP_xIsSelect) );
+       zId = pExpr->u.zToken;
+@@ -828,8 +833,11 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+           pNC->nErr++;
+         }
+         if( is_agg ){
++          /* Window functions may not be arguments of aggregate functions.
++          ** Or arguments of other window functions. But aggregate functions
++          ** may be arguments for window functions.  */
+ #ifndef SQLITE_OMIT_WINDOWFUNC
+-          pNC->ncFlags &= ~(pExpr->y.pWin ? NC_AllowWin : NC_AllowAgg);
++          pNC->ncFlags &= ~(NC_AllowWin | (!pExpr->y.pWin ? NC_AllowAgg : 0));
+ #else
+           pNC->ncFlags &= ~NC_AllowAgg;
+ #endif
+@@ -850,7 +858,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+             pExpr->y.pWin->pNextWin = pSel->pWin;
+             pSel->pWin = pExpr->y.pWin;
+           }
+-          pNC->ncFlags |= NC_AllowWin;
++          pNC->ncFlags |= NC_HasWin;
+         }else
+ #endif /* SQLITE_OMIT_WINDOWFUNC */
+         {
+@@ -868,8 +876,8 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+             pNC2->ncFlags |= NC_HasAgg | (pDef->funcFlags & SQLITE_FUNC_MINMAX);
+ 
+           }
+-          pNC->ncFlags |= NC_AllowAgg;
+         }
++        pNC->ncFlags |= savedAllowFlags;
+       }
+       /* FIX ME:  Compute pExpr->affinity based on the expected return
+       ** type of the function 
+@@ -1573,8 +1581,8 @@ int sqlite3ResolveExprNames(
+   Walker w;
+ 
+   if( pExpr==0 ) return SQLITE_OK;
+-  savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg);
+-  pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg);
++  savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg|NC_HasWin);
++  pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg|NC_HasWin);
+   w.pParse = pNC->pParse;
+   w.xExprCallback = resolveExprStep;
+   w.xSelectCallback = resolveSelectStep;
+@@ -1593,6 +1601,9 @@ int sqlite3ResolveExprNames(
+   if( pNC->ncFlags & NC_HasAgg ){
+     ExprSetProperty(pExpr, EP_Agg);
+   }
++  if( pNC->ncFlags & NC_HasWin ){
++    ExprSetProperty(pExpr, EP_Win);
++  }
+   pNC->ncFlags |= savedHasAgg;
+   return pNC->nErr>0 || w.pParse->nErr>0;
+ }
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 5f5f3cc..b7d3571 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2517,6 +2517,7 @@ struct Expr {
+ #define EP_Alias     0x400000 /* Is an alias for a result set column */
+ #define EP_Leaf      0x800000 /* Expr.pLeft, .pRight, .u.pSelect all NULL */
+ #define EP_WinFunc  0x1000000 /* TK_FUNCTION with Expr.y.pWin set */
++#define EP_Win      0x8000000 /* Contains window functions */
+ 
+ /*
+ ** The EP_Propagate mask is a set of properties that automatically propagate
+@@ -2773,6 +2774,7 @@ struct NameContext {
+ #define NC_MinMaxAgg 0x1000  /* min/max aggregates seen.  See note above */
+ #define NC_Complex   0x2000  /* True if a function or subquery seen */
+ #define NC_AllowWin  0x4000  /* Window functions are allowed here */
++#define NC_HasWin    0x8000  /* One or more window functions seen */
+ 
+ /*
+ ** An instance of the following object describes a single ON CONFLICT
+diff --git a/test/windowerr.tcl b/test/windowerr.tcl
+new file mode 100644
+index 0000000..80f464d
+--- /dev/null
++++ b/test/windowerr.tcl
+@@ -0,0 +1,59 @@
++# 2018 May 19
++#
++# The author disclaims copyright to this source code.  In place of
++# a legal notice, here is a blessing:
++#
++#    May you do good and not evil.
++#    May you find forgiveness for yourself and forgive others.
++#    May you share freely, never taking more than you give.
++#
++#***********************************************************************
++#
++
++source [file join [file dirname $argv0] pg_common.tcl]
++
++#=========================================================================
++
++start_test windowerr "2019 March 01"
++ifcapable !windowfunc
++
++execsql_test 1.0 {
++  DROP TABLE IF EXISTS t1;
++  CREATE TABLE t1(a INTEGER, b INTEGER);
++  INSERT INTO t1 VALUES(1, 1);
++  INSERT INTO t1 VALUES(2, 2);
++  INSERT INTO t1 VALUES(3, 3);
++  INSERT INTO t1 VALUES(4, 4);
++  INSERT INTO t1 VALUES(5, 5);
++}
++
++foreach {tn frame} {
