fix for CVE-2020-24736
Resolves: CVE-2020-24736
This commit is contained in:
Zuzana Miklankova
parent
a2298459b0
commit
98cb41e69b
114
sqlite-3.26.0-CVE-2020-24736.patch
Normal file
114
sqlite-3.26.0-CVE-2020-24736.patch
Normal file
@ -0,0 +1,114 @@
|
||||
From f030b376820102ff6cda49565c8b8173b2d44606 Mon Sep 17 00:00:00 2001
|
||||
From: dan <dan@noemail.net>
|
||||
Date: Fri, 22 Feb 2019 19:24:16 +0000
|
||||
Subject: [PATCH] Internally, remove all references to a Window object that
|
||||
belongs to an expression in an ORDER BY clause if that expression is
|
||||
converted to an alias of a result-set expression. Fix for [4feb3159c6].
|
||||
|
||||
FossilOrigin-Name: 579b66eaa0816561c6e47ea116b46f229188f0fc84c1173bfe0d21df2dff9a9a
|
||||
---
|
||||
src/resolve.c | 49 ++++++++++++++++++++++++++++++++++-------------
|
||||
test/window1.test | 20 +++++++++++++++++++
|
||||
2 files changed, 56 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/resolve.c b/src/resolve.c
|
||||
index 9410bc020..fd2cf539a 100644
|
||||
--- a/src/resolve.c
|
||||
+++ b/src/resolve.c
|
||||
@@ -1243,6 +1243,38 @@ int sqlite3ResolveOrderGroupBy(
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef SQLITE_OMIT_WINDOWFUNC
|
||||
+/*
|
||||
+** Walker callback for resolveRemoveWindows().
|
||||
+*/
|
||||
+static int resolveRemoveWindowsCb(Walker *pWalker, Expr *pExpr){
|
||||
+ if( ExprHasProperty(pExpr, EP_WinFunc) ){
|
||||
+ Window **pp;
|
||||
+ for(pp=&pWalker->u.pSelect->pWin; *pp; pp=&(*pp)->pNextWin){
|
||||
+ if( *pp==pExpr->y.pWin ){
|
||||
+ *pp = (*pp)->pNextWin;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return WRC_Continue;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+** Remove any Window objects owned by the expression pExpr from the
|
||||
+** Select.pWin list of Select object pSelect.
|
||||
+*/
|
||||
+static void resolveRemoveWindows(Select *pSelect, Expr *pExpr){
|
||||
+ Walker sWalker;
|
||||
+ memset(&sWalker, 0, sizeof(Walker));
|
||||
+ sWalker.xExprCallback = resolveRemoveWindowsCb;
|
||||
+ sWalker.u.pSelect = pSelect;
|
||||
+ sqlite3WalkExpr(&sWalker, pExpr);
|
||||
+}
|
||||
+#else
|
||||
+# define resolveRemoveWindows(x,y)
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
** pOrderBy is an ORDER BY or GROUP BY clause in SELECT statement pSelect.
|
||||
** The Name context of the SELECT statement is pNC. zType is either
|
||||
@@ -1309,19 +1341,10 @@ static int resolveOrderGroupBy(
|
||||
}
|
||||
for(j=0; j<pSelect->pEList->nExpr; j++){
|
||||
if( sqlite3ExprCompare(0, pE, pSelect->pEList->a[j].pExpr, -1)==0 ){
|
||||
-#ifndef SQLITE_OMIT_WINDOWFUNC
|
||||
- if( ExprHasProperty(pE, EP_WinFunc) ){
|
||||
- /* Since this window function is being changed into a reference
|
||||
- ** to the same window function the result set, remove the instance
|
||||
- ** of this window function from the Select.pWin list. */
|
||||
- Window **pp;
|
||||
- for(pp=&pSelect->pWin; *pp; pp=&(*pp)->pNextWin){
|
||||
- if( *pp==pE->y.pWin ){
|
||||
- *pp = (*pp)->pNextWin;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
+ /* Since this expresion is being changed into a reference
|
||||
+ ** to an identical expression in the result set, remove all Window
|
||||
+ ** objects belonging to the expression from the Select.pWin list. */
|
||||
+ resolveRemoveWindows(pSelect, pE);
|
||||
pItem->u.x.iOrderByCol = j+1;
|
||||
}
|
||||
}
|
||||
diff --git a/test/window1.test b/test/window1.test
|
||||
index 2c504205e..b3073985b 100644
|
||||
--- a/test/window1.test
|
||||
+++ b/test/window1.test
|
||||
@@ -594,6 +594,26 @@
|
||||
} {
|
||||
}
|
||||
|
||||
+#-------------------------------------------------------------------------
|
||||
+do_execsql_test 17.0 {
|
||||
+ CREATE TABLE t8(a);
|
||||
+ INSERT INTO t8 VALUES(1), (2), (3);
|
||||
+}
|
||||
+
|
||||
+do_execsql_test 17.1 {
|
||||
+ SELECT +sum(0) OVER () ORDER BY +sum(0) OVER ();
|
||||
+} {0}
|
||||
+
|
||||
+do_execsql_test 17.2 {
|
||||
+ select +sum(a) OVER () FROM t8 ORDER BY +sum(a) OVER () DESC;
|
||||
+} {6 6 6}
|
||||
+
|
||||
+do_execsql_test 17.3 {
|
||||
+ SELECT 10+sum(a) OVER (ORDER BY a)
|
||||
+ FROM t8
|
||||
+ ORDER BY 10+sum(a) OVER (ORDER BY a) DESC;
|
||||
+} {16 13 11}
|
||||
+
|
||||
# 2020-05-23
|
||||
# ticket 7a5279a25c57adf1
|
||||
#
|
||||
--
|
||||
2.39.2
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
Summary: Library that implements an embeddable SQL database engine
|
||||
Name: sqlite
|
||||
Version: %{rpmver}
|
||||
Release: 17%{?dist}
|
||||
Release: 18%{?dist}
|
||||
License: Public Domain
|
||||
Group: Applications/Databases
|
||||
URL: http://www.sqlite.org/
|
||||
@ -101,6 +101,9 @@ Patch36: sqlite-3.26.0-CVE-2020-35525.patch
|
||||
# Fix for CVE-2022-35737
|
||||
# https://www.sqlite.org/src/info/26db4fc22fe66658
|
||||
Patch37: sqlite-3.26.0-CVE-2022-35737.patch
|
||||
# Fix for CVE-2020-24736
|
||||
# https://www.sqlite.org/src/info/579b66eaa0816561
|
||||
Patch38: sqlite-3.26.0-CVE-2020-24736.patch
|
||||
|
||||
BuildRequires: ncurses-devel readline-devel glibc-devel
|
||||
BuildRequires: autoconf
|
||||
@ -233,6 +236,7 @@ This package contains the analysis program for %{name}.
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
|
||||
|
||||
# Remove backup-file
|
||||
@ -334,6 +338,9 @@ make test
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Apr 14 2023 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-18
|
||||
- Fixed CVE-2022-24736
|
||||
|
||||
* Tue Nov 15 2022 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-17
|
||||
- Fixed CVE-2022-35737
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user