apply upstream fix for CVE-2019-19926 (bz1789441)

2020-01-09 16:44:30 -05:00 · 2020-01-09 16:44:30 -05:00 · 683ae70000
commit 683ae70000
parent 45f87b7215
2 changed files with 19 additions and 1 deletions
--- a/sqlite-3.30.1-CVE-2019-19926.patch
+++ b/sqlite-3.30.1-CVE-2019-19926.patch
@ -0,0 +1,11 @@
+diff -up sqlite-src-3300100/src/select.c.CVE-2019-19926 sqlite-src-3300100/src/select.c
+--- sqlite-src-3300100/src/select.c.CVE-2019-19926	2020-01-09 16:20:12.809275851 -0500
+++ sqlite-src-3300100/src/select.c	2020-01-09 16:20:55.935523511 -0500
+@@ -2805,6 +2805,7 @@ static int multiSelect(
+     }
+   #endif
+   }
+  if( pParse->nErr ) goto multi_select_end;
+   
+   /* Compute collating sequences used by 
+   ** temporary tables needed to implement the compound select.
--- a/sqlite.spec
+++ b/sqlite.spec
@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Public Domain
 URL: http://www.sqlite.org/

@ -29,6 +29,9 @@ Patch3: sqlite-3.8.0-percentile-test.patch
 Patch4: sqlite-3.16-datetest-2.2c.patch
 # Modify sync2.test to pass with DIRSYNC turned off
 Patch5: sqlite-3.18.0-sync2-dirsync.patch
+# Apply upstream fix for CVE-2019-19880
+# https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089
+Patch6: sqlite-3.30.1-CVE-2019-19926.patch

 BuildRequires:  gcc
 BuildRequires: ncurses-devel readline-devel glibc-devel
@ -125,6 +128,7 @@ This package contains the analysis program for %{name}.
 %patch4 -p1
 %endif
 %patch5 -p1
+%patch6 -p1

 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@ -229,6 +233,9 @@ make test
 %endif

 %changelog
+* Thu Jan  9 2020 Tom Callaway <spot@fedoraproject.org> - 3.30.1-2
+- apply upstream fix for CVE-2019-19926 (bz1789441)
+
 * Mon Oct 14 2019 Petr Kubat <pkubat@redhat.com> - 3.30.1-1
 - Updated to version 3.30.1 (https://sqlite.org/releaselog/3_30_1.html)