++  1 "ORDER BY a ROWS BETWEEN -1 PRECEDING AND 1 FOLLOWING"
++  2 "ORDER BY a ROWS BETWEEN  1 PRECEDING AND -1 FOLLOWING"
++
++  3 "ORDER BY a RANGE BETWEEN -1 PRECEDING AND 1 FOLLOWING"
++  4 "ORDER BY a RANGE BETWEEN  1 PRECEDING AND -1 FOLLOWING"
++
++  5 "ORDER BY a GROUPS BETWEEN -1 PRECEDING AND 1 FOLLOWING"
++  6 "ORDER BY a GROUPS BETWEEN  1 PRECEDING AND -1 FOLLOWING"
++
++  7 "ORDER BY a,b RANGE BETWEEN  1 PRECEDING AND 1 FOLLOWING"
++
++  8 "PARTITION BY a RANGE BETWEEN  1 PRECEDING AND 1 FOLLOWING"
++} {
++  errorsql_test 1.$tn "
++  SELECT a, sum(b) OVER (
++    $frame
++  ) FROM t1 ORDER BY 1
++  "
++}
++errorsql_test 2.1 {
++  SELECT sum( sum(a) OVER () ) FROM t1;
++}
++
++errorsql_test 2.2 {
++  SELECT sum(a) OVER () AS xyz FROM t1 ORDER BY sum(xyz);
++}
++
++
++finish_test
+diff --git a/test/windowerr.test b/test/windowerr.test
+new file mode 100644
+index 0000000..97dae64
+--- /dev/null
++++ b/test/windowerr.test
+@@ -0,0 +1,99 @@
++# 2019 March 01
++#
++# The author disclaims copyright to this source code.  In place of
++# a legal notice, here is a blessing:
++#
++#    May you do good and not evil.
++#    May you find forgiveness for yourself and forgive others.
++#    May you share freely, never taking more than you give.
++#
++#***********************************************************************
++# This file implements regression tests for SQLite library.
++#
++
++####################################################
++# DO NOT EDIT! THIS FILE IS AUTOMATICALLY GENERATED!
++####################################################
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++set testprefix windowerr
++
++ifcapable !windowfunc { finish_test ; return }
++do_execsql_test 1.0 {
++  DROP TABLE IF EXISTS t1;
++  CREATE TABLE t1(a INTEGER, b INTEGER);
++  INSERT INTO t1 VALUES(1, 1);
++  INSERT INTO t1 VALUES(2, 2);
++  INSERT INTO t1 VALUES(3, 3);
++  INSERT INTO t1 VALUES(4, 4);
++  INSERT INTO t1 VALUES(5, 5);
++} {}
++
++# PG says ERROR:  frame starting offset must not be negative
++do_test 1.1 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    ORDER BY a ROWS BETWEEN -1 PRECEDING AND 1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  frame ending offset must not be negative
++do_test 1.2 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    ORDER BY a ROWS BETWEEN  1 PRECEDING AND -1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  invalid preceding or following size in window function
++do_test 1.3 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    ORDER BY a RANGE BETWEEN -1 PRECEDING AND 1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  invalid preceding or following size in window function
++do_test 1.4 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    ORDER BY a RANGE BETWEEN  1 PRECEDING AND -1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  frame starting offset must not be negative
++do_test 1.5 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    ORDER BY a GROUPS BETWEEN -1 PRECEDING AND 1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  frame ending offset must not be negative
++do_test 1.6 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    ORDER BY a GROUPS BETWEEN  1 PRECEDING AND -1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  RANGE with offset PRECEDING/FOLLOWING requires exactly one ORDER BY column
++do_test 1.7 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    ORDER BY a,b RANGE BETWEEN  1 PRECEDING AND 1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  RANGE with offset PRECEDING/FOLLOWING requires exactly one ORDER BY column
++do_test 1.8 { catch { execsql {
++  SELECT a, sum(b) OVER (
++    PARTITION BY a RANGE BETWEEN  1 PRECEDING AND 1 FOLLOWING
++  ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR:  aggregate function calls cannot contain window function calls
++do_test 2.1 { catch { execsql {
++  SELECT sum( sum(a) OVER () ) FROM t1;
++} } } 1
++
++# PG says ERROR:  column "xyz" does not exist
++do_test 2.2 { catch { execsql {
++  SELECT sum(a) OVER () AS xyz FROM t1 ORDER BY sum(xyz);
++} } } 1
++
++finish_test
+-- 
+2.24.1
+

SOURCES/sqlite-3.26.0-CVE-2020-13630.patch

@@ -0,0 +1,88 @@
+Subject: [PATCH] Fix a use-after-free bug in the fts3 snippet() function.
+
+---
+ ext/fts3/fts3.c        |  1 +
+ test/fts3snippet2.test | 59 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 60 insertions(+)
+ create mode 100644 test/fts3snippet2.test
+
+diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
+index 84fc8a5..9ddd201 100644
+--- a/ext/fts3/fts3.c
++++ b/ext/fts3/fts3.c
+@@ -5213,6 +5213,7 @@ static void fts3EvalNextRow(
+                 fts3EvalNextRow(pCsr, pLeft, pRc);
+               }
+             }
++            pRight->bEof = pLeft->bEof = 1;
+           }
+         }
+         break;
+diff --git a/test/fts3snippet2.test b/test/fts3snippet2.test
+new file mode 100644
+index 0000000..607b01e
+--- /dev/null
++++ b/test/fts3snippet2.test
+@@ -0,0 +1,59 @@
++# 2020-05-14
++#
++# The author disclaims copyright to this source code.  In place of
++# a legal notice, here is a blessing:
++#
++#    May you do good and not evil.
++#    May you find forgiveness for yourself and forgive others.
++#    May you share freely, never taking more than you give.
++#
++#*************************************************************************
++#
++# The tests in this file test the FTS3 auxillary functions offsets(), 
++# snippet() and matchinfo() work. At time of writing, running this file 
++# provides full coverage of fts3_snippet.c.
++#
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++set testprefix fts3snippet
++
++# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
++ifcapable !fts3 { finish_test ; return }
++source $testdir/fts3_common.tcl
++
++set sqlite_fts3_enable_parentheses 1
++#-------------------------------------------------------------------------
++# Request a snippet from a query with more than 64 phrases.
++#
++reset_db
++do_execsql_test 1.0 {
++  CREATE VIRTUAL TABLE f USING fts3(b);
++  INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218');
++}
++
++do_execsql_test 1.1 {
++  SELECT  length(snippet(f))>0  FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42';
++} {1}
++
++reset_db
++do_execsql_test 2.0 {
++  CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
++  INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
++  SELECT snippet(t0)  FROM t0 WHERE t0 MATCH x'0a4d4d4d4d320a4f52d70a310a310a4e4541520a0a31f6ce0a4f520a0a310a310a310a4f520a75fc2a242424' ;
++} {<b>1</b>}
++
++reset_db
++do_execsql_test 2.1 {
++  CREATE VIRTUAL TABLE t0 USING fts3(
++      col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY
++  );
++  INSERT INTO t0 VALUES ('one', '1234','aaaa','bbbb');
++}
++do_execsql_test 2.2 {
++  SELECT snippet(t0)  FROM t0 WHERE t0 MATCH 
++  '(def AND (one NEAR abc)) OR one'
++} {<b>one</b>}
++
++set sqlite_fts3_enable_parentheses 0
++finish_test
+-- 
+2.24.1
+

SOURCES/sqlite-3.26.0-CVE-2020-13631.patch

@@ -0,0 +1,97 @@
+Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
+ one of its shadows.
+
+---
+ src/alter.c     |  5 ++++-
+ src/build.c     | 28 ++++++++++++++++++++++------
+ src/sqliteInt.h |  5 +++++
+ 3 files changed, 31 insertions(+), 7 deletions(-)
+
+diff --git a/src/alter.c b/src/alter.c
+index 1280e90..0fa24c0 100644
+--- a/src/alter.c
++++ b/src/alter.c
+@@ -117,7 +117,10 @@ void sqlite3AlterRenameTable(
+   /* Check that a table or index named 'zName' does not already exist
+   ** in database iDb. If so, this is an error.
+   */
+-  if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
++  if( sqlite3FindTable(db, zName, zDb)
++   || sqlite3FindIndex(db, zName, zDb)
++   || sqlite3IsShadowTableOf(db, pTab, zName)
++  ){
+     sqlite3ErrorMsg(pParse, 
+         "there is already another table or index with this name: %s", zName);
+     goto exit_rename_table;
+diff --git a/src/build.c b/src/build.c
+index e0fed8a..426428b 100644
+--- a/src/build.c
++++ b/src/build.c
+@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+   recomputeColumnsNotIndexed(pPk);
+ }
+ 
++
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++/*
++** Return true if pTab is a virtual table and zName is a shadow table name
++** for that virtual table.
++*/
++int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
++  int nName;                    /* Length of zName */
++
++  if( !IsVirtual(pTab) ) return 0;
++  nName = sqlite3Strlen30(pTab->zName);
++  if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
++  if( zName[nName]!='_' ) return 0;
++  Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
++  if( pMod==0 ) return 0;
++  if( pMod->pModule->iVersion<3 ) return 0;
++  if( pMod->pModule->xShadowName==0 ) return 0;
++  return pMod->pModule->xShadowName(zName+nName+1);
++}
++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
++
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ /*
+ ** Return true if zName is a shadow table name in the current database
+@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+ static int isShadowTableName(sqlite3 *db, char *zName){
+   char *zTail;                  /* Pointer to the last "_" in zName */
+   Table *pTab;                  /* Table that zName is a shadow of */
+-  Module *pMod;                 /* Module for the virtual table */
+ 
+   zTail = strrchr(zName, '_');
+   if( zTail==0 ) return 0;
+@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
+   *zTail = '_';
+   if( pTab==0 ) return 0;
+   if( !IsVirtual(pTab) ) return 0;
+-  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+-  if( pMod==0 ) return 0;
+-  if( pMod->pModule->iVersion<3 ) return 0;
+-  if( pMod->pModule->xShadowName==0 ) return 0;
+-  return pMod->pModule->xShadowName(zTail+1);
++  return sqlite3IsShadowTableOf(db, pTab, zName);
+ }
+ #else
+ # define isShadowTableName(x,y) 0
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index b7d3571..76337f7 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -4407,6 +4407,11 @@ void sqlite3AutoLoadExtensions(sqlite3*);
+    );
+ #  define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0)
+ #endif
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++  int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*);
++#else
++# define sqlite3IsShadowTableOf(A,B,C) 0
++#endif
+ int sqlite3VtabEponymousTableInit(Parse*,Module*);
+ void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
+ void sqlite3VtabMakeWritable(Parse*,Table*);
+-- 
+2.24.1
+

SOURCES/sqlite-3.26.0-CVE-2020-13632.patch

@@ -0,0 +1,67 @@
+Subject: [PATCH] Fix a null pointer deference that can occur on a strange
+ matchinfo() query.
+
+---
+ ext/fts3/fts3_snippet.c  |  2 +-
+ test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 test/fts3matchinfo2.test
+
+diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c
+index a0771c0..5778620 100644
+--- a/ext/fts3/fts3_snippet.c
++++ b/ext/fts3/fts3_snippet.c
+@@ -869,7 +869,7 @@ static void fts3ExprLHits(
+     iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+   }
+ 
+-  while( 1 ){
++  if( pIter ) while( 1 ){
+     int nHit = fts3ColumnlistCount(&pIter);
+     if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+       if( p->flag==FTS3_MATCHINFO_LHITS ){
+diff --git a/test/fts3matchinfo2.test b/test/fts3matchinfo2.test
+new file mode 100644
+index 0000000..d6b3ad0
+--- /dev/null
++++ b/test/fts3matchinfo2.test
+@@ -0,0 +1,35 @@
++# 2020-05-14
++#
++# The author disclaims copyright to this source code.  In place of
++# a legal notice, here is a blessing:
++#
++#    May you do good and not evil.
++#    May you find forgiveness for yourself and forgive others.
++#    May you share freely, never taking more than you give.
++#
++#***********************************************************************
++# This file implements regression tests for the FTS3 module. The focus
++# of this file is tables created with the "matchinfo=fts3" option.
++#
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++
++# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
++ifcapable !fts3 { finish_test ; return }
++
++set sqlite_fts3_enable_parentheses 1
++
++# Crash case found by cyg0810 at gmail.com 2020-05-14.  Reported to
++# chromium (which is not vulnerable) who kindly referred it to us.
++#
++do_execsql_test 1.0 {
++  CREATE TABLE t_content(col0 INTEGER);
++  CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY);
++  INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
++  SELECT hex(matchinfo(t0,'yxy'))  FROM t0 WHERE t0 MATCH  x'2b0a312b0a312a312a2a0b5d0a0b0b0a312a0a0b0b0a312a0b310a392a0b0a27312a2a0b5d0a312a0b310a31315d0b310a312a316d2a0b313b15bceaa50a312a0b0a27312a2a0b5d0a312a0b310a312b0b2a310a312a0b2a0b2a0b2e5d0a0bff313336e34a2a312a0b0a3c310b0a0b4b4b0b4b2a4bec40322b2a0b310a0a312a0a0a0a0a0a0a0a0a0b310a312a2a2a0b5d0a0b0b0a312a0b310a312a0b0a4e4541530b310a5df5ced70a0a0a0a0a4f520a0a0a0a0a0a0a312a0b0a4e4541520b310a5d616161610a0a0a0a4f520a0a0a0a0a0a312b0a312a312a0a0a0a0a0a0a004a0b0a310b220a0b0a310a4a22310a0b0a7e6fe0e0e030e0e0e0e0e01176e02000e0e0e0e0e01131320226310a0b0a310a4a22310a0b0a310a766f8b8b4ee0e0300ae0090909090909090909090909090909090909090909090909090909090909090947aaaa540b09090909090909090909090909090909090909090909090909090909090909fae0e0f2f22164e0e0f273e07fefefef7d6dfafafafa6d6d6d6d';
++} {/000000.*0000000/}
++
++
++set sqlite_fts3_enable_parentheses 0
++finish_test
+\ No newline at end of file
+-- 
+2.24.1
+

SOURCES/sqlite-3.26.0-CVE-2020-6405.patch

@@ -0,0 +1,27 @@
+From 1668926bc3c7da0b2870a60382b179a0e3edb5de Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Thu, 26 Mar 2020 08:14:29 +0100
+Subject: [PATCH] Do not allow the constant-propagation optimization to apple
+ to ON/USING clause terms as it does not help and it might cause downstream
+ problems.
+
+---
+ src/select.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/select.c b/src/select.c
+index bbd13a4..88a43df 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -4171,7 +4171,7 @@ static int propagateConstantExprRewrite(Walker *pWalker, Expr *pExpr){
+   int i;
+   WhereConst *pConst;
+   if( pExpr->op!=TK_COLUMN ) return WRC_Continue;
+-  if( ExprHasProperty(pExpr, EP_FixedCol) ) return WRC_Continue;
++  if( ExprHasProperty(pExpr, EP_FixedCol|EP_FromJoin) ) return WRC_Continue;
+   pConst = pWalker->u.pConst;
+   for(i=0; i<pConst->nConst; i++){
+     Expr *pColumn = pConst->apExpr[i*2];
+-- 
+2.24.1
+

SOURCES/sqlite-3.26.0-CVE-2020-9327.patch

@@ -0,0 +1,106 @@
+From 2d788539b0018d34d3cabb328387ba6bec41ec42 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Thu, 26 Mar 2020 09:43:43 +0100
+Subject: [PATCH] NULL pointer dereference and segmentation fault because of
+ generated column optimizations
+
+Take care when checking the table of a TK_COLUMN expression node to
+see if the table is a virtual table to first ensure that the
+Expr.y.pTab pointer is not null due to generated column optimizations.
+---
+ src/expr.c      | 13 ++++++++++---
+ src/sqliteInt.h |  3 +++
+ src/whereexpr.c | 12 ++++++++----
+ 3 files changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index b081ca2..5f98f76 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -4901,18 +4901,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
+     case TK_LT:
+     case TK_LE:
+     case TK_GT:
+-    case TK_GE:
++    case TK_GE: {
++      Expr *pLeft = pExpr->pLeft;
++      Expr *pRight = pExpr->pRight;
+       testcase( pExpr->op==TK_EQ );
+       testcase( pExpr->op==TK_NE );
+       testcase( pExpr->op==TK_LT );
+       testcase( pExpr->op==TK_LE );
+       testcase( pExpr->op==TK_GT );
+       testcase( pExpr->op==TK_GE );
+-      if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab))
+-       || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab))
++      /* The y.pTab=0 assignment in wherecode.c always happens after the
++      ** impliesNotNullRow() test */
++      if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0)
++                               && IsVirtual(pLeft->y.pTab))
++       || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0)
++                               && IsVirtual(pRight->y.pTab))
+       ){
+        return WRC_Prune;
+       }
++    }
+     default:
+       return WRC_Continue;
+   }
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 051aa40..5f5f3cc 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2014,8 +2014,11 @@ struct Table {
+ */
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ #  define IsVirtual(X)      ((X)->nModuleArg)
++#  define ExprIsVtab(X)  \
++              ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg)
+ #else
+ #  define IsVirtual(X)      0
++#  define ExprIsVtab(X)     0
+ #endif
+ 
+ /*
+diff --git a/src/whereexpr.c b/src/whereexpr.c
+index dbb7f0d..9d2813a 100644
+--- a/src/whereexpr.c
++++ b/src/whereexpr.c
+@@ -382,7 +382,8 @@ static int isAuxiliaryVtabOperator(
+     **       MATCH(expression,vtab_column)
+     */
+     pCol = pList->a[1].pExpr;
+-    if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++    testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++    if( ExprIsVtab(pCol) ){
+       for(i=0; i<ArraySize(aOp); i++){
+         if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){
+           *peOp2 = aOp[i].eOp2;
+@@ -404,7 +405,8 @@ static int isAuxiliaryVtabOperator(
+     ** with function names in an arbitrary case.
+     */
+     pCol = pList->a[0].pExpr;
+-    if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){
++    testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 );
++    if( ExprIsVtab(pCol) ){
+       sqlite3_vtab *pVtab;
+       sqlite3_module *pMod;
+       void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**);
+@@ -427,10 +429,12 @@ static int isAuxiliaryVtabOperator(
+     int res = 0;
+     Expr *pLeft = pExpr->pLeft;
+     Expr *pRight = pExpr->pRight;
+-    if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){
++    testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 );
++    if( ExprIsVtab(pLeft) ){
+       res++;
+     }
+-    if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){
++    testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 );
++    if( pRight && ExprIsVtab(pRight) ){
+       res++;
+       SWAP(Expr*, pLeft, pRight);
+     }
+-- 
+2.24.1
+

SPECS/sqlite.spec

@@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 6%{?dist}
+Release: 11%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@@ -51,8 +51,24 @@ Patch14: sqlite-3.26.0-CVE-2019-19923.patch
 Patch15: sqlite-3.26.0-CVE-2019-19925.patch
 # Fix for CVE-2019-19959
 Patch16: sqlite-3.26.0-CVE-2019-19959.patch
-# Fix fr issues found by covscan
+# Fix for issues found by covscan
 Patch17: sqlite-3.26.0-zPath-covscan.patch
+# Fix for CVE-2019-20218
+Patch18: sqlite-3.26.0-CVE-2019-20218.patch
+# Fix for CVE-2020-6405
+Patch19: sqlite-3.26.0-CVE-2020-6405.patch
+# Fix for CVE-2020-9327
+Patch20: sqlite-3.26.0-CVE-2020-9327.patch
+# Fix for CVE-2019-16168
+Patch21: sqlite-3.26.0-CVE-2019-16168.patch
+# Fix for CVE-2019-5018
+Patch22: sqlite-3.26.0-CVE-2019-5018.patch
+# Fix for CVE-2020-13632
+Patch23: sqlite-3.26.0-CVE-2020-13632.patch
+# Fix for CVE-2020-13631
+Patch24: sqlite-3.26.0-CVE-2020-13631.patch
+# Fix for CVE-2020-13630
+Patch25: sqlite-3.26.0-CVE-2020-13630.patch
 
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -167,6 +183,14 @@ This package contains the analysis program for %{name}.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
 
 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@@ -271,6 +295,25 @@ make test
 %endif
 
 %changelog
+* Fri Aug 07 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-11
+- Fixed bug in CVE-2019-20218 (#1791592)
+
+* Wed Jun 10 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-10
+- Fixed CVE-2020-13632 (#1845572)
+- Fixed CVE-2020-13631 (#1845474)
+- Fixed CVE-2020-13630 (#1845153)
+
+* Tue Jun 02 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-9
+- Fixed CVE-2019-5018 (#1721509)
+
+* Thu Apr 23 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-8
+- Fixed CVE-2019-16168 (#1826897)
+
+* Tue Mar 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-7
+- Fixed CVE-2019-20218 (#1791592)
+- Fixed CVE-2020-6405 (#1804823)
+- Fixed CVE-2020-0327 (#1816572)
+
 * Thu Jan 23 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-6
 - Fixed issues found by covscan