From d397abe6e9ca0f340e97ee2810223462053c6390 Mon Sep 17 00:00:00 2001 
From: James Antill Date: Thu, 26 May 2022 14:33:05 -0400 Subject: [PATCH] Auto sync2gitlab import of sqlite-3.26.0-15.el8.src.rpm --- .gitignore | 3 + EMPTY | 1 - sources | 3 + sqlite-3.12.2-no-malloc-usable-size.patch | 24 + sqlite-3.16-datetest-2.2c.patch | 14 + sqlite-3.18.0-sync2-dirsync.patch | 90 ++ sqlite-3.26-CVE-2019-13752.patch | 149 ++++ sqlite-3.26-CVE-2019-13753.patch | 25 + sqlite-3.26.0-CVE-2019-13734.patch | 107 +++ sqlite-3.26.0-CVE-2019-13750.patch | 158 ++++ sqlite-3.26.0-CVE-2019-13751.patch | 22 + sqlite-3.26.0-CVE-2019-16168.patch | 65 ++ sqlite-3.26.0-CVE-2019-19603.patch | 124 +++ sqlite-3.26.0-CVE-2019-19923.patch | 67 ++ sqlite-3.26.0-CVE-2019-19924.patch | 60 ++ sqlite-3.26.0-CVE-2019-19925.patch | 50 ++ sqlite-3.26.0-CVE-2019-19959.patch | 63 ++ sqlite-3.26.0-CVE-2019-20218.patch | 102 +++ sqlite-3.26.0-CVE-2019-5018.patch | 281 ++++++ sqlite-3.26.0-CVE-2019-5827.patch | 442 ++++++++++ sqlite-3.26.0-CVE-2020-13434.patch | 73 ++ sqlite-3.26.0-CVE-2020-13435.patch | 144 ++++ sqlite-3.26.0-CVE-2020-13630.patch | 88 ++ sqlite-3.26.0-CVE-2020-13631.patch | 98 +++ sqlite-3.26.0-CVE-2020-13632.patch | 67 ++ sqlite-3.26.0-CVE-2020-15358.patch | 88 ++ sqlite-3.26.0-CVE-2020-6405.patch | 27 + sqlite-3.26.0-CVE-2020-9327.patch | 106 +++ sqlite-3.26.0-out-of-bounds-read.patch | 89 ++ sqlite-3.26.0-zPath-covscan.patch | 71 ++ sqlite-3.6.23-lemon-system-template.patch | 21 + sqlite-3.7.7.1-stupid-openfiles-test.patch | 37 + sqlite-3.8.0-percentile-test.patch | 15 + sqlite-3.8.10.1-tcl-regress-tests.patch | 137 +++ sqlite.spec | 960 +++++++++++++++++++++ 35 files changed, 3870 insertions(+), 1 deletion(-) create mode 100644 .gitignore delete mode 100644 EMPTY create mode 100644 sources create mode 100644 sqlite-3.12.2-no-malloc-usable-size.patch create mode 100644 sqlite-3.16-datetest-2.2c.patch create mode 100644 sqlite-3.18.0-sync2-dirsync.patch create mode 100644 sqlite-3.26-CVE-2019-13752.patch create mode 100644 sqlite-3.26-CVE-2019-13753.patch 
create mode 100644 sqlite-3.26.0-CVE-2019-13734.patch create mode 100644 sqlite-3.26.0-CVE-2019-13750.patch create mode 100644 sqlite-3.26.0-CVE-2019-13751.patch create mode 100644 sqlite-3.26.0-CVE-2019-16168.patch create mode 100644 sqlite-3.26.0-CVE-2019-19603.patch create mode 100644 sqlite-3.26.0-CVE-2019-19923.patch create mode 100644 sqlite-3.26.0-CVE-2019-19924.patch create mode 100644 sqlite-3.26.0-CVE-2019-19925.patch create mode 100644 sqlite-3.26.0-CVE-2019-19959.patch create mode 100644 sqlite-3.26.0-CVE-2019-20218.patch create mode 100644 sqlite-3.26.0-CVE-2019-5018.patch create mode 100644 sqlite-3.26.0-CVE-2019-5827.patch create mode 100644 sqlite-3.26.0-CVE-2020-13434.patch create mode 100644 sqlite-3.26.0-CVE-2020-13435.patch create mode 100644 sqlite-3.26.0-CVE-2020-13630.patch create mode 100644 sqlite-3.26.0-CVE-2020-13631.patch create mode 100644 sqlite-3.26.0-CVE-2020-13632.patch create mode 100644 sqlite-3.26.0-CVE-2020-15358.patch create mode 100644 sqlite-3.26.0-CVE-2020-6405.patch create mode 100644 sqlite-3.26.0-CVE-2020-9327.patch create mode 100644 sqlite-3.26.0-out-of-bounds-read.patch create mode 100644 sqlite-3.26.0-zPath-covscan.patch create mode 100644 sqlite-3.6.23-lemon-system-template.patch create mode 100644 sqlite-3.7.7.1-stupid-openfiles-test.patch create mode 100644 sqlite-3.8.0-percentile-test.patch create mode 100644 sqlite-3.8.10.1-tcl-regress-tests.patch create mode 100644 sqlite.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3c0c7a6 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +/sqlite-autoconf-3260000.tar.gz +/sqlite-doc-3260000.zip +/sqlite-src-3260000.zip diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/sources b/sources new file mode 100644 index 0000000..ca0ff79 --- /dev/null +++ b/sources 
@@ -0,0 +1,3 @@
+SHA512 (sqlite-autoconf-3260000.tar.gz) = 8c3306b3814a0e9bc69b741f62bdb6efc9f1e07163ca3e3a1581994465de163a7924223522e812d6b3663c1525c7012a6f6d73ad333556eba9f97ce9326fbdb8
+SHA512 (sqlite-doc-3260000.zip) = e59f74369adb3ffe3afc235e4369101b8ba077f9cac34d524e2425278c3a30f63340613e5baa0fc3c693265525377b6830a1c6b5e97fb06702b89eb604b1eade
+SHA512 (sqlite-src-3260000.zip) = 02faacd831781f25a12ffc8858d648f481d8bbdb68814b18c4c96e3a661233d0e25d675b95feeb35eee4b5ea88e5e0a1fc5fbaecbe434d3f7246d80e81bff6a3
diff --git a/sqlite-3.12.2-no-malloc-usable-size.patch b/sqlite-3.12.2-no-malloc-usable-size.patch
new file mode 100644
index 0000000..b983bd3
--- /dev/null
+++ b/sqlite-3.12.2-no-malloc-usable-size.patch
@@ -0,0 +1,24 @@
+diff -up sqlite-src-3120200/configure.ac.malloc_usable_size sqlite-src-3120200/configure.ac
+--- sqlite-src-3120200/configure.ac.malloc_usable_size 2016-04-25 09:46:48.134690570 +0200
++++ sqlite-src-3120200/configure.ac 2016-04-25 09:48:41.622637181 +0200
+@@ -108,7 +108,7 @@ AC_CHECK_HEADERS([sys/types.h stdlib.h s
+ #########
+ # Figure out whether or not we have these functions
+ #
+-AC_CHECK_FUNCS([fdatasync gmtime_r isnan localtime_r localtime_s malloc_usable_size strchrnul usleep utime pread pread64 pwrite pwrite64])
++AC_CHECK_FUNCS([fdatasync gmtime_r isnan localtime_r localtime_s strchrnul usleep utime pread pread64 pwrite pwrite64])
+
+ #########
+ # By default, we use the amalgamation (this may be changed below...)
+diff -up sqlite-src-3120200/configure.malloc_usable_size sqlite-src-3120200/configure
+--- sqlite-src-3120200/configure.malloc_usable_size 2016-04-25 09:47:12.594679063 +0200
++++ sqlite-src-3120200/configure 2016-04-25 09:49:28.684615042 +0200
+@@ -10275,7 +10275,7 @@ done
+ #########
+ # Figure out whether or not we have these functions
+ #
+-for ac_func in fdatasync gmtime_r isnan localtime_r localtime_s malloc_usable_size strchrnul usleep utime pread pread64 pwrite pwrite64
++for ac_func in fdatasync gmtime_r isnan localtime_r localtime_s strchrnul usleep utime pread pread64 pwrite pwrite64
+ do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/sqlite-3.16-datetest-2.2c.patch b/sqlite-3.16-datetest-2.2c.patch
new file mode 100644
index 0000000..63857db
--- /dev/null
+++ b/sqlite-3.16-datetest-2.2c.patch
@@ -0,0 +1,14 @@
+--- sqlite-src-3160100/test/date.test.orig 2017-01-04 14:48:46.113737093 +0100
++++ sqlite-src-3160100/test/date.test 2017-01-04 14:49:11.144833563 +0100
+@@ -76,11 +76,6 @@ datetest 2.1c datetime(0,'unixepochx') N
+ datetest 2.1d datetime('2003-10-22','unixepoch') NULL
+ datetest 2.2 datetime(946684800,'unixepoch') {2000-01-01 00:00:00}
+ datetest 2.2b datetime('946684800','unixepoch') {2000-01-01 00:00:00}
+-for {set i 0} {$i<1000} {incr i} {
+- set sql [format {strftime('%%H:%%M:%%f',1237962480.%03d,'unixepoch')} $i]
+- set res [format {06:28:00.%03d} $i]
+- datetest 2.2c-$i $sql $res
+-}
+ datetest 2.3 {date('2003-10-22','weekday 0')} 2003-10-26
+ datetest 2.4 {date('2003-10-22','weekday 1')} 2003-10-27
+ datetest 2.4a {date('2003-10-22','weekday 1')} 2003-10-27
diff --git a/sqlite-3.18.0-sync2-dirsync.patch b/sqlite-3.18.0-sync2-dirsync.patch
new file mode 100644
index 0000000..0c7d0a5
--- /dev/null
+++ b/sqlite-3.18.0-sync2-dirsync.patch
@@ -0,0 +1,90 @@ +--- sqlite-src-3180000/test/sync2.test.sync2-dirsync 2017-03-30 21:26:42.000000000 +0200 ++++ sqlite-src-3180000/test/sync2.test 2017-04-03 13:16:14.422329691 +0200 +@@ -44,6 +44,15 @@ + uplevel [list do_test $tn [list execsql_sync $sql] [list {*}$res]] + } + ++# Wrapper over the expected sync count, takes DIRSYNC into consideration ++proc expected_sync_count {sync_count} { ++ ifcapable dirsync { ++ return $sync_count ++ } else { ++ return [ incr sync_count -1 ] ++ } ++} ++ + #----------------------------------------------------------------------- + # Tests for journal mode. + # +@@ -53,13 +62,13 @@ + INSERT INTO t1 VALUES(1, 2); + } + +-do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } 4 ++do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } [ expected_sync_count 4 ] + + # synchronous=normal. So, 1 sync on the directory, 1 on the journal, 1 + # on the db file. 3 in total. + do_execsql_test 1.2.1 { PRAGMA main.synchronous = NORMAL } + do_execsql_test 1.2.2 { PRAGMA main.synchronous } 1 +-do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } 3 ++do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } [ expected_sync_count 3 ] + + # synchronous=off. No syncs. + do_execsql_test 1.3.1 { PRAGMA main.synchronous = OFF } +@@ -70,7 +79,7 @@ + # 2 on the journal, 1 on the db file. 4 in total. + do_execsql_test 1.4.1 { PRAGMA main.synchronous = FULL } + do_execsql_test 1.4.2 { PRAGMA main.synchronous } 2 +-do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } 4 ++do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } [ expected_sync_count 4 ] + + #----------------------------------------------------------------------- + # Tests for wal mode. +@@ -79,7 +88,7 @@ + + # sync=full, journal_mode=wal. One sync on the directory, two on the + # wal file. +-do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } 3 ++do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } [ expected_sync_count 3 ] + + # One sync on the wal file. 
+ do_execsql_sync_test 1.7 { INSERT INTO t1 VALUES(13, 14) } 1 +@@ -112,7 +121,7 @@ + + # Wal mode, sync=normal. The first transaction does one sync on directory, + # one on the wal file. The second does no syncs. +- do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } 2 ++ do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } [ expected_sync_count 2 ] + do_execsql_sync_test 1.11.2 { INSERT INTO t1 VALUES(21, 22) } 0 + do_execsql_test 1.11.3 { PRAGMA main.synchronous } 1 + +@@ -129,14 +138,14 @@ + # Delete mode, sync=full. The first transaction does one sync on + # directory, two on the journal file, one on the db. The second does + # the same. +- do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } 4 +- do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } 4 ++ do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } [ expected_sync_count 4 ] ++ do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } [ expected_sync_count 4 ] + do_execsql_test 1.15.3 { PRAGMA main.synchronous } 2 + + # Switch back to wal mode. + do_execsql_test 1.16 { PRAGMA journal_mode = wal } {wal} + +- do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } 2 ++ do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } [ expected_sync_count 2 ] + do_execsql_sync_test 1.17.2 { INSERT INTO t1 VALUES(32, 33) } 0 + do_execsql_test 1.17.3 { PRAGMA main.synchronous } 1 + +@@ -152,8 +161,8 @@ + # Close and reopen the db. Back to synchronous=normal. + db close + sqlite3 db test.db +- do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } 4 +- do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } 4 ++ do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } [ expected_sync_count 4 ] ++ do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } [ expected_sync_count 4 ] + do_execsql_test 1.20.3 { PRAGMA main.synchronous } 2 + } + 
diff --git a/sqlite-3.26-CVE-2019-13752.patch b/sqlite-3.26-CVE-2019-13752.patch new file mode 100644 index 0000000..b298a21 --- /dev/null +++ b/sqlite-3.26-CVE-2019-13752.patch 
@@ -0,0 +1,149 @@ +From 92b243715eea17997ed9707540757d0667ad9eb2 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Thu, 2 Jan 2020 09:54:41 +0100 +Subject: [PATCH] Improved detection of corrupt shadow tables in FTS3. Enable + the debugging special-inserts for FTS3 for both SQLITE_DEBUG and SQLITE_TEST. + +Resolves: CVE-2019-13752 +--- + ext/fts3/fts3.c | 2 +- + ext/fts3/fts3Int.h | 2 +- + ext/fts3/fts3_write.c | 42 +++++++++++++++++++++++++++--------------- + 3 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c +index f6fb931..6d6bd46 100644 +--- a/ext/fts3/fts3.c ++++ b/ext/fts3/fts3.c +@@ -4304,7 +4304,7 @@ static int fts3EvalPhraseStart(Fts3Cursor *pCsr, int bOptOk, Fts3Phrase *p){ + int bIncrOk = (bOptOk + && pCsr->bDesc==pTab->bDescIdx + && p->nToken<=MAX_INCR_PHRASE_TOKENS && p->nToken>0 +-#ifdef SQLITE_TEST ++#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST) + && pTab->bNoIncrDoclist==0 + #endif + ); +diff --git a/ext/fts3/fts3Int.h b/ext/fts3/fts3Int.h +index 077bad7..6f5a7a0 100644 +--- a/ext/fts3/fts3Int.h ++++ b/ext/fts3/fts3Int.h +@@ -283,7 +283,7 @@ struct Fts3Table { + int mxSavepoint; /* Largest valid xSavepoint integer */ + #endif + +-#ifdef SQLITE_TEST ++#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST) + /* True to disable the incremental doclist optimization. This is controled + ** by special insert command 'test-no-incr-doclist'. */ + int bNoIncrDoclist; +diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c +index 8fc6589..ee668aa 100644 +--- a/ext/fts3/fts3_write.c ++++ b/ext/fts3/fts3_write.c +@@ -23,7 +23,7 @@ + #include + #include + #include +- ++#include + + #define FTS_MAX_APPENDABLE_HEIGHT 16 + +@@ -2021,6 +2021,11 @@ static int fts3NodeAddTerm( + nPrefix = fts3PrefixCompress(pTree->zTerm, pTree->nTerm, zTerm, nTerm); + nSuffix = nTerm-nPrefix; + ++ /* If nSuffix is zero or less, then zTerm/nTerm must be a prefix of ++ ** pWriter->zTerm/pWriter->nTerm. i.e. 
must be equal to or less than when ++ ** compared with BINARY collation. This indicates corruption. */ ++ if( nSuffix<=0 ) return FTS_CORRUPT_VTAB; ++ + nReq += sqlite3Fts3VarintLen(nPrefix)+sqlite3Fts3VarintLen(nSuffix)+nSuffix; + if( nReq<=p->nNodeSize || !pTree->zTerm ){ + +@@ -2309,9 +2314,11 @@ static int fts3SegWriterAdd( + /* Append the prefix-compressed term and doclist to the buffer. */ + nData += sqlite3Fts3PutVarint(&pWriter->aData[nData], nPrefix); + nData += sqlite3Fts3PutVarint(&pWriter->aData[nData], nSuffix); ++ assert( nSuffix>0 ); + memcpy(&pWriter->aData[nData], &zTerm[nPrefix], nSuffix); + nData += nSuffix; + nData += sqlite3Fts3PutVarint(&pWriter->aData[nData], nDoclist); ++ assert( nDoclist>0 ); + memcpy(&pWriter->aData[nData], aDoclist, nDoclist); + pWriter->nData = nData + nDoclist; + +@@ -2331,6 +2338,7 @@ static int fts3SegWriterAdd( + pWriter->zTerm = zNew; + } + assert( pWriter->zTerm==pWriter->zMalloc ); ++ assert( nTerm>0 ); + memcpy(pWriter->zTerm, zTerm, nTerm); + }else{ + pWriter->zTerm = (char *)zTerm; +@@ -2639,6 +2647,7 @@ static int fts3MsrBufferData( + pMsr->aBuffer = pNew; + } + ++ assert( nList>0 ); + memcpy(pMsr->aBuffer, pList, nList); + return SQLITE_OK; + } +@@ -3821,6 +3830,7 @@ static int fts3IncrmergePush( + ** be added to. */ + nPrefix = fts3PrefixCompress(pNode->key.a, pNode->key.n, zTerm, nTerm); + nSuffix = nTerm - nPrefix; ++ if( NEVER(nSuffix<=0) ) return FTS_CORRUPT_VTAB; + nSpace = sqlite3Fts3VarintLen(nPrefix); + nSpace += sqlite3Fts3VarintLen(nSuffix) + nSuffix; + +@@ -5300,7 +5310,7 @@ static int fts3DoIntegrityCheck( + ** meaningful value to insert is the text 'optimize'. 
+ */ + static int fts3SpecialInsert(Fts3Table *p, sqlite3_value *pVal){ +- int rc; /* Return Code */ ++ int rc = SQLITE_ERROR; /* Return Code */ + const char *zVal = (const char *)sqlite3_value_text(pVal); + int nVal = sqlite3_value_bytes(pVal); + +@@ -5316,21 +5326,23 @@ static int fts3SpecialInsert(Fts3Table *p, sqlite3_value *pVal){ + rc = fts3DoIncrmerge(p, &zVal[6]); + }else if( nVal>10 && 0==sqlite3_strnicmp(zVal, "automerge=", 10) ){ + rc = fts3DoAutoincrmerge(p, &zVal[10]); +-#ifdef SQLITE_TEST +- }else if( nVal>9 && 0==sqlite3_strnicmp(zVal, "nodesize=", 9) ){ +- p->nNodeSize = atoi(&zVal[9]); +- rc = SQLITE_OK; +- }else if( nVal>11 && 0==sqlite3_strnicmp(zVal, "maxpending=", 9) ){ +- p->nMaxPendingData = atoi(&zVal[11]); +- rc = SQLITE_OK; +- }else if( nVal>21 && 0==sqlite3_strnicmp(zVal, "test-no-incr-doclist=", 21) ){ +- p->bNoIncrDoclist = atoi(&zVal[21]); +- rc = SQLITE_OK; +-#endif ++#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST) + }else{ +- rc = SQLITE_ERROR; ++ int v; ++ if( nVal>9 && 0==sqlite3_strnicmp(zVal, "nodesize=", 9) ){ ++ v = atoi(&zVal[9]); ++ if( v>=24 && v<=p->nPgsz-35 ) p->nNodeSize = v; ++ rc = SQLITE_OK; ++ }else if( nVal>11 && 0==sqlite3_strnicmp(zVal, "maxpending=", 9) ){ ++ v = atoi(&zVal[11]); ++ if( v>=64 && v<=FTS3_MAX_PENDING_DATA ) p->nMaxPendingData = v; ++ rc = SQLITE_OK; ++ }else if( nVal>21 && 0==sqlite3_strnicmp(zVal,"test-no-incr-doclist=",21) ){ ++ p->bNoIncrDoclist = atoi(&zVal[21]); ++ rc = SQLITE_OK; ++ } ++#endif + } +- + return rc; + } + +-- +2.19.1 + diff --git a/sqlite-3.26-CVE-2019-13753.patch b/sqlite-3.26-CVE-2019-13753.patch new file mode 100644 index 0000000..cc21b6d --- /dev/null +++ b/sqlite-3.26-CVE-2019-13753.patch 
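Review bot: In the rewritten `fts3SpecialInsert` branch chain, the `maxpending=` test still compares only 9 bytes, `sqlite3_strnicmp(zVal, "maxpending=", 9)`, while it requires `nVal>11` and parses the value from `&zVal[11]`, so any input that shares just the first nine characters is accepted as this command. The length should cover the whole 11-character prefix, `sqlite3_strnicmp(zVal, "maxpending=", 11)`, as the sibling `nodesize=` (9) and `test-no-incr-doclist=` (21) branches already do. The branch was previously compiled only under SQLITE_TEST and this patch extends it to SQLITE_DEBUG builds, so the loose match now exists in more build configurations. The new range checks on `v` drop out-of-range values but still return SQLITE_OK; a one-line comment such as `/* out-of-range values are ignored, not rejected */` would make that choice explicit.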
@@ -0,0 +1,25 @@
+From 0b3ba64a9c7f785f6b3f1c1c15c5b0f1e41e0461 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Thu, 2 Jan 2020 10:25:58 +0100
+Subject: [PATCH] Remove a reachable NEVER() in FTS3.
+
+---
+ ext/fts3/fts3_write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c
+index ee668aa..8624329 100644
+--- a/ext/fts3/fts3_write.c
++++ b/ext/fts3/fts3_write.c
+@@ -3830,7 +3830,7 @@ static int fts3IncrmergePush(
+ ** be added to. */
+ nPrefix = fts3PrefixCompress(pNode->key.a, pNode->key.n, zTerm, nTerm);
+ nSuffix = nTerm - nPrefix;
+- if( NEVER(nSuffix<=0) ) return FTS_CORRUPT_VTAB;
++ if(nSuffix<=0 ) return FTS_CORRUPT_VTAB;
+ nSpace = sqlite3Fts3VarintLen(nPrefix);
+ nSpace += sqlite3Fts3VarintLen(nSuffix) + nSuffix;
+
+--
+2.19.1
+
diff --git a/sqlite-3.26.0-CVE-2019-13734.patch b/sqlite-3.26.0-CVE-2019-13734.patch
new file mode 100644
index 0000000..9cb8e4c
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2019-13734.patch
@@ -0,0 +1,107 @@ +From 5f4ce30babee8085fc36680c6103d9a06be49ef7 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Thu, 2 Jan 2020 11:58:39 +0100 +Subject: [PATCH] More improvements to shadow table corruption detection in + FTS3. + +--- + ext/fts3/fts3.c | 4 ++++ + ext/fts3/fts3Int.h | 10 ++++++++++ + ext/fts3/fts3_write.c | 14 +++++++++++--- + 3 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c +index 6d6bd46..84fc8a5 100644 +--- a/ext/fts3/fts3.c ++++ b/ext/fts3/fts3.c +@@ -1460,6 +1460,10 @@ static int fts3InitVtab( + fts3DatabasePageSize(&rc, p); + p->nNodeSize = p->nPgsz-35; + ++#if defined(SQLITE_DEBUG)||defined(SQLITE_TEST) ++ p->nMergeCount = FTS3_MERGE_COUNT; ++#endif ++ + /* Declare the table schema to SQLite. */ + fts3DeclareVtab(&rc, p); + +diff --git a/ext/fts3/fts3Int.h b/ext/fts3/fts3Int.h +index 6f5a7a0..0d1b491 100644 +--- a/ext/fts3/fts3Int.h ++++ b/ext/fts3/fts3Int.h +@@ -287,9 +287,19 @@ struct Fts3Table { + /* True to disable the incremental doclist optimization. This is controled + ** by special insert command 'test-no-incr-doclist'. */ + int bNoIncrDoclist; ++ ++ /* Number of segments in a level */ ++ int nMergeCount; + #endif + }; + ++/* Macro to find the number of segments to merge */ ++#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST) ++# define MergeCount(P) ((P)->nMergeCount) ++#else ++# define MergeCount(P) FTS3_MERGE_COUNT ++#endif ++ + /* + ** When the core wants to read from the virtual table, it creates a + ** virtual table cursor (an instance of the following structure) using +diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c +index 8624329..d57d265 100644 +--- a/ext/fts3/fts3_write.c ++++ b/ext/fts3/fts3_write.c +@@ -1152,7 +1152,7 @@ static int fts3AllocateSegdirIdx( + ** segment and allocate (newly freed) index 0 at level iLevel. Otherwise, + ** if iNext is less than FTS3_MERGE_COUNT, allocate index iNext. 
+ */ +- if( iNext>=FTS3_MERGE_COUNT ){ ++ if( iNext>=MergeCount(p) ){ + fts3LogMerge(16, getAbsoluteLevel(p, iLangid, iIndex, iLevel)); + rc = fts3SegmentMerge(p, iLangid, iIndex, iLevel); + *piIdx = 0; +@@ -4259,6 +4259,10 @@ static int fts3IncrmergeLoad( + int i; + int nHeight = (int)aRoot[0]; + NodeWriter *pNode; ++ if( nHeight<1 || nHeight>FTS_MAX_APPENDABLE_HEIGHT ){ ++ sqlite3_reset(pSelect); ++ return FTS_CORRUPT_VTAB; ++ } + + pWriter->nLeafEst = (int)((iEnd - iStart) + 1)/FTS_MAX_APPENDABLE_HEIGHT; + pWriter->iStart = iStart; +@@ -5007,7 +5011,7 @@ static int fts3DoIncrmerge( + const char *zParam /* Nul-terminated string containing "A,B" */ + ){ + int rc; +- int nMin = (FTS3_MERGE_COUNT / 2); ++ int nMin = (MergeCount(p) / 2); + int nMerge = 0; + const char *z = zParam; + +@@ -5052,7 +5056,7 @@ static int fts3DoAutoincrmerge( + int rc = SQLITE_OK; + sqlite3_stmt *pStmt = 0; + p->nAutoincrmerge = fts3Getint(&zParam); +- if( p->nAutoincrmerge==1 || p->nAutoincrmerge>FTS3_MERGE_COUNT ){ ++ if( p->nAutoincrmerge==1 || p->nAutoincrmerge>MergeCount(p) ){ + p->nAutoincrmerge = 8; + } + if( !p->bHasStat ){ +@@ -5340,6 +5344,10 @@ static int fts3SpecialInsert(Fts3Table *p, sqlite3_value *pVal){ + }else if( nVal>21 && 0==sqlite3_strnicmp(zVal,"test-no-incr-doclist=",21) ){ + p->bNoIncrDoclist = atoi(&zVal[21]); + rc = SQLITE_OK; ++ }else if( nVal>11 && 0==sqlite3_strnicmp(zVal,"mergecount=",11) ){ ++ v = atoi(&zVal[11]); ++ if( v>=4 && v<=FTS3_MERGE_COUNT && (v&1)==0 ) p->nMergeCount = v; ++ rc = SQLITE_OK; + } + #endif + } +-- +2.19.1 + diff --git a/sqlite-3.26.0-CVE-2019-13750.patch b/sqlite-3.26.0-CVE-2019-13750.patch new file mode 100644 index 0000000..7b2adab --- /dev/null +++ b/sqlite-3.26.0-CVE-2019-13750.patch 
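Review bot: The new bound in `fts3IncrmergeLoad`, `nHeight>FTS_MAX_APPENDABLE_HEIGHT`, still accepts a root height equal to the limit, and `nHeight` comes straight from the stored byte `aRoot[0]`, which a corrupt shadow table controls. If `nHeight` is later used to index a per-level writer array with `FTS_MAX_APPENDABLE_HEIGHT` elements, a height of 16 would land one element past the end. The array and its use are outside this hunk, so this needs confirming against the struct declaration. In that case the guard should be `if( nHeight<1 || nHeight>=FTS_MAX_APPENDABLE_HEIGHT ){`. Either way, a comment on the check stating which array bound it protects would let the next reader verify the inequality.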
@@ -0,0 +1,158 @@ +Subject: [PATCH] In defensive mode, do not allow shadow tables to be renamed + using ALTER TABLE and do not allow shadow tables to be dropped. + +diff --git a/src/alter.c b/src/alter.c +index 0fa24c0..707472a 100644 +--- a/src/alter.c ++++ b/src/alter.c +@@ -28,9 +28,16 @@ + ** + ** Or, if zName is not a system table, zero is returned. + */ +-static int isSystemTable(Parse *pParse, const char *zName){ +- if( 0==sqlite3StrNICmp(zName, "sqlite_", 7) ){ +- sqlite3ErrorMsg(pParse, "table %s may not be altered", zName); ++static int isAlterableTable(Parse *pParse, Table *pTab){ ++ if( 0==sqlite3StrNICmp(pTab->zName, "sqlite_", 7) ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ || ( (pTab->tabFlags & TF_Shadow) ++ && (pParse->db->flags & SQLITE_Defensive) ++ && pParse->db->nVdbeExec==0 ++ ) ++#endif ++ ){ ++ sqlite3ErrorMsg(pParse, "table %s may not be altered", pTab->zName); + return 1; + } + return 0; +@@ -129,7 +136,7 @@ void sqlite3AlterRenameTable( + /* Make sure it is not a system table being altered, or a reserved name + ** that the table is being renamed to. 
+ */ +- if( SQLITE_OK!=isSystemTable(pParse, pTab->zName) ){ ++ if( SQLITE_OK!=isAlterableTable(pParse, pTab) ){ + goto exit_rename_table; + } + if( SQLITE_OK!=sqlite3CheckObjectName(pParse, zName) ){ goto +@@ -427,7 +434,7 @@ void sqlite3AlterBeginAddColumn(Parse *pParse, SrcList *pSrc){ + sqlite3ErrorMsg(pParse, "Cannot add a column to a view"); + goto exit_begin_add_column; + } +- if( SQLITE_OK!=isSystemTable(pParse, pTab->zName) ){ ++ if( SQLITE_OK!=isAlterableTable(pParse, pTab) ){ + goto exit_begin_add_column; + } + +@@ -529,7 +536,7 @@ void sqlite3AlterRenameColumn( + if( !pTab ) goto exit_rename_column; + + /* Cannot alter a system table */ +- if( SQLITE_OK!=isSystemTable(pParse, pTab->zName) ) goto exit_rename_column; ++ if( SQLITE_OK!=isAlterableTable(pParse, pTab) ) goto exit_rename_column; + if( SQLITE_OK!=isRealTable(pParse, pTab) ) goto exit_rename_column; + + /* Which schema holds the table to be altered */ +diff --git a/src/build.c b/src/build.c +index 1dc2614..3412670 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -2661,6 +2661,22 @@ void sqlite3CodeDropTable(Parse *pParse, Table *pTab, int iDb, int isView){ + sqliteViewResetAll(db, iDb); + } + ++/* ++** Return true if it is not allowed to drop the given table ++*/ ++static int tableMayNotBeDropped(Parse *pParse, Table *pTab){ ++ if( sqlite3StrNICmp(pTab->zName, "sqlite_", 7)==0 ){ ++ if( sqlite3StrNICmp(pTab->zName+7, "stat", 4)==0 ) return 0; ++ if( sqlite3StrNICmp(pTab->zName+7, "parameters", 10)==0 ) return 0; ++ return 1; ++ } ++ if( pTab->tabFlags & TF_Shadow ){ ++ sqlite3 *db = pParse->db; ++ if( (db->flags & SQLITE_Defensive)!=0 && db->nVdbeExec==0 ) return 1; ++ } ++ return 0; ++} ++ + /* + ** This routine is called to do the work of a DROP TABLE statement. + ** pName is the name of the table to be dropped. 
+@@ -2730,8 +2746,7 @@ void sqlite3DropTable(Parse *pParse, SrcList *pName, int isView, int noErr){ + } + } + #endif +- if( sqlite3StrNICmp(pTab->zName, "sqlite_", 7)==0 +- && sqlite3StrNICmp(pTab->zName, "sqlite_stat", 11)!=0 ){ ++ if( tableMayNotBeDropped(pParse, pTab) ){ + sqlite3ErrorMsg(pParse, "table %s may not be dropped", pTab->zName); + goto exit_drop_table; + } +diff --git a/test/altertab.test b/test/altertab.test +index a364207..891b081 100644 +--- a/test/altertab.test ++++ b/test/altertab.test +@@ -505,5 +505,62 @@ do_execsql_test 15.5 { + SELECT sql FROM sqlite_master WHERE name = 'y'; + } {{CREATE VIEW y AS SELECT f2 AS f1 FROM x}} + ++#------------------------------------------------------------------------- ++# Test that it is not possible to rename a shadow table in DEFENSIVE mode. ++# ++ifcapable fts3 { ++ proc vtab_command {method args} { ++ switch -- $method { ++ xConnect { ++ if {[info exists ::vtab_connect_sql]} { ++ execsql $::vtab_connect_sql ++ } ++ return "CREATE TABLE t1(a, b, c)" ++ } ++ ++ xBestIndex { ++ set clist [lindex $args 0] ++ if {[llength $clist]!=1} { error "unexpected constraint list" } ++ catch { array unset C } ++ array set C [lindex $clist 0] ++ if {$C(usable)} { ++ return "omit 0 cost 0 rows 1 idxnum 555 idxstr eq!" ++ } else { ++ return "cost 1000000 rows 0 idxnum 0 idxstr scan..." 
++ } ++ } ++ } ++ ++ return {} ++ } ++ ++ register_tcl_module db ++ ++ sqlite3_db_config db DEFENSIVE 1 ++ ++ do_execsql_test 16.0 { ++ CREATE VIRTUAL TABLE y1 USING fts3; ++ } ++ ++ do_catchsql_test 16.10 { ++ INSERT INTO y1_segments VALUES(1, X'1234567890'); ++ } {1 {table y1_segments may not be modified}} ++ ++ do_catchsql_test 16.20 { ++ ALTER TABLE y1_segments RENAME TO abc; ++ } {1 {table y1_segments may not be altered}} ++ ++ do_catchsql_test 16.21 { ++ DROP TABLE y1_segments; ++ } {1 {table y1_segments may not be dropped}} ++ ++ do_execsql_test 16.30 { ++ ALTER TABLE y1 RENAME TO z1; ++ } ++ ++ do_execsql_test 16.40 { ++ SELECT * FROM z1_segments; ++ } ++} + + finish_test diff --git a/sqlite-3.26.0-CVE-2019-13751.patch b/sqlite-3.26.0-CVE-2019-13751.patch new file mode 100644 index 0000000..e0e345b --- /dev/null +++ b/sqlite-3.26.0-CVE-2019-13751.patch @@ -0,0 +1,22 @@ +Subject: [PATCH] Further improve detection of corrupt records in fts3 + +--- + ext/fts3/fts3_write.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/fts3/fts3_write.c b/ext/fts3/fts3_write.c +index 5330b4c..0647bd7 100644 +--- a/ext/fts3/fts3_write.c ++++ b/ext/fts3/fts3_write.c +@@ -1376,7 +1376,7 @@ static int fts3SegReaderNext( + pNext += fts3GetVarint32(pNext, &nSuffix); + if( nSuffix<=0 + || (&pReader->aNode[pReader->nNode] - pNext)pReader->nTermAlloc ++ || nPrefix>pReader->nTerm + ){ + return FTS_CORRUPT_VTAB; + } +-- +2.30.2 + diff --git a/sqlite-3.26.0-CVE-2019-16168.patch b/sqlite-3.26.0-CVE-2019-16168.patch new file mode 100644 index 0000000..d968605 --- /dev/null +++ b/sqlite-3.26.0-CVE-2019-16168.patch 
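Review bot: `isAlterableTable()` in src/alter.c returns 1 when the table may not be altered, so the new name reads as the opposite of its result, and the context comment kept above it still describes the old `zName` parameter ("if zName is not a system table, zero is returned"). Because this function now also enforces the defensive-mode protection of shadow tables, an inverted reading by a future caller would silently disable that protection. Consider a name that matches the return value, for example `tableMayNotBeAltered`, which would parallel `tableMayNotBeDropped()` added to src/build.c in the same patch. The header comment should also be updated to say that non-zero is returned, with an error left in pParse, for `sqlite_` tables and for `TF_Shadow` tables when `SQLITE_Defensive` is set and `db->nVdbeExec==0`. The function body and the rest of that comment begin outside the hunk.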
@@ -0,0 +1,65 @@ +From ab17169870e985b062e520ecf95e6c79ad784f38 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Thu, 23 Apr 2020 11:25:13 +0200 +Subject: [PATCH] fixed CVE-2019-16168 (rhbz#1826897) + +--- + src/analyze.c | 4 +++- + src/where.c | 1 + + test/analyzeC.test | 13 +++++++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/analyze.c b/src/analyze.c +index 5075b57..e47c0f5 100644 +--- a/src/analyze.c ++++ b/src/analyze.c +@@ -1497,7 +1497,9 @@ static void decodeIntArray( + if( sqlite3_strglob("unordered*", z)==0 ){ + pIndex->bUnordered = 1; + }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){ +- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3)); ++ int sz = sqlite3Atoi(z+3); ++ if( sz<2 ) sz = 2; ++ pIndex->szIdxRow = sqlite3LogEst(sz); + }else if( sqlite3_strglob("noskipscan*", z)==0 ){ + pIndex->noSkipScan = 1; + } +diff --git a/src/where.c b/src/where.c +index 8e01660..1a4fa51 100644 +--- a/src/where.c ++++ b/src/where.c +@@ -2655,6 +2655,7 @@ static int whereLoopAddBtreeIndex( + ** it to pNew->rRun, which is currently set to the cost of the index + ** seek only. Then, if this is a non-covering index, add the cost of + ** visiting the rows in the main table. */ ++ assert( pSrc->pTab->szTabRow>0 ); + rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow; + pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx); + if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){ +diff --git a/test/analyzeC.test b/test/analyzeC.test +index 02faa9c..3595c9d 100644 +--- a/test/analyzeC.test ++++ b/test/analyzeC.test +@@ -132,6 +132,19 @@ do_execsql_test 4.3 { + SELECT count(a) FROM t1; + } {/.*INDEX t1ca.*/} + ++# 2019-08-15. ++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901 ++# The sz=N parameter in the sqlite_stat1 table needs to have a value of ++# 2 or more to avoid a division by zero in the query planner. 
++# ++do_execsql_test 4.4 { ++ DROP TABLE IF EXISTS t44; ++ CREATE TABLE t44(a PRIMARY KEY); ++ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0'); ++ ANALYZE sqlite_master; ++ SELECT 0 FROM t44 WHERE a IN(1,2,3); ++} {} ++ + + # The sz=NNN parameter works even if there is other extraneous text + # in the sqlite_stat1.stat column. +-- +2.24.1 + diff --git a/sqlite-3.26.0-CVE-2019-19603.patch b/sqlite-3.26.0-CVE-2019-19603.patch new file mode 100644 index 0000000..23402b0 --- /dev/null +++ b/sqlite-3.26.0-CVE-2019-19603.patch 
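Review bot: The only guard placed at the division in `whereLoopAddBtreeIndex` is `assert( pSrc->pTab->szTabRow>0 );`, which compiles away in release builds, so production code relies entirely on the `if( sz<2 ) sz = 2;` clamp added in `decodeIntArray`. That clamp writes `pIndex->szIdxRow`, and how `szTabRow` is derived from it is not visible in these hunks, so it is worth confirming that no other path can leave `szTabRow` at zero. Once confirmed, record the dependency next to the assert, for example `/* szTabRow>0: sz= values are clamped to >=2 in decodeIntArray() */`, so the invariant can be re-checked when either site changes.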
@@ -0,0 +1,124 @@ +Subject: [PATCH] Do not allow CREATE TABLE or CREATE VIEW of an object with a name + that looks like a shadow table name. + +diff --git a/src/build.c b/src/build.c +index 3412670..f273394 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -814,6 +814,22 @@ int sqlite3WritableSchema(sqlite3 *db){ + return (db->flags&(SQLITE_WriteSchema|SQLITE_Defensive))==SQLITE_WriteSchema; + } + ++/* ++** Return TRUE if shadow tables should be read-only in the current ++** context. ++*/ ++int sqlite3ReadOnlyShadowTables(sqlite3 *db){ ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ if( (db->flags & SQLITE_Defensive)!=0 ++ && db->pVtabCtx==0 ++ && db->nVdbeExec==0 ++ ){ ++ return 1; ++ } ++#endif ++ return 0; ++} ++ + /* + ** This routine is used to check if the UTF-8 string zName is a legal + ** unqualified name for a new schema object (table, index, view or +@@ -822,9 +838,10 @@ int sqlite3WritableSchema(sqlite3 *db){ + ** is reserved for internal use. + */ + int sqlite3CheckObjectName(Parse *pParse, const char *zName){ +- if( !pParse->db->init.busy && pParse->nested==0 ++ if(( !pParse->db->init.busy && pParse->nested==0 + && sqlite3WritableSchema(pParse->db)==0 +- && 0==sqlite3StrNICmp(zName, "sqlite_", 7) ){ ++ && 0==sqlite3StrNICmp(zName, "sqlite_", 7) ) || ++ (sqlite3ReadOnlyShadowTables(pParse->db) && sqlite3ShadowTableName(pParse->db, zName))){ + sqlite3ErrorMsg(pParse, "object name reserved for internal use: %s", zName); + return SQLITE_ERROR; + } +@@ -1929,7 +1946,7 @@ int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){ + ** zName is temporarily modified while this routine is running, but is + ** restored to its original value prior to this routine returning. 
+ */ +-static int isShadowTableName(sqlite3 *db, char *zName){ ++int sqlite3ShadowTableName(sqlite3 *db, const char *zName){ + char *zTail; /* Pointer to the last "_" in zName */ + Table *pTab; /* Table that zName is a shadow of */ + +@@ -1942,8 +1959,6 @@ static int isShadowTableName(sqlite3 *db, char *zName){ + if( !IsVirtual(pTab) ) return 0; + return sqlite3IsShadowTableOf(db, pTab, zName); + } +-#else +-# define isShadowTableName(x,y) 0 + #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ + + /* +@@ -1985,7 +2000,7 @@ void sqlite3EndTable( + p = pParse->pNewTable; + if( p==0 ) return; + +- if( pSelect==0 && isShadowTableName(db, p->zName) ){ ++ if( pSelect==0 && sqlite3ShadowTableName(db, p->zName) ){ + p->tabFlags |= TF_Shadow; + } + +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 60b2ebd..e5ba8a0 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -4408,6 +4408,11 @@ void sqlite3AutoLoadExtensions(sqlite3*); + ); + # define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0) + #endif ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ int sqlite3ShadowTableName(sqlite3 *db, const char *zName); ++#else ++# define sqlite3ShadowTableName(A,B) 0 ++#endif + #ifndef SQLITE_OMIT_VIRTUALTABLE + int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*); + #else +diff --git a/test/altertab.test b/test/altertab.test +index 891b081..0705abc 100644 +--- a/test/altertab.test ++++ b/test/altertab.test +@@ -547,13 +547,29 @@ ifcapable fts3 { + } {1 {table y1_segments may not be modified}} + + do_catchsql_test 16.20 { +- ALTER TABLE y1_segments RENAME TO abc; +- } {1 {table y1_segments may not be altered}} +- +- do_catchsql_test 16.21 { + DROP TABLE y1_segments; + } {1 {table y1_segments may not be dropped}} + ++ do_catchsql_test 16.20 { ++ ALTER TABLE y1_segments RENAME TO abc; ++ } {1 {table y1_segments may not be altered}} ++ sqlite3_db_config db DEFENSIVE 0 ++ do_catchsql_test 16.22 { ++ ALTER TABLE y1_segments RENAME TO abc; ++ } {0 {}} ++ sqlite3_db_config db DEFENSIVE 1 
++ do_catchsql_test 16.23 { ++ CREATE TABLE y1_segments AS SELECT * FROM abc; ++ } {1 {object name reserved for internal use: y1_segments}} ++ do_catchsql_test 16.24 { ++ CREATE VIEW y1_segments AS SELECT * FROM abc; ++ } {1 {object name reserved for internal use: y1_segments}} ++ sqlite3_db_config db DEFENSIVE 0 ++ do_catchsql_test 16.25 { ++ ALTER TABLE abc RENAME TO y1_segments; ++ } {0 {}} ++ sqlite3_db_config db DEFENSIVE 1 ++ + do_execsql_test 16.30 { + ALTER TABLE y1 RENAME TO z1; + } diff --git a/sqlite-3.26.0-CVE-2019-19923.patch b/sqlite-3.26.0-CVE-2019-19923.patch new file mode 100644 index 0000000..ea95b19 --- /dev/null +++ b/sqlite-3.26.0-CVE-2019-19923.patch 
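Review bot: `sqlite3ShadowTableName()` now takes `const char *zName`, but the context comment kept directly above it still says that zName is temporarily modified while the routine runs. The function body lies outside the hunk; if it still writes through a pointer into `zName` to cut the name at the last `_`, the const qualifier is misleading. The new call from `sqlite3CheckObjectName` hands it a `const char *` whose storage this patch does not show to be writable, and writing to read-only storage is undefined behaviour. Either keep the parameter as `char *zName` and have the caller pass a writable copy, or do the parent-table lookup on a private copy inside the function, and update the comment to match whichever is chosen.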
@@ -0,0 +1,67 @@
+From 7d47517d579601bb6e59e33bf0896f0ed36aa0aa Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Mon, 20 Jan 2020 09:34:41 +0100
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+ check-in
+
+by disallowing query flattening if the outer query is DISTINCT. Without this fix,
+if an index scan is run on the table within the view on the right-hand side of the
+LEFT JOIN, stale result registers might be accessed yielding incorrect results,
+and/or an OP_IfNullRow opcode might be invoked on the un-opened table, resulting
+in a NULL-pointer dereference. This problem was found by the Yongheng and Rui fuzzer.
+---
+ src/select.c | 8 ++++++--
+ test/join.test | 13 +++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index c60ff27..0205a08 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -3569,6 +3569,7 @@ static void substSelect(
+ ** (3b) the FROM clause of the subquery may not contain a virtual
+ ** table and
+ ** (3c) the outer query may not be an aggregate.
++** (3d) the outer query may not be DISTINCT.
+ **
+ ** (4) The subquery can not be DISTINCT.
+ **
+@@ -3765,8 +3766,11 @@ static int flattenSubquery(
+ */
+ if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
+ isLeftJoin = 1;
+- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
+- /* (3a) (3c) (3b) */
++ if( pSubSrc->nSrc>1 /* (3a) */
++ || isAgg /* (3b) */
++ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */
++ || (p->selFlags & SF_Distinct)!=0 /* (3d) */
++ ){
+ return 0;
+ }
+ }
+diff --git a/test/join.test b/test/join.test
+index 8c6f463..8c6a53d 100644
+--- a/test/join.test
++++ b/test/join.test
+@@ -844,4 +844,17 @@ do_execsql_test join-15.110 {
+ ORDER BY a1, a2, a3, a4, a5;
+ } {1 {} {} {} {} 1 11 {} {} {} 1 12 {} {} {} 1 12 121 {} {} 1 13 {} {} {}}
+
++# 2019-12-18 problem with a LEFT JOIN where the RHS is a view.
++# Detected by Yongheng and Rui.
++# Follows from the optimization attempt of check-in 41c27bc0ff1d3135
++# on 2017-04-18
++#
++reset_db
++do_execsql_test join-22.10 {
++ CREATE TABLE t0(a, b);
++ CREATE INDEX t0a ON t0(a);
++ INSERT INTO t0 VALUES(10,10),(10,11),(10,12);
++ SELECT DISTINCT c FROM t0 LEFT JOIN (SELECT a+1 AS c FROM t0) ORDER BY c ;
++} {11}
++
+ finish_test
+--
+2.19.1
+
diff --git a/sqlite-3.26.0-CVE-2019-19924.patch b/sqlite-3.26.0-CVE-2019-19924.patch
new file mode 100644
index 0000000..df29238
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2019-19924.patch
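Review bot: The inline rule tags added in flattenSubquery (src/select.c) do not match the rule list in the header comment: the header defines (3b) as the virtual-table restriction and (3c) as the aggregate restriction, but the new condition labels `isAgg` as (3b) and `IsVirtual(pSubSrc->a[0].pTab)` as (3c). The removed line carried them in the matching order, `/* (3a) (3c) (3b) */`. Swapping the two tags, `|| isAgg /* (3c) */` and `|| IsVirtual(pSubSrc->a[0].pTab) /* (3b) */`, keeps the numbering usable when a later fix or backport cites a rule by number. flattenSubquery's body starts and ends outside the hunk.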
@@ -0,0 +1,60 @@
+From 6b06304c2a46e17a6dc4402eadc75ccac24da893 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Fri, 17 Jan 2020 13:03:54 +0100
+Subject: [PATCH] When an error occurs while rewriting the parser tree for
+ window functions in the sqlite3WindowRewrite() routine, make sure that
+ pParse->nErr is set, and make sure that this shuts down any subsequent code
+ generation that might depend on the transformations that were implemented.
+ This fixes a problem discovered by the Yongheng and Rui fuzzer.
+
+---
+ src/expr.c | 1 +
+ src/vdbeaux.c | 3 ++-
+ src/window.c | 5 +++++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index d4eb9de..b081ca2 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -344,6 +344,7 @@ static int codeCompare(
+ int addr;
+ CollSeq *p4;
+
++ if( pParse->nErr ) return 0;
+ p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
+ p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
+ addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
+diff --git a/src/vdbeaux.c b/src/vdbeaux.c
+index f1496a3..b74141b 100644
+--- a/src/vdbeaux.c
++++ b/src/vdbeaux.c
+@@ -1160,7 +1160,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
+ */
+ static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
+ assert( p->nOp>0 || p->aOp==0 );
+- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
++ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
++ || p->pParse->nErr>0 );
+ if( p->nOp ){
+ assert( p->aOp );
+ sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
+diff --git a/src/window.c b/src/window.c
+index f5deae9..56c0145 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -843,6 +843,11 @@ int sqlite3WindowRewrite(Parse *pParse, Select *p){
+ if( db->mallocFailed ) rc = SQLITE_NOMEM;
+ }
+
++ if( rc && pParse->nErr==0 ){
++ assert( pParse->db->mallocFailed );
++ return SQLITE_NOMEM;
++ }
++
+ return rc;
+ }
+
+--
+2.19.1
+
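Review bot: The early return added to sqlite3WindowRewrite (src/window.c) does not do what the subject line promises: when `rc` is non-zero and `pParse->nErr==0` it returns SQLITE_NOMEM without setting `pParse->nErr`, and the only check that an allocation failure is the cause is an `assert` that is compiled out of release builds. The guard added to codeCompare, `if( pParse->nErr ) return 0;`, keys off that counter, so whether later code generation really stops depends on how the caller treats the return value, which is not visible here. Recording the error before returning would make the two halves agree, for example `pParse->rc = SQLITE_NOMEM; pParse->nErr++;` ahead of the `return`. Both functions continue outside their hunks.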
diff --git a/sqlite-3.26.0-CVE-2019-19925.patch b/sqlite-3.26.0-CVE-2019-19925.patch
new file mode 100644
index 0000000..bed5060
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2019-19925.patch
@@ -0,0 +1,50 @@
+From 1986c6384122947b10804cbc5c4d7af85e097404 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Mon, 20 Jan 2020 10:09:55 +0100
+Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the
+ pathname of
+
+the file being inserted is a NULL. Bug discovered by the
+Yongheng and Rui fuzzer.
+---
+ ext/misc/zipfile.c | 1 +
+ test/zipfile.test | 13 +++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
+index e57dc38..6f48d0f 100644
+--- a/ext/misc/zipfile.c
++++ b/ext/misc/zipfile.c
+@@ -1618,6 +1618,7 @@ static int zipfileUpdate(
+
+ if( rc==SQLITE_OK ){
+ zPath = (const char*)sqlite3_value_text(apVal[2]);
++ if( zPath==0 ) zPath = "";
+ nPath = (int)strlen(zPath);
+ mTime = zipfileGetTime(apVal[4]);
+ }
+diff --git a/test/zipfile.test b/test/zipfile.test
+index 2bab066..5bca10b 100644
+--- a/test/zipfile.test
++++ b/test/zipfile.test
+@@ -795,4 +795,17 @@ if {$tcl_platform(platform)!="windows"} {
+ } {. ./x1.txt ./x2.txt}
+ }
+
++# 2019-12-18 Yongheng and Rui fuzzer
++#
++do_execsql_test 13.10 {
++ DROP TABLE IF EXISTS t0;
++ DROP TABLE IF EXISTS t1;
++ CREATE TABLE t0(a,b,c,d,e,f,g);
++ REPLACE INTO t0(c,b,f) VALUES(10,10,10);
++ CREATE VIRTUAL TABLE t1 USING zipfile('h.zip');
++ REPLACE INTO t1 SELECT * FROM t0;
++ SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata),
++ quote(data),quote(method) FROM t1;
++} {'' 10 10 2 X'3130' X'3130' 0}
++
+ finish_test
+--
+2.19.1
+
diff --git a/sqlite-3.26.0-CVE-2019-19959.patch b/sqlite-3.26.0-CVE-2019-19959.patch
new file mode 100644
index 0000000..ec1965c
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2019-19959.patch
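Review bot: The added `if( zPath==0 ) zPath = "";` in zipfileUpdate (ext/misc/zipfile.c) treats every NULL from sqlite3_value_text() as an empty name, but that call also returns NULL when the text conversion runs out of memory, so an allocation failure would be written as an archive entry named '' instead of being reported. Checking `sqlite3_value_type(apVal[2])==SQLITE_NULL` before substituting `""`, and setting `rc = SQLITE_NOMEM` (skipping the `strlen()`) otherwise, keeps the NULL-dereference fix without hiding the failure. The new test 13.10 only pins the SQL NULL case. zipfileUpdate continues outside the hunk.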
@@ -0,0 +1,63 @@
+From 16c5290d72cb8059e9dfe545613183b850fc44e4 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Mon, 20 Jan 2020 10:26:35 +0100
+Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
+ it is able to
+
+deal with goofy filenames that contain embedded zeros.
+---
+ ext/misc/zipfile.c | 4 ++--
+ test/zipfile.test | 13 +++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
+index 6f48d0f..e6141ef 100644
+--- a/ext/misc/zipfile.c
++++ b/ext/misc/zipfile.c
+@@ -1632,7 +1632,7 @@ static int zipfileUpdate(
+ zFree = sqlite3_mprintf("%s/", zPath);
+ if( zFree==0 ){ rc = SQLITE_NOMEM; }
+ zPath = (const char*)zFree;
+- nPath++;
++ nPath = (int)strlen(zPath);
+ }
+ }
+
+@@ -2033,11 +2033,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
+ }else{
+ if( zName[nName-1]!='/' ){
+ zName = zFree = sqlite3_mprintf("%s/", zName);
+- nName++;
+ if( zName==0 ){
+ rc = SQLITE_NOMEM;
+ goto zipfile_step_out;
+ }
++ nName = (int)strlen(zName);
+ }else{
+ while( nName>1 && zName[nName-2]=='/' ) nName--;
+ }
+diff --git a/test/zipfile.test b/test/zipfile.test
+index 5bca10b..e4b8088 100644
+--- a/test/zipfile.test
++++ b/test/zipfile.test
+@@ -808,4 +808,17 @@ do_execsql_test 13.10 {
+ quote(data),quote(method) FROM t1;
+ } {'' 10 10 2 X'3130' X'3130' 0}
+
++# 2019-12-23 Yongheng and Rui fuzzer
++# Run using valgrind to see the problem.
++#
++do_execsql_test 14.10 {
++ DROP TABLE t1;
++ CREATE TABLE t1(x char);
++ INSERT INTO t1(x) VALUES('1');
++ INSERT INTO t1(x) SELECT zipfile(x, 'xyz') FROM t1;
++ INSERT INTO t1(x) SELECT zipfile(x, 'uvw') FROM t1;
++ SELECT count(*) FROM t1;
++ PRAGMA integrity_check;
++} {3 ok}
++
+ finish_test
+--
+2.19.1
+
diff --git a/sqlite-3.26.0-CVE-2019-20218.patch b/sqlite-3.26.0-CVE-2019-20218.patch
new file mode 100644
index 0000000..befc39b
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2019-20218.patch
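Review bot: In the zipfileUpdate hunk the replacement `nPath = (int)strlen(zPath);` runs even when `sqlite3_mprintf()` failed: the line before it assigns `zPath = (const char*)zFree`, so on an allocation failure `strlen()` is handed a NULL pointer, where the old `nPath++` was harmless. The zipfileStep hunk in the same patch gets this right by placing the `strlen()` after the `zName==0` check. Guard it the same way here, `if( zFree==0 ){ rc = SQLITE_NOMEM; nPath = 0; }else{ nPath = (int)strlen(zPath); }`. zipfileUpdate's body continues outside the hunk.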
@@ -0,0 +1,102 @@
+From ff5f246e41239cc4dd33ffa73883fa07f78674e1 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Fri, 7 Aug 2020 07:00:29 +0200
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error.
+
+---
+ src/select.c | 5 ++++-
+ src/util.c | 1 +
+ test/altertab2.test | 20 ++++++++++++++++++++
+ test/with3.test | 10 +++++++++-
+ 4 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index c46f177..a6d1757 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -4639,6 +4639,9 @@ static int withExpand(
+ With *pWith; /* WITH clause that pCte belongs to */
+
+ assert( pFrom->pTab==0 );
++ if( pParse->nErr ){
++ return SQLITE_ERROR;
++ }
+
+ pCte = searchWith(pParse->pWith, pFrom, &pWith);
+ if( pCte ){
+@@ -4908,7 +4911,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+
+ /* Process NATURAL keywords, and ON and USING clauses of joins.
+ */
+- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+ return WRC_Abort;
+ }
+
+diff --git a/src/util.c b/src/util.c
+index 54f9b93..96b0b14 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -222,6 +222,7 @@ void sqlite3ErrorMsg(Parse *pParse, const char *zFormat, ...){
+ sqlite3DbFree(db, pParse->zErrMsg);
+ pParse->zErrMsg = zMsg;
+ pParse->rc = SQLITE_ERROR;
++ pParse->pWith = 0;
+ }
+ }
+
+diff --git a/test/altertab2.test b/test/altertab2.test
+index 2e4212c..2102e02 100644
+--- a/test/altertab2.test
++++ b/test/altertab2.test
+@@ -85,5 +85,25 @@ do_execsql_test 2.3 {
+ {CREATE TABLE c3(x, FOREIGN KEY (x) REFERENCES "p3"(a))}
+ }
+
++#------------------------------------------------------------------------
++#
++reset_db
++do_execsql_test 3.0 {
++ CREATE TABLE v0 (a);
++ CREATE VIEW v2 (v3) AS
++ WITH x1 AS (SELECT * FROM v2)
++ SELECT v3 AS x, v3 AS y FROM v2;
++}
++
++do_catchsql_test 3.1 {
++ SELECT * FROM v2
++} {1 {view v2 is circularly defined}}
++
++db close
++sqlite3 db test.db
++
++do_catchsql_test 3.2 {
++ ALTER TABLE v0 RENAME TO t3 ;
++} {1 {error in view v2: view v2 is circularly defined}}
+
+ finish_test
+diff --git a/test/with3.test b/test/with3.test
+index de150b1..4a3a5a7 100644
+--- a/test/with3.test
++++ b/test/with3.test
+@@ -30,7 +30,15 @@ do_catchsql_test 1.0 {
+ SELECT 5 FROM t0 UNION SELECT 8 FROM m
+ )
+ SELECT * FROM i;
+-} {1 {no such table: m}}
++} {1 {no such table: t0}}
++
++# 2019-11-09 dbfuzzcheck find
++do_catchsql_test 1.1 {
++ CREATE VIEW v1(x,y) AS
++ WITH t1(a,b) AS (VALUES(1,2))
++ SELECT * FROM nosuchtable JOIN t1;
++ SELECT * FROM v1;
++} {1 {no such table: main.nosuchtable}}
+
+ # Additional test cases that came out of the work to
+ # fix for Kostya's problem.
+--
+2.26.0
+
diff --git a/sqlite-3.26.0-CVE-2019-5018.patch b/sqlite-3.26.0-CVE-2019-5018.patch
new file mode 100644
index 0000000..fde7e0a
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2019-5018.patch
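Review bot: The line `pParse->pWith = 0;` added to sqlite3ErrorMsg (src/util.c) carries no comment, and it is the one change here whose purpose cannot be read from the code: it drops the parser's WITH-stack pointer on every reported error, and nothing in the hunk shows who releases the With objects it referred to. A short comment would record the intent from the subject line, e.g. `/* After an error, do not unwind the WITH stack; With objects are released by their owners */`, with the ownership half confirmed against the parser cleanup code before it is written down. The expected message of test/with3.test case 1.0 also changes from `no such table: m` to `no such table: t0`, a user-visible difference that callers matching on error text would notice.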
@@ -0,0 +1,281 @@
+Subject: [PATCH] Prevent aliases of window functions expressions from being
+ used as arguments to aggregate or other window functions.
+
+---
+ src/resolve.c | 21 ++++++---
+ src/sqliteInt.h | 2 +
+ test/windowerr.tcl | 59 ++++++++++++++++++++++++++
+ test/windowerr.test | 99 ++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 176 insertions(+), 5 deletions(-)
+ create mode 100644 test/windowerr.tcl
+ create mode 100644 test/windowerr.test
+
+diff --git a/src/resolve.c b/src/resolve.c
+index 0c7dfc0..cdcf4d9 100644
+--- a/src/resolve.c
++++ b/src/resolve.c
+@@ -436,6 +436,10 @@ static int lookupName(
+ sqlite3ErrorMsg(pParse, "misuse of aliased aggregate %s", zAs);
+ return WRC_Abort;
+ }
++ if( (pNC->ncFlags&NC_AllowWin)==0 && ExprHasProperty(pOrig, EP_Win) ){
++ sqlite3ErrorMsg(pParse, "misuse of aliased window function %s",zAs);
++ return WRC_Abort;
++ }
+ if( sqlite3ExprVectorSize(pOrig)!=1 ){
+ sqlite3ErrorMsg(pParse, "row value misused");
+ return WRC_Abort;
+@@ -707,6 +711,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+ const char *zId; /* The function name. */
+ FuncDef *pDef; /* Information about the function */
+ u8 enc = ENC(pParse->db); /* The database encoding */
++ int savedAllowFlags = (pNC->ncFlags & (NC_AllowAgg | NC_AllowWin));
+
+ assert( !ExprHasProperty(pExpr, EP_xIsSelect) );
+ zId = pExpr->u.zToken;
+@@ -828,8 +833,11 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+ pNC->nErr++;
+ }
+ if( is_agg ){
++ /* Window functions may not be arguments of aggregate functions.
++ ** Or arguments of other window functions. But aggregate functions
++ ** may be arguments for window functions. */
+ #ifndef SQLITE_OMIT_WINDOWFUNC
+- pNC->ncFlags &= ~(pExpr->y.pWin ? NC_AllowWin : NC_AllowAgg);
++ pNC->ncFlags &= ~(NC_AllowWin | (!pExpr->y.pWin ? NC_AllowAgg : 0));
+ #else
+ pNC->ncFlags &= ~NC_AllowAgg;
+ #endif
+@@ -850,7 +858,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+ pExpr->y.pWin->pNextWin = pSel->pWin;
+ pSel->pWin = pExpr->y.pWin;
+ }
+- pNC->ncFlags |= NC_AllowWin;
++ pNC->ncFlags |= NC_HasWin;
+ }else
+ #endif /* SQLITE_OMIT_WINDOWFUNC */
+ {
+@@ -868,8 +876,8 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+ pNC2->ncFlags |= NC_HasAgg | (pDef->funcFlags & SQLITE_FUNC_MINMAX);
+
+ }
+- pNC->ncFlags |= NC_AllowAgg;
+ }
++ pNC->ncFlags |= savedAllowFlags;
+ }
+ /* FIX ME: Compute pExpr->affinity based on the expected return
+ ** type of the function
+@@ -1573,8 +1581,8 @@ int sqlite3ResolveExprNames(
+ Walker w;
+
+ if( pExpr==0 ) return SQLITE_OK;
+- savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg);
+- pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg);
++ savedHasAgg = pNC->ncFlags & (NC_HasAgg|NC_MinMaxAgg|NC_HasWin);
++ pNC->ncFlags &= ~(NC_HasAgg|NC_MinMaxAgg|NC_HasWin);
+ w.pParse = pNC->pParse;
+ w.xExprCallback = resolveExprStep;
+ w.xSelectCallback = resolveSelectStep;
+@@ -1593,6 +1601,9 @@ int sqlite3ResolveExprNames(
+ if( pNC->ncFlags & NC_HasAgg ){
+ ExprSetProperty(pExpr, EP_Agg);
+ }
++ if( pNC->ncFlags & NC_HasWin ){
++ ExprSetProperty(pExpr, EP_Win);
++ }
+ pNC->ncFlags |= savedHasAgg;
+ return pNC->nErr>0 || w.pParse->nErr>0;
+ }
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 5f5f3cc..b7d3571 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2517,6 +2517,7 @@ struct Expr {
+ #define EP_Alias 0x400000 /* Is an alias for a result set column */
+ #define EP_Leaf 0x800000 /* Expr.pLeft, .pRight, .u.pSelect all NULL */
+ #define EP_WinFunc 0x1000000 /* TK_FUNCTION with Expr.y.pWin set */
++#define EP_Win 0x8000000 /* Contains window functions */
+
+ /*
+ ** The EP_Propagate mask is a set of properties that automatically propagate
+@@ -2773,6 +2774,7 @@ struct NameContext {
+ #define NC_MinMaxAgg 0x1000 /* min/max aggregates seen. See note above */
+ #define NC_Complex 0x2000 /* True if a function or subquery seen */
+ #define NC_AllowWin 0x4000 /* Window functions are allowed here */
++#define NC_HasWin 0x8000 /* One or more window functions seen */
+
+ /*
+ ** An instance of the following object describes a single ON CONFLICT
+diff --git a/test/windowerr.tcl b/test/windowerr.tcl
+new file mode 100644
+index 0000000..80f464d
+--- /dev/null
++++ b/test/windowerr.tcl
+@@ -0,0 +1,59 @@
++# 2018 May 19
++#
++# The author disclaims copyright to this source code. In place of
++# a legal notice, here is a blessing:
++#
++# May you do good and not evil.
++# May you find forgiveness for yourself and forgive others.
++# May you share freely, never taking more than you give.
++#
++#***********************************************************************
++#
++
++source [file join [file dirname $argv0] pg_common.tcl]
++
++#=========================================================================
++
++start_test windowerr "2019 March 01"
++ifcapable !windowfunc
++
++execsql_test 1.0 {
++ DROP TABLE IF EXISTS t1;
++ CREATE TABLE t1(a INTEGER, b INTEGER);
++ INSERT INTO t1 VALUES(1, 1);
++ INSERT INTO t1 VALUES(2, 2);
++ INSERT INTO t1 VALUES(3, 3);
++ INSERT INTO t1 VALUES(4, 4);
++ INSERT INTO t1 VALUES(5, 5);
++}
++
++foreach {tn frame} {
++ 1 "ORDER BY a ROWS BETWEEN -1 PRECEDING AND 1 FOLLOWING"
++ 2 "ORDER BY a ROWS BETWEEN 1 PRECEDING AND -1 FOLLOWING"
++
++ 3 "ORDER BY a RANGE BETWEEN -1 PRECEDING AND 1 FOLLOWING"
++ 4 "ORDER BY a RANGE BETWEEN 1 PRECEDING AND -1 FOLLOWING"
++
++ 5 "ORDER BY a GROUPS BETWEEN -1 PRECEDING AND 1 FOLLOWING"
++ 6 "ORDER BY a GROUPS BETWEEN 1 PRECEDING AND -1 FOLLOWING"
++
++ 7 "ORDER BY a,b RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING"
++
++ 8 "PARTITION BY a RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING"
++} {
++ errorsql_test 1.$tn "
++ SELECT a, sum(b) OVER (
++ $frame
++ ) FROM t1 ORDER BY 1
++ "
++}
++errorsql_test 2.1 {
++ SELECT sum( sum(a) OVER () ) FROM t1;
++}
++
++errorsql_test 2.2 {
++ SELECT sum(a) OVER () AS xyz FROM t1 ORDER BY sum(xyz);
++}
++
++
++finish_test
+diff --git a/test/windowerr.test b/test/windowerr.test
+new file mode 100644
+index 0000000..97dae64
+--- /dev/null
++++ b/test/windowerr.test
+@@ -0,0 +1,99 @@
++# 2019 March 01
++#
++# The author disclaims copyright to this source code. In place of
++# a legal notice, here is a blessing:
++#
++# May you do good and not evil.
++# May you find forgiveness for yourself and forgive others.
++# May you share freely, never taking more than you give.
++#
++#***********************************************************************
++# This file implements regression tests for SQLite library.
++#
++
++####################################################
++# DO NOT EDIT! THIS FILE IS AUTOMATICALLY GENERATED!
++####################################################
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++set testprefix windowerr
++
++ifcapable !windowfunc { finish_test ; return }
++do_execsql_test 1.0 {
++ DROP TABLE IF EXISTS t1;
++ CREATE TABLE t1(a INTEGER, b INTEGER);
++ INSERT INTO t1 VALUES(1, 1);
++ INSERT INTO t1 VALUES(2, 2);
++ INSERT INTO t1 VALUES(3, 3);
++ INSERT INTO t1 VALUES(4, 4);
++ INSERT INTO t1 VALUES(5, 5);
++} {}
++
++# PG says ERROR: frame starting offset must not be negative
++do_test 1.1 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ ORDER BY a ROWS BETWEEN -1 PRECEDING AND 1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: frame ending offset must not be negative
++do_test 1.2 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ ORDER BY a ROWS BETWEEN 1 PRECEDING AND -1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: invalid preceding or following size in window function
++do_test 1.3 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ ORDER BY a RANGE BETWEEN -1 PRECEDING AND 1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: invalid preceding or following size in window function
++do_test 1.4 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ ORDER BY a RANGE BETWEEN 1 PRECEDING AND -1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: frame starting offset must not be negative
++do_test 1.5 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ ORDER BY a GROUPS BETWEEN -1 PRECEDING AND 1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: frame ending offset must not be negative
++do_test 1.6 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ ORDER BY a GROUPS BETWEEN 1 PRECEDING AND -1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: RANGE with offset PRECEDING/FOLLOWING requires exactly one ORDER BY column
++do_test 1.7 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ ORDER BY a,b RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: RANGE with offset PRECEDING/FOLLOWING requires exactly one ORDER BY column
++do_test 1.8 { catch { execsql {
++ SELECT a, sum(b) OVER (
++ PARTITION BY a RANGE BETWEEN 1 PRECEDING AND 1 FOLLOWING
++ ) FROM t1 ORDER BY 1
++} } } 1
++
++# PG says ERROR: aggregate function calls cannot contain window function calls
++do_test 2.1 { catch { execsql {
++ SELECT sum( sum(a) OVER () ) FROM t1;
++} } } 1
++
++# PG says ERROR: column "xyz" does not exist
++do_test 2.2 { catch { execsql {
++ SELECT sum(a) OVER () AS xyz FROM t1 ORDER BY sum(xyz);
++} } } 1
++
++finish_test
+--
+2.24.1
+
diff --git a/sqlite-3.26.0-CVE-2019-5827.patch b/sqlite-3.26.0-CVE-2019-5827.patch
new file mode 100644
index 0000000..c2a9410
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2019-5827.patch
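Review bot: The new error `misuse of aliased window function %s` raised in lookupName (src/resolve.c) is not pinned by the added tests: cases 2.1 and 2.2 in test/windowerr.test only check that the statement fails (`catch { execsql {...} }` returning 1), so they would still pass if the query were rejected for an unrelated reason. Because windowerr.test is marked as generated, a hand-written case is the place to assert the text, for example `do_catchsql_test 2.2 { SELECT sum(a) OVER () AS xyz FROM t1 ORDER BY sum(xyz) } {1 {misuse of aliased window function xyz}}`. The exact message for that query is inferred from the format string and should be confirmed by running it.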
@@ -0,0 +1,442 @@ +Subject: [PATCH] Use the 64-bit memory allocator interfaces in extensions, + whenever possible and Enforce the SQLITE_LIMIT_COLUMN limit on virtual tables + +--- + ext/fts3/fts3_snippet.c | 7 ++++--- + ext/fts3/fts3_test.c | 6 +++--- + ext/fts3/fts3_tokenize_vtab.c | 2 +- + ext/fts3/fts3_tokenizer.c | 4 ++-- + ext/fts3/fts3_write.c | 19 ++++++++++--------- + ext/fts5/fts5_tokenize.c | 2 +- + ext/rtree/geopoly.c | 20 ++++++++++---------- + src/build.c | 8 ++++---- + src/expr.c | 2 +- + src/main.c | 2 +- + src/test_fs.c | 2 +- + src/util.c | 2 +- + src/vdbeaux.c | 8 +++++--- + src/vdbesort.c | 4 ++-- + src/vtab.c | 25 +++++++++++++++---------- + 15 files changed, 61 insertions(+), 52 deletions(-) + +diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c +index 5778620..efffff3 100644 +--- a/ext/fts3/fts3_snippet.c ++++ b/ext/fts3/fts3_snippet.c +@@ -130,10 +130,11 @@ struct StrBuffer { + */ + static MatchinfoBuffer *fts3MIBufferNew(int nElem, const char *zMatchinfo){ + MatchinfoBuffer *pRet; +- int nByte = sizeof(u32) * (2*nElem + 1) + sizeof(MatchinfoBuffer); +- int nStr = (int)strlen(zMatchinfo); ++ sqlite3_int64 nByte = sizeof(u32) * (2*(sqlite3_int64)nElem + 1) ++ + sizeof(MatchinfoBuffer); ++ sqlite3_int64 nStr = strlen(zMatchinfo); + +- pRet = sqlite3_malloc(nByte + nStr+1); ++ pRet = sqlite3_malloc64(nByte + nStr+1); + if( pRet ){ + memset(pRet, 0, nByte); + pRet->aMatchinfo[0] = (u8*)(&pRet->aMatchinfo[1]) - (u8*)pRet; +diff --git a/ext/fts3/fts3_test.c b/ext/fts3/fts3_test.c +index a48a556..0b4edcc 100644 +--- a/ext/fts3/fts3_test.c ++++ b/ext/fts3/fts3_test.c +@@ -448,14 +448,14 @@ static int testTokenizerNext( + }else{ + /* Advance to the end of the token */ + const char *pToken = p; +- int nToken; ++ sqlite3_int64 nToken; + while( ppCsr->nBuffer ){ + sqlite3_free(pCsr->aBuffer); +- pCsr->aBuffer = sqlite3_malloc(nToken); ++ pCsr->aBuffer = sqlite3_malloc64(nToken); + } + if( pCsr->aBuffer==0 ){ + rc = SQLITE_NOMEM; +diff --git 
a/ext/fts3/fts3_tokenize_vtab.c b/ext/fts3/fts3_tokenize_vtab.c +index a3d24bc..5b4085b 100644 +--- a/ext/fts3/fts3_tokenize_vtab.c ++++ b/ext/fts3/fts3_tokenize_vtab.c +@@ -346,7 +346,7 @@ static int fts3tokFilterMethod( + if( idxNum==1 ){ + const char *zByte = (const char *)sqlite3_value_text(apVal[0]); + int nByte = sqlite3_value_bytes(apVal[0]); +- pCsr->zInput = sqlite3_malloc(nByte+1); ++ pCsr->zInput = sqlite3_malloc64(nByte+1); + if( pCsr->zInput==0 ){ + rc = SQLITE_NOMEM; + }else{ +diff --git a/ext/fts3/fts3_tokenizer.c b/ext/fts3/fts3_tokenizer.c +index bfc36af..fe2003e 100644 +--- a/ext/fts3/fts3_tokenizer.c ++++ b/ext/fts3/fts3_tokenizer.c +@@ -194,8 +194,8 @@ int sqlite3Fts3InitTokenizer( + int iArg = 0; + z = &z[n+1]; + while( z0 ){ +- int nByte = sizeof(Fts3SegReader) + (nElem+1)*sizeof(Fts3HashElem *); +- pReader = (Fts3SegReader *)sqlite3_malloc(nByte); ++ sqlite3_int64 nByte; ++ nByte = sizeof(Fts3SegReader) + (nElem+1)*sizeof(Fts3HashElem *); ++ pReader = (Fts3SegReader *)sqlite3_malloc64(nByte); + if( !pReader ){ + rc = SQLITE_NOMEM; + }else{ +@@ -3357,7 +3358,7 @@ static void fts3InsertDocsize( + int rc; /* Result code from subfunctions */ + + if( *pRC ) return; +- pBlob = sqlite3_malloc( 10*p->nColumn ); ++ pBlob = sqlite3_malloc64( 10*(sqlite3_int64)p->nColumn ); + if( pBlob==0 ){ + *pRC = SQLITE_NOMEM; + return; +@@ -3407,7 +3408,7 @@ static void fts3UpdateDocTotals( + const int nStat = p->nColumn+2; + + if( *pRC ) return; +- a = sqlite3_malloc( (sizeof(u32)+10)*nStat ); ++ a = sqlite3_malloc64( (sizeof(u32)+10)*(sqlite3_int64)nStat ); + if( a==0 ){ + *pRC = SQLITE_NOMEM; + return; +@@ -3528,8 +3529,8 @@ static int fts3DoRebuild(Fts3Table *p){ + } + + if( rc==SQLITE_OK ){ +- int nByte = sizeof(u32) * (p->nColumn+1)*3; +- aSz = (u32 *)sqlite3_malloc(nByte); ++ sqlite3_int64 nByte = sizeof(u32) * ((sqlite3_int64)p->nColumn+1)*3; ++ aSz = (u32 *)sqlite3_malloc64(nByte); + if( aSz==0 ){ + rc = SQLITE_NOMEM; + }else{ +@@ -3595,12 +3596,12 @@ 
static int fts3IncrmergeCsr( + ){ + int rc; /* Return Code */ + sqlite3_stmt *pStmt = 0; /* Statement used to read %_segdir entry */ +- int nByte; /* Bytes allocated at pCsr->apSegment[] */ ++ sqlite3_int64 nByte; /* Bytes allocated at pCsr->apSegment[] */ + + /* Allocate space for the Fts3MultiSegReader.aCsr[] array */ + memset(pCsr, 0, sizeof(*pCsr)); + nByte = sizeof(Fts3SegReader *) * nSeg; +- pCsr->apSegment = (Fts3SegReader **)sqlite3_malloc(nByte); ++ pCsr->apSegment = (Fts3SegReader **)sqlite3_malloc64(nByte); + + if( pCsr->apSegment==0 ){ + rc = SQLITE_NOMEM; +@@ -5591,7 +5592,7 @@ int sqlite3Fts3UpdateMethod( + } + + /* Allocate space to hold the change in document sizes */ +- aSzDel = sqlite3_malloc( sizeof(aSzDel[0])*(p->nColumn+1)*2 ); ++ aSzDel = sqlite3_malloc64(sizeof(aSzDel[0])*((sqlite3_int64)p->nColumn+1)*2); + if( aSzDel==0 ){ + rc = SQLITE_NOMEM; + goto update_out; +diff --git a/ext/fts5/fts5_tokenize.c b/ext/fts5/fts5_tokenize.c +index af2bc22..029efc5 100644 +--- a/ext/fts5/fts5_tokenize.c ++++ b/ext/fts5/fts5_tokenize.c +@@ -363,7 +363,7 @@ static int fts5UnicodeCreate( + + p->bRemoveDiacritic = 1; + p->nFold = 64; +- p->aFold = sqlite3_malloc(p->nFold * sizeof(char)); ++ p->aFold = sqlite3_malloc64(p->nFold * sizeof(char)); + if( p->aFold==0 ){ + rc = SQLITE_NOMEM; + } +diff --git a/ext/rtree/geopoly.c b/ext/rtree/geopoly.c +index f6a31f5..7b97f9b 100644 +--- a/ext/rtree/geopoly.c ++++ b/ext/rtree/geopoly.c +@@ -261,7 +261,7 @@ static GeoPoly *geopolyParseJson(const unsigned char *z, int *pRc){ + GeoPoly *pOut; + int x = 1; + s.nVertex--; /* Remove the redundant vertex at the end */ +- pOut = sqlite3_malloc64( GEOPOLY_SZ(s.nVertex) ); ++ pOut = sqlite3_malloc64( GEOPOLY_SZ((sqlite3_int64)s.nVertex) ); + x = 1; + if( pOut==0 ) goto parse_json_err; + pOut->nVertex = s.nVertex; +@@ -644,7 +644,7 @@ static GeoPoly *geopolyBBox( + if( pRc ) *pRc = SQLITE_OK; + if( aCoord==0 ){ + geopolyBboxFill: +- pOut = sqlite3_realloc(p, GEOPOLY_SZ(4)); ++ 
pOut = sqlite3_realloc64(p, GEOPOLY_SZ(4)); + if( pOut==0 ){ + sqlite3_free(p); + if( context ) sqlite3_result_error_nomem(context); +@@ -1040,9 +1040,9 @@ static GeoSegment *geopolySortSegmentsByYAndC(GeoSegment *pList){ + ** Determine the overlap between two polygons + */ + static int geopolyOverlap(GeoPoly *p1, GeoPoly *p2){ +- int nVertex = p1->nVertex + p2->nVertex + 2; ++ sqlite3_int64 nVertex = p1->nVertex + p2->nVertex + 2; + GeoOverlap *p; +- int nByte; ++ sqlite3_int64 nByte; + GeoEvent *pThisEvent; + double rX; + int rc = 0; +@@ -1054,7 +1054,7 @@ static int geopolyOverlap(GeoPoly *p1, GeoPoly *p2){ + nByte = sizeof(GeoEvent)*nVertex*2 + + sizeof(GeoSegment)*nVertex + + sizeof(GeoOverlap); +- p = sqlite3_malloc( nByte ); ++ p = sqlite3_malloc64( nByte ); + if( p==0 ) return -1; + p->aEvent = (GeoEvent*)&p[1]; + p->aSegment = (GeoSegment*)&p->aEvent[nVertex*2]; +@@ -1213,8 +1213,8 @@ static int geopolyInit( + ){ + int rc = SQLITE_OK; + Rtree *pRtree; +- int nDb; /* Length of string argv[1] */ +- int nName; /* Length of string argv[2] */ ++ sqlite3_int64 nDb; /* Length of string argv[1] */ ++ sqlite3_int64 nName; /* Length of string argv[2] */ + sqlite3_str *pSql; + char *zSql; + int ii; +@@ -1222,9 +1222,9 @@ static int geopolyInit( + sqlite3_vtab_config(db, SQLITE_VTAB_CONSTRAINT_SUPPORT, 1); + + /* Allocate the sqlite3_vtab structure */ +- nDb = (int)strlen(argv[1]); +- nName = (int)strlen(argv[2]); +- pRtree = (Rtree *)sqlite3_malloc(sizeof(Rtree)+nDb+nName+2); ++ nDb = strlen(argv[1]); ++ nName = strlen(argv[2]); ++ pRtree = (Rtree *)sqlite3_malloc64(sizeof(Rtree)+nDb+nName+2); + if( !pRtree ){ + return SQLITE_NOMEM; + } +diff --git a/src/build.c b/src/build.c +index afe4171..1dc2614 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -3760,9 +3760,9 @@ void *sqlite3ArrayAllocate( + int *pIdx /* Write the index of a new slot here */ + ){ + char *z; +- int n = *pnEntry; ++ sqlite3_int64 n = *pnEntry; + if( (n & (n-1))==0 ){ +- int sz = (n==0) ? 
1 : 2*n; ++ sqlite3_int64 sz = (n==0) ? 1 : 2*n; + void *pNew = sqlite3DbRealloc(db, pArray, sz*szEntry); + if( pNew==0 ){ + *pIdx = -1; +@@ -3870,7 +3870,7 @@ SrcList *sqlite3SrcListEnlarge( + /* Allocate additional space if needed */ + if( (u32)pSrc->nSrc+nExtra>pSrc->nAlloc ){ + SrcList *pNew; +- int nAlloc = pSrc->nSrc*2+nExtra; ++ sqlite3_int64 nAlloc = 2*(sqlite3_int64)pSrc->nSrc+nExtra; + int nGot; + pNew = sqlite3DbRealloc(db, pSrc, + sizeof(*pSrc) + (nAlloc-1)*sizeof(pSrc->a[0]) ); +@@ -4612,7 +4612,7 @@ With *sqlite3WithAdd( + } + + if( pWith ){ +- int nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte); ++ sqlite3_int64 nByte = sizeof(*pWith) + (sizeof(pWith->a[1]) * pWith->nCte); + pNew = sqlite3DbRealloc(db, pWith, nByte); + }else{ + pNew = sqlite3DbMallocZero(db, sizeof(*pWith)); +diff --git a/src/expr.c b/src/expr.c +index 5f98f76..d64b8eb 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -1547,7 +1547,7 @@ ExprList *sqlite3ExprListAppend( + }else if( (pList->nExpr & (pList->nExpr-1))==0 ){ + ExprList *pNew; + pNew = sqlite3DbRealloc(db, pList, +- sizeof(*pList)+(2*pList->nExpr - 1)*sizeof(pList->a[0])); ++ sizeof(*pList)+(2*(sqlite3_int64)pList->nExpr-1)*sizeof(pList->a[0])); + if( pNew==0 ){ + goto no_mem; + } +diff --git a/src/main.c b/src/main.c +index 46c8346..434b898 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -698,7 +698,7 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ + pStart = 0; + }else if( pBuf==0 ){ + sqlite3BeginBenignMalloc(); +- pStart = sqlite3Malloc( sz*cnt ); /* IMP: R-61949-35727 */ ++ pStart = sqlite3Malloc( sz*(sqlite3_int64)cnt ); /* IMP: R-61949-35727 */ + sqlite3EndBenignMalloc(); + if( pStart ) cnt = sqlite3MallocSize(pStart)/sz; + }else{ +diff --git a/src/test_fs.c b/src/test_fs.c +index 8192beb..1feea46 100644 +--- a/src/test_fs.c ++++ b/src/test_fs.c +@@ -744,7 +744,7 @@ static int fsColumn(sqlite3_vtab_cursor *cur, sqlite3_context *ctx, int i){ + fstat(fd, &sbuf); + + if( 
sbuf.st_size>=pCur->nAlloc ){ +- int nNew = sbuf.st_size*2; ++ sqlite3_int64 nNew = sbuf.st_size*2; + char *zNew; + if( nNew<1024 ) nNew = 1024; + +diff --git a/src/util.c b/src/util.c +index 96b0b14..7f2b977 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -1572,7 +1572,7 @@ VList *sqlite3VListAdd( + assert( pIn==0 || pIn[0]>=3 ); /* Verify ok to add new elements */ + if( pIn==0 || pIn[1]+nInt > pIn[0] ){ + /* Enlarge the allocation */ +- int nAlloc = (pIn ? pIn[0]*2 : 10) + nInt; ++ sqlite3_int64 nAlloc = (pIn ? 2*(sqlite3_int64)pIn[0] : 10) + nInt; + VList *pOut = sqlite3DbRealloc(db, pIn, nAlloc*sizeof(int)); + if( pOut==0 ) return pIn; + if( pIn==0 ) pOut[1] = 2; +diff --git a/src/vdbeaux.c b/src/vdbeaux.c +index b74141b..ffc5d0b 100644 +--- a/src/vdbeaux.c ++++ b/src/vdbeaux.c +@@ -125,9 +125,11 @@ static int growOpArray(Vdbe *v, int nOp){ + ** operation (without SQLITE_TEST_REALLOC_STRESS) is to double the current + ** size of the op array or add 1KB of space, whichever is smaller. */ + #ifdef SQLITE_TEST_REALLOC_STRESS +- int nNew = (p->nOpAlloc>=512 ? p->nOpAlloc*2 : p->nOpAlloc+nOp); ++ sqlite3_int64 nNew = (p->nOpAlloc>=512 ? 2*(sqlite3_int64)p->nOpAlloc ++ : (sqlite3_int64)p->nOpAlloc+nOp); + #else +- int nNew = (p->nOpAlloc ? p->nOpAlloc*2 : (int)(1024/sizeof(Op))); ++ sqlite3_int64 nNew = (p->nOpAlloc ? 
2*(sqlite3_int64)p->nOpAlloc ++ : (sqlite3_int64)1024/sizeof(Op)); + UNUSED_PARAMETER(nOp); + #endif + +@@ -875,7 +877,7 @@ void sqlite3VdbeScanStatus( + LogEst nEst, /* Estimated number of output rows */ + const char *zName /* Name of table or index being scanned */ + ){ +- int nByte = (p->nScan+1) * sizeof(ScanStatus); ++ sqlite3_int64 nByte = (p->nScan+1) * sizeof(ScanStatus); + ScanStatus *aNew; + aNew = (ScanStatus*)sqlite3DbRealloc(p->db, p->aScan, nByte); + if( aNew ){ +diff --git a/src/vdbesort.c b/src/vdbesort.c +index b30bc4e..d84a411 100644 +--- a/src/vdbesort.c ++++ b/src/vdbesort.c +@@ -537,7 +537,7 @@ static int vdbePmaReadBlob( + /* Extend the p->aAlloc[] allocation if required. */ + if( p->nAllocnAlloc*2); ++ sqlite3_int64 nNew = MAX(128, 2*(sqlite3_int64)p->nAlloc); + while( nByte>nNew ) nNew = nNew*2; + aNew = sqlite3Realloc(p->aAlloc, nNew); + if( !aNew ) return SQLITE_NOMEM_BKPT; +@@ -1829,7 +1829,7 @@ int sqlite3VdbeSorterWrite( + if( nMin>pSorter->nMemory ){ + u8 *aNew; + int iListOff = (u8*)pSorter->list.pList - pSorter->list.aMemory; +- int nNew = pSorter->nMemory * 2; ++ sqlite3_int64 nNew = 2 * (sqlite3_int64)pSorter->nMemory; + while( nNew < nMin ) nNew = nNew*2; + if( nNew > pSorter->mxPmaSize ) nNew = pSorter->mxPmaSize; + if( nNew < nMin ) nNew = nMin; +diff --git a/src/vtab.c b/src/vtab.c +index 1b8d283..41c6093 100644 +--- a/src/vtab.c ++++ b/src/vtab.c +@@ -302,9 +302,13 @@ void sqlite3VtabClear(sqlite3 *db, Table *p){ + ** string will be freed automatically when the table is + ** deleted. 
+ */ +-static void addModuleArgument(sqlite3 *db, Table *pTable, char *zArg){ +- int nBytes = sizeof(char *)*(2+pTable->nModuleArg); ++static void addModuleArgument(Parse *pParse, Table *pTable, char *zArg){ ++ sqlite3_int64 nBytes = sizeof(char *)*(2+pTable->nModuleArg); + char **azModuleArg; ++ sqlite3 *db = pParse->db; ++ if( pTable->nModuleArg+3>=db->aLimit[SQLITE_LIMIT_COLUMN] ){ ++ sqlite3ErrorMsg(pParse, "too many columns on %s", pTable->zName); ++ } + azModuleArg = sqlite3DbRealloc(db, pTable->azModuleArg, nBytes); + if( azModuleArg==0 ){ + sqlite3DbFree(db, zArg); +@@ -339,9 +343,9 @@ void sqlite3VtabBeginParse( + db = pParse->db; + + assert( pTable->nModuleArg==0 ); +- addModuleArgument(db, pTable, sqlite3NameFromToken(db, pModuleName)); +- addModuleArgument(db, pTable, 0); +- addModuleArgument(db, pTable, sqlite3DbStrDup(db, pTable->zName)); ++ addModuleArgument(pParse, pTable, sqlite3NameFromToken(db, pModuleName)); ++ addModuleArgument(pParse, pTable, 0); ++ addModuleArgument(pParse, pTable, sqlite3DbStrDup(db, pTable->zName)); + assert( (pParse->sNameToken.z==pName2->z && pName2->z!=0) + || (pParse->sNameToken.z==pName1->z && pName2->z==0) + ); +@@ -374,7 +378,7 @@ static void addArgumentToVtab(Parse *pParse){ + const char *z = (const char*)pParse->sArg.z; + int n = pParse->sArg.n; + sqlite3 *db = pParse->db; +- addModuleArgument(db, pParse->pNewTable, sqlite3DbStrNDup(db, z, n)); ++ addModuleArgument(pParse, pParse->pNewTable, sqlite3DbStrNDup(db, z, n)); + } + } + +@@ -663,7 +667,8 @@ static int growVTrans(sqlite3 *db){ + /* Grow the sqlite3.aVTrans array if required */ + if( (db->nVTrans%ARRAY_INCR)==0 ){ + VTable **aVTrans; +- int nBytes = sizeof(sqlite3_vtab *) * (db->nVTrans + ARRAY_INCR); ++ sqlite3_int64 nBytes = sizeof(sqlite3_vtab*)* ++ ((sqlite3_int64)db->nVTrans + ARRAY_INCR); + aVTrans = sqlite3DbRealloc(db, (void *)db->aVTrans, nBytes); + if( !aVTrans ){ + return SQLITE_NOMEM_BKPT; +@@ -1157,9 +1162,9 @@ int 
sqlite3VtabEponymousTableInit(Parse *pParse, Module *pMod){ + pTab->pSchema = db->aDb[0].pSchema; + assert( pTab->nModuleArg==0 ); + pTab->iPKey = -1; +- addModuleArgument(db, pTab, sqlite3DbStrDup(db, pTab->zName)); +- addModuleArgument(db, pTab, 0); +- addModuleArgument(db, pTab, sqlite3DbStrDup(db, pTab->zName)); ++ addModuleArgument(pParse, pTab, sqlite3DbStrDup(db, pTab->zName)); ++ addModuleArgument(pParse, pTab, 0); ++ addModuleArgument(pParse, pTab, sqlite3DbStrDup(db, pTab->zName)); + rc = vtabCallConstructor(db, pTab, pMod, pModule->xConnect, &zErr); + if( rc ){ + sqlite3ErrorMsg(pParse, "%s", zErr); +-- +2.30.2 + diff --git a/sqlite-3.26.0-CVE-2020-13434.patch b/sqlite-3.26.0-CVE-2020-13434.patch new file mode 100644 index 0000000..ec015ab --- /dev/null +++ b/sqlite-3.26.0-CVE-2020-13434.patch 
@@ -0,0 +1,73 @@ +Subject: [PATCH] Limit the "precision" of floating-point to text conversions + in the printf() function to 100,000,000. + +--- + src/printf.c | 12 ++++++++++++ + test/printf.test | 16 +++++++++++++--- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/src/printf.c b/src/printf.c +index 7bce83f..260bf79 100644 +--- a/src/printf.c ++++ b/src/printf.c +@@ -165,6 +165,13 @@ static char *getTextArg(PrintfArguments *p){ + #endif + #define etBUFSIZE SQLITE_PRINT_BUF_SIZE /* Size of the output buffer */ + ++/* ++** Hard limit on the precision of floating-point conversions. ++*/ ++#ifndef SQLITE_PRINTF_PRECISION_LIMIT ++# define SQLITE_FP_PRECISION_LIMIT 100000000 ++#endif ++ + /* + ** Render a string given by "fmt" into the StrAccum object. + */ +@@ -471,6 +478,11 @@ void sqlite3_str_vappendf( + length = 0; + #else + if( precision<0 ) precision = 6; /* Set default precision */ ++#ifdef SQLITE_FP_PRECISION_LIMIT ++ if( precision>SQLITE_FP_PRECISION_LIMIT ){ ++ precision = SQLITE_FP_PRECISION_LIMIT; ++ } ++#endif + if( realvalue<0.0 ){ + realvalue = -realvalue; + prefix = '-'; +diff --git a/test/printf.test b/test/printf.test +index d768898..a2b5e2a 100644 +--- a/test/printf.test ++++ b/test/printf.test +@@ -538,9 +538,11 @@ do_test printf-2.1.2.8 { + do_test printf-2.1.2.9 { + sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20 + } {abc: 1 1 (1e-20) :xyz} +-do_test printf-2.1.2.10 { +- sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20 +-} {abc: } ++if {$SQLITE_MAX_LENGTH<=[expr 1000*1000*1000]} { ++ do_test printf-2.1.2.10 { ++ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20 ++ } {} ++} + do_test printf-2.1.3.1 { + sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0 + } {abc: (1.0) :xyz} +@@ -3777,4 +3779,12 @@ foreach ::iRepeat {0 1} { + } + } + ++# 2020-05-23 ++# ticket 23439ea582241138 ++# ++do_execsql_test printf-16.1 { ++ SELECT printf('%.*g',2147483647,0.01); ++} {0.01} ++ ++ + finish_test 
+-- +2.24.1 + diff --git a/sqlite-3.26.0-CVE-2020-13435.patch b/sqlite-3.26.0-CVE-2020-13435.patch new file mode 100644 index 0000000..8a88771 --- /dev/null +++ b/sqlite-3.26.0-CVE-2020-13435.patch 
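Review bot: In the src/printf.c hunk the guard tests `SQLITE_PRINTF_PRECISION_LIMIT`, but the macro it defines, and the one the later `#ifdef` checks, is `SQLITE_FP_PRECISION_LIMIT`. A build that defines SQLITE_PRINTF_PRECISION_LIMIT therefore leaves SQLITE_FP_PRECISION_LIMIT undefined and compiles the precision clamp out entirely, while a build that sets SQLITE_FP_PRECISION_LIMIT itself gets a macro redefinition. Use one name in the guard: `#ifndef SQLITE_FP_PRECISION_LIMIT`. The clamp sits inside sqlite3_str_vappendf(), whose body starts and ends outside the hunk.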
@@ -0,0 +1,144 @@ +Subject: [PATCH] When rewriting a query for window functions, if the rewrite +changes the depth of TK_AGG_FUNCTION nodes, be sure to adjust the Expr.op2 +field appropriately. + +diff --git a/src/resolve.c b/src/resolve.c +index cdcf4d9..c47f6bb 100644 +--- a/src/resolve.c ++++ b/src/resolve.c +@@ -24,6 +24,8 @@ + ** + ** incrAggFunctionDepth(pExpr,n) is the main routine. incrAggDepth(..) + ** is a helper function - a callback for the tree walker. ++** ++** See also the sqlite3WindowExtraAggFuncDepth() routine in window.c + */ + static int incrAggDepth(Walker *pWalker, Expr *pExpr){ + if( pExpr->op==TK_AGG_FUNCTION ) pExpr->op2 += pWalker->u.n; +diff --git a/src/select.c b/src/select.c +index a6d1757..6f5570c 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -1961,7 +1961,7 @@ int sqlite3ColumnsFromExprList( + assert( pColExpr!=0 ); + } + assert( pColExpr->op!=TK_AGG_COLUMN ); +- if( pColExpr->op==TK_COLUMN ){ ++ if( pColExpr->op==TK_COLUMN && pColExpr->y.pTab ){ + /* For columns use the column name name */ + int iCol = pColExpr->iColumn; + Table *pTab = pColExpr->y.pTab; +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 1cf6937..ea9a7ae 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -3579,6 +3579,8 @@ void sqlite3WindowUpdate(Parse*, Window*, Window*, FuncDef*); + Window *sqlite3WindowDup(sqlite3 *db, Expr *pOwner, Window *p); + Window *sqlite3WindowListDup(sqlite3 *db, Window *p); + void sqlite3WindowFunctions(void); ++int sqlite3WalkerDepthIncrease(Walker*,Select*); ++void sqlite3WalkerDepthDecrease(Walker*,Select*); + #else + # define sqlite3WindowDelete(a,b) + # define sqlite3WindowFunctions() +diff --git a/src/walker.c b/src/walker.c +index c31d94f..8cd3b65 100644 +--- a/src/walker.c ++++ b/src/walker.c +@@ -165,3 +165,16 @@ int sqlite3WalkSelect(Walker *pWalker, Select *p){ + }while( p!=0 ); + return WRC_Continue; + } ++ ++/* Increase the walkerDepth when entering a subquery, and ++** descrease when leaving the subquery. 
++*/ ++int sqlite3WalkerDepthIncrease(Walker *pWalker, Select *pSelect){ ++ UNUSED_PARAMETER(pSelect); ++ pWalker->walkerDepth++; ++ return WRC_Continue; ++} ++void sqlite3WalkerDepthDecrease(Walker *pWalker, Select *pSelect){ ++ UNUSED_PARAMETER(pSelect); ++ pWalker->walkerDepth--; ++} +\ No newline at end of file +diff --git a/src/window.c b/src/window.c +index c65eadd..48d8090 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -738,6 +738,23 @@ static ExprList *exprListAppendList( + return pList; + } + ++/* ++** When rewriting a query, if the new subquery in the FROM clause ++** contains TK_AGG_FUNCTION nodes that refer to an outer query, ++** then we have to increase the Expr->op2 values of those nodes ++** due to the extra subquery layer that was added. ++** ++** See also the incrAggDepth() routine in resolve.c ++*/ ++static int sqlite3WindowExtraAggFuncDepth(Walker *pWalker, Expr *pExpr){ ++ if( pExpr->op==TK_AGG_FUNCTION ++ && pExpr->op2>=pWalker->walkerDepth ++ ){ ++ pExpr->op2++; ++ } ++ return WRC_Continue; ++} ++ + /* + ** If the SELECT statement passed as the second argument does not invoke + ** any SQL window functions, this function is a no-op. 
Otherwise, it +@@ -827,14 +844,24 @@ int sqlite3WindowRewrite(Parse *pParse, Select *p){ + p->pSrc = sqlite3SrcListAppend(db, 0, 0, 0); + assert( p->pSrc || db->mallocFailed ); + if( p->pSrc ){ ++ Table *pTab2; ++ Walker w; + p->pSrc->a[0].pSelect = pSub; + sqlite3SrcListAssignCursors(pParse, p->pSrc); +- if( sqlite3ExpandSubquery(pParse, &p->pSrc->a[0]) ){ ++ pTab2 = sqlite3ResultSetOfSelect(pParse, pSub); ++ if( pTab2==0 ){ + rc = SQLITE_NOMEM; + }else{ + pSub->selFlags |= SF_Expanded; + p->selFlags &= ~SF_Aggregate; + sqlite3SelectPrep(pParse, pSub, 0); ++ pTab2->tabFlags |= TF_Ephemeral; ++ p->pSrc->a[0].pTab = pTab2; ++ memset(&w, 0, sizeof(w)); ++ w.xExprCallback = sqlite3WindowExtraAggFuncDepth; ++ w.xSelectCallback = sqlite3WalkerDepthIncrease; ++ w.xSelectCallback2 = sqlite3WalkerDepthDecrease; ++ sqlite3WalkSelect(&w, pSub); + } + + sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pMWin->iEphCsr, pSublist->nExpr); +diff --git a/test/window1.test b/test/window1.test +index a8399a8..13ecc32 100644 +--- a/test/window1.test ++++ b/test/window1.test +@@ -594,4 +594,20 @@ do_execsql_test 13.5 { + } { + } + ++# 2020-05-23 ++# ticket 7a5279a25c57adf1 ++# ++reset_db ++do_execsql_test 53.0 { ++ CREATE TABLE a(c UNIQUE); ++ INSERT INTO a VALUES(4),(0),(9),(-9); ++ SELECT a.c ++ FROM a ++ JOIN a AS b ON a.c=4 ++ JOIN a AS e ON a.c=e.c ++ WHERE a.c=(SELECT (SELECT coalesce(lead(2) OVER(),0) + sum(d.c)) ++ FROM a AS d ++ WHERE a.c); ++} {4 4 4 4} ++ + finish_test diff --git a/sqlite-3.26.0-CVE-2020-13630.patch b/sqlite-3.26.0-CVE-2020-13630.patch new file mode 100644 index 0000000..17525f6 --- /dev/null +++ b/sqlite-3.26.0-CVE-2020-13630.patch 
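Review bot: In the sqlite3WindowRewrite() hunk every NULL return from `sqlite3ResultSetOfSelect()` is mapped to `rc = SQLITE_NOMEM`, and nothing in the hunk says why that is safe when the call fails for a reason other than allocation failure (it appears to return 0 on a parse error as well; confirm against select.c). A comment at the assignment would settle it, e.g. `/* May be some other error, but then pParse->nErr is set and that message is reported */`. The new store `p->pSrc->a[0].pTab = pTab2;` would also benefit from one line naming the cleanup path that frees pTab2, since `TF_Ephemeral` is the only hint given. The function body continues outside the hunk.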
@@ -0,0 +1,88 @@ +Subject: [PATCH] Fix a use-after-free bug in the fts3 snippet() function. + +--- + ext/fts3/fts3.c | 1 + + test/fts3snippet2.test | 59 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 60 insertions(+) + create mode 100644 test/fts3snippet2.test + +diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c +index 84fc8a5..9ddd201 100644 +--- a/ext/fts3/fts3.c ++++ b/ext/fts3/fts3.c +@@ -5213,6 +5213,7 @@ static void fts3EvalNextRow( + fts3EvalNextRow(pCsr, pLeft, pRc); + } + } ++ pRight->bEof = pLeft->bEof = 1; + } + } + break; +diff --git a/test/fts3snippet2.test b/test/fts3snippet2.test +new file mode 100644 +index 0000000..607b01e +--- /dev/null ++++ b/test/fts3snippet2.test +@@ -0,0 +1,59 @@ ++# 2020-05-14 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. ++# ++#************************************************************************* ++# ++# The tests in this file test the FTS3 auxillary functions offsets(), ++# snippet() and matchinfo() work. At time of writing, running this file ++# provides full coverage of fts3_snippet.c. ++# ++ ++set testdir [file dirname $argv0] ++source $testdir/tester.tcl ++set testprefix fts3snippet ++ ++# If SQLITE_ENABLE_FTS3 is not defined, omit this file. ++ifcapable !fts3 { finish_test ; return } ++source $testdir/fts3_common.tcl ++ ++set sqlite_fts3_enable_parentheses 1 ++#------------------------------------------------------------------------- ++# Request a snippet from a query with more than 64 phrases. 
++# ++reset_db ++do_execsql_test 1.0 { ++ CREATE VIRTUAL TABLE f USING fts3(b); ++ INSERT INTO f VALUES ( x'746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218'); ++} ++ ++do_execsql_test 1.1 { ++ SELECT length(snippet(f))>0 FROM f WHERE b MATCH x'1065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a010f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c2a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e082a011065616e656d655a616c702a2f65732e0f42014001380230018218021001081e0a3d746e6e6d64612e0f42'; ++} {1} ++ ++reset_db ++do_execsql_test 2.0 { ++ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY); ++ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb'); ++ SELECT snippet(t0) FROM t0 WHERE t0 MATCH x'0a4d4d4d4d320a4f52d70a310a310a4e4541520a0a31f6ce0a4f520a0a310a310a310a4f520a75fc2a242424' ; ++} {1} ++ ++reset_db ++do_execsql_test 2.1 { ++ CREATE VIRTUAL TABLE t0 USING fts3( ++ col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY ++ ); ++ INSERT INTO t0 VALUES ('one', '1234','aaaa','bbbb'); ++} ++do_execsql_test 2.2 { ++ SELECT snippet(t0) FROM t0 WHERE t0 MATCH ++ '(def AND (one NEAR abc)) OR one' ++} {one} ++ ++set sqlite_fts3_enable_parentheses 0 ++finish_test +-- +2.24.1 + 
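Review bot: The one-line fix in fts3EvalNextRow(), `pRight->bEof = pLeft->bEof = 1;`, carries no comment, so the reason both children must be flagged at that point is recoverable only from the patch subject. Suggest `/* Mark both children as EOF so they are not advanced or read again */`, adjusted to whatever the surrounding branch actually guarantees, since the function starts and ends outside the hunk. Separately, test/fts3snippet2.test uses `set testprefix fts3snippet`, which does not match the file name; `set testprefix fts3snippet2` would keep its test names distinct. Its header line claiming full coverage of fts3_snippet.c looks copied and should be trimmed.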
diff --git a/sqlite-3.26.0-CVE-2020-13631.patch b/sqlite-3.26.0-CVE-2020-13631.patch
new file mode 100644
index 0000000..0813c9a
--- /dev/null
+++ b/sqlite-3.26.0-CVE-2020-13631.patch
@@ -0,0 +1,98 @@ +Subject: [PATCH] Do not allow a virtual table to be renamed into the name of + one of its shadows. + +--- + src/alter.c | 5 ++++- + src/build.c | 29 +++++++++++++++++++++++------ + src/sqliteInt.h | 5 +++++ + 3 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/src/alter.c b/src/alter.c +index 1280e90..0fa24c0 100644 +--- a/src/alter.c ++++ b/src/alter.c +@@ -117,7 +117,10 @@ void sqlite3AlterRenameTable( + /* Check that a table or index named 'zName' does not already exist + ** in database iDb. If so, this is an error. + */ +- if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){ ++ if( sqlite3FindTable(db, zName, zDb) ++ || sqlite3FindIndex(db, zName, zDb) ++ || sqlite3IsShadowTableOf(db, pTab, zName) ++ ){ + sqlite3ErrorMsg(pParse, + "there is already another table or index with this name: %s", zName); + goto exit_rename_table; +diff --git a/src/build.c b/src/build.c +index e0fed8a..afe4171 100644 +--- a/src/build.c ++++ b/src/build.c +@@ -1899,6 +1899,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ + recomputeColumnsNotIndexed(pPk); + } + ++ ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++/* ++** Return true if pTab is a virtual table and zName is a shadow table name ++** for that virtual table. 
++*/ ++int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){ ++ int nName; /* Length of zName */ ++ Module *pMod; /* Module for the virtual table */ ++ ++ if( !IsVirtual(pTab) ) return 0; ++ nName = sqlite3Strlen30(pTab->zName); ++ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0; ++ if( zName[nName]!='_' ) return 0; ++ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); ++ if( pMod==0 ) return 0; ++ if( pMod->pModule->iVersion<3 ) return 0; ++ if( pMod->pModule->xShadowName==0 ) return 0; ++ return pMod->pModule->xShadowName(zName+nName+1); ++} ++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ ++ + #ifndef SQLITE_OMIT_VIRTUALTABLE + /* + ** Return true if zName is a shadow table name in the current database +@@ -1910,7 +1932,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ + static int isShadowTableName(sqlite3 *db, char *zName){ + char *zTail; /* Pointer to the last "_" in zName */ + Table *pTab; /* Table that zName is a shadow of */ +- Module *pMod; /* Module for the virtual table */ + + zTail = strrchr(zName, '_'); + if( zTail==0 ) return 0; +@@ -1919,11 +1940,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){ + *zTail = '_'; + if( pTab==0 ) return 0; + if( !IsVirtual(pTab) ) return 0; +- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); +- if( pMod==0 ) return 0; +- if( pMod->pModule->iVersion<3 ) return 0; +- if( pMod->pModule->xShadowName==0 ) return 0; +- return pMod->pModule->xShadowName(zTail+1); ++ return sqlite3IsShadowTableOf(db, pTab, zName); + } + #else + # define isShadowTableName(x,y) 0 +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index b7d3571..76337f7 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -4407,6 +4407,11 @@ void sqlite3AutoLoadExtensions(sqlite3*); + ); + # define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0) + #endif ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++ int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*); 
++#else ++# define sqlite3IsShadowTableOf(A,B,C) 0 ++#endif + int sqlite3VtabEponymousTableInit(Parse*,Module*); + void sqlite3VtabEponymousTableClear(sqlite3*,Module*); + void sqlite3VtabMakeWritable(Parse*,Table*); +-- +2.24.1 + diff --git a/sqlite-3.26.0-CVE-2020-13632.patch b/sqlite-3.26.0-CVE-2020-13632.patch new file mode 100644 index 0000000..f72b8d9 --- /dev/null +++ b/sqlite-3.26.0-CVE-2020-13632.patch 
@@ -0,0 +1,67 @@ +Subject: [PATCH] Fix a null pointer deference that can occur on a strange + matchinfo() query. + +--- + ext/fts3/fts3_snippet.c | 2 +- + test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 1 deletion(-) + create mode 100644 test/fts3matchinfo2.test + +diff --git a/ext/fts3/fts3_snippet.c b/ext/fts3/fts3_snippet.c +index a0771c0..5778620 100644 +--- a/ext/fts3/fts3_snippet.c ++++ b/ext/fts3/fts3_snippet.c +@@ -869,7 +869,7 @@ static void fts3ExprLHits( + iStart = pExpr->iPhrase * ((p->nCol + 31) / 32); + } + +- while( 1 ){ ++ if( pIter ) while( 1 ){ + int nHit = fts3ColumnlistCount(&pIter); + if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){ + if( p->flag==FTS3_MATCHINFO_LHITS ){ +diff --git a/test/fts3matchinfo2.test b/test/fts3matchinfo2.test +new file mode 100644 +index 0000000..d6b3ad0 +--- /dev/null ++++ b/test/fts3matchinfo2.test +@@ -0,0 +1,35 @@ ++# 2020-05-14 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. ++# ++#*********************************************************************** ++# This file implements regression tests for the FTS3 module. The focus ++# of this file is tables created with the "matchinfo=fts3" option. ++# ++ ++set testdir [file dirname $argv0] ++source $testdir/tester.tcl ++ ++# If SQLITE_ENABLE_FTS3 is not defined, omit this file. ++ifcapable !fts3 { finish_test ; return } ++ ++set sqlite_fts3_enable_parentheses 1 ++ ++# Crash case found by cyg0810 at gmail.com 2020-05-14. Reported to ++# chromium (which is not vulnerable) who kindly referred it to us. 
++# ++do_execsql_test 1.0 { ++ CREATE TABLE t_content(col0 INTEGER); ++ CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 VARCHAR(8),col2 BINARY,col3 BINARY); ++ INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb'); ++ SELECT hex(matchinfo(t0,'yxy')) FROM t0 WHERE t0 MATCH x'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'; ++} {/000000.*0000000/} ++ ++ ++set sqlite_fts3_enable_parentheses 0 ++finish_test +\ No newline at end of file +-- +2.24.1 + diff --git a/sqlite-3.26.0-CVE-2020-15358.patch b/sqlite-3.26.0-CVE-2020-15358.patch new file mode 100644 index 0000000..2cff0ad --- /dev/null +++ b/sqlite-3.26.0-CVE-2020-15358.patch 
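Review bot: `if( pIter ) while( 1 ){` in fts3ExprLHits() tucks the new NULL guard in front of the loop header, and no comment says when pIter can be NULL. A line above it such as `/* pIter is NULL when no position list is available for this phrase; nothing to count */` would make the guard visible to the next person who edits the loop; confirm the exact condition against the code that sets pIter, which is outside the hunk. The new test/fts3matchinfo2.test also ends without a trailing newline.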
@@ -0,0 +1,88 @@ +Subject: [PATCH] Fix a defect in the query-flattener optimization + +--- + src/select.c | 8 ++++---- + src/sqliteInt.h | 1 + + test/selectA.test | 22 ++++++++++++++++++++++ + 3 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/src/select.c b/src/select.c +index 88a43df..a513d36 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -2686,9 +2686,7 @@ static int multiSelect( + selectOpName(p->op))); + rc = sqlite3Select(pParse, p, &uniondest); + testcase( rc!=SQLITE_OK ); +- /* Query flattening in sqlite3Select() might refill p->pOrderBy. +- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */ +- sqlite3ExprListDelete(db, p->pOrderBy); ++ assert( p->pOrderBy==0 ); + pDelete = p->pPrior; + p->pPrior = pPrior; + p->pOrderBy = 0; +@@ -4010,7 +4008,7 @@ static int flattenSubquery( + ** We look at every expression in the outer query and every place we see + ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10". + */ +- if( pSub->pOrderBy ){ ++ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){ + /* At this point, any non-zero iOrderByCol values indicate that the + ** ORDER BY column expression is identical to the iOrderByCol'th + ** expression returned by SELECT statement pSub. 
Since these values +@@ -5633,6 +5631,8 @@ int sqlite3Select( + sqlite3ExprListDelete(db, p->pOrderBy); + p->pOrderBy = 0; + p->selFlags &= ~SF_Distinct; ++ p->selFlags |= SF_NoopOrderBy; ++ + } + sqlite3SelectPrep(pParse, p, 0); + if( pParse->nErr || db->mallocFailed ){ +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 76337f7..60b2ebd 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -2874,6 +2874,7 @@ struct Select { + #define SF_Converted 0x10000 /* By convertCompoundSelectToSubquery() */ + #define SF_IncludeHidden 0x20000 /* Include hidden columns in output */ + #define SF_ComplexResult 0x40000 /* Result contains subquery or function */ ++#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */ + + /* + ** The results of a SELECT can be distributed in several ways, as defined +diff --git a/test/selectA.test b/test/selectA.test +index 838e5f4..2626008 100644 +--- a/test/selectA.test ++++ b/test/selectA.test +@@ -1446,5 +1446,27 @@ do_execsql_test 6.1 { + SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a; + } {12345} + ++# 2020-06-15 ticket 8f157e8010b22af0 ++# ++reset_db ++do_execsql_test 7.1 { ++ CREATE TABLE t1(c1); INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc'); ++ CREATE TABLE t2(c2); INSERT INTO t2 VALUES(44),(55),(123); ++ CREATE TABLE t3(c3,c4); INSERT INTO t3 VALUES(66,1),(123,2),(77,3); ++ CREATE VIEW t4 AS SELECT c3 FROM t3; ++ CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4; ++} ++do_execsql_test 7.2 { ++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123; ++} {123 123} ++do_execsql_test 7.3 { ++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123; ++} {123 123} ++do_execsql_test 7.4 { ++ CREATE TABLE a(b); ++ CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b; ++ SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c; ++} {} ++ + + finish_test +-- +2.24.1 + 
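Review bot: In the multiSelect() hunk the cleanup `sqlite3ExprListDelete(db, p->pOrderBy);` is replaced by `assert( p->pOrderBy==0 );`, which disappears in non-debug builds, and the next statement still sets `p->pOrderBy = 0`. The invariant now appears to depend on the `SF_NoopOrderBy` test added in flattenSubquery(), but that link is not written down anywhere in the patch. Suggest a comment at the assert: `/* SF_NoopOrderBy (set in sqlite3Select) stops the flattener from refilling p->pOrderBy */`. The stray blank line after `p->selFlags |= SF_NoopOrderBy;` can go, and `0x0400000` is padded differently from the neighbouring `0x40000`-style flag values.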
diff --git a/sqlite-3.26.0-CVE-2020-6405.patch b/sqlite-3.26.0-CVE-2020-6405.patch new file mode 100644 index 0000000..cf1fff5 --- /dev/null +++ b/sqlite-3.26.0-CVE-2020-6405.patch @@ -0,0 +1,27 @@ +From 1668926bc3c7da0b2870a60382b179a0e3edb5de Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Thu, 26 Mar 2020 08:14:29 +0100 +Subject: [PATCH] Do not allow the constant-propagation optimization to apple + to ON/USING clause terms as it does not help and it might cause downstream + problems. + +--- + src/select.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/select.c b/src/select.c +index bbd13a4..88a43df 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -4171,7 +4171,7 @@ static int propagateConstantExprRewrite(Walker *pWalker, Expr *pExpr){ + int i; + WhereConst *pConst; + if( pExpr->op!=TK_COLUMN ) return WRC_Continue; +- if( ExprHasProperty(pExpr, EP_FixedCol) ) return WRC_Continue; ++ if( ExprHasProperty(pExpr, EP_FixedCol|EP_FromJoin) ) return WRC_Continue; + pConst = pWalker->u.pConst; + for(i=0; inConst; i++){ + Expr *pColumn = pConst->apExpr[i*2]; +-- +2.24.1 + diff --git a/sqlite-3.26.0-CVE-2020-9327.patch b/sqlite-3.26.0-CVE-2020-9327.patch new file mode 100644 index 0000000..24b1eb9 --- /dev/null +++ b/sqlite-3.26.0-CVE-2020-9327.patch 
@@ -0,0 +1,106 @@ +From 2d788539b0018d34d3cabb328387ba6bec41ec42 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Thu, 26 Mar 2020 09:43:43 +0100 +Subject: [PATCH] NULL pointer dereference and segmentation fault because of + generated column optimizations + +Take care when checking the table of a TK_COLUMN expression node to +see if the table is a virtual table to first ensure that the +Expr.y.pTab pointer is not null due to generated column optimizations. +--- + src/expr.c | 13 ++++++++++--- + src/sqliteInt.h | 3 +++ + src/whereexpr.c | 12 ++++++++---- + 3 files changed, 21 insertions(+), 7 deletions(-) + +diff --git a/src/expr.c b/src/expr.c +index b081ca2..5f98f76 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -4901,18 +4901,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){ + case TK_LT: + case TK_LE: + case TK_GT: +- case TK_GE: ++ case TK_GE: { ++ Expr *pLeft = pExpr->pLeft; ++ Expr *pRight = pExpr->pRight; + testcase( pExpr->op==TK_EQ ); + testcase( pExpr->op==TK_NE ); + testcase( pExpr->op==TK_LT ); + testcase( pExpr->op==TK_LE ); + testcase( pExpr->op==TK_GT ); + testcase( pExpr->op==TK_GE ); +- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) +- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) ++ /* The y.pTab=0 assignment in wherecode.c always happens after the ++ ** impliesNotNullRow() test */ ++ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0) ++ && IsVirtual(pLeft->y.pTab)) ++ || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0) ++ && IsVirtual(pRight->y.pTab)) + ){ + return WRC_Prune; + } ++ } + default: + return WRC_Continue; + } +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index 051aa40..5f5f3cc 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -2014,8 +2014,11 @@ struct Table { + */ + #ifndef SQLITE_OMIT_VIRTUALTABLE + # define IsVirtual(X) ((X)->nModuleArg) ++# define ExprIsVtab(X) \ ++ ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg) + #else + # define 
IsVirtual(X) 0 ++# define ExprIsVtab(X) 0 + #endif + + /* +diff --git a/src/whereexpr.c b/src/whereexpr.c +index dbb7f0d..9d2813a 100644 +--- a/src/whereexpr.c ++++ b/src/whereexpr.c +@@ -382,7 +382,8 @@ static int isAuxiliaryVtabOperator( + ** MATCH(expression,vtab_column) + */ + pCol = pList->a[1].pExpr; +- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ ++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); ++ if( ExprIsVtab(pCol) ){ + for(i=0; iu.zToken, aOp[i].zOp)==0 ){ + *peOp2 = aOp[i].eOp2; +@@ -404,7 +405,8 @@ static int isAuxiliaryVtabOperator( + ** with function names in an arbitrary case. + */ + pCol = pList->a[0].pExpr; +- if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ ++ testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); ++ if( ExprIsVtab(pCol) ){ + sqlite3_vtab *pVtab; + sqlite3_module *pMod; + void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); +@@ -427,10 +429,12 @@ static int isAuxiliaryVtabOperator( + int res = 0; + Expr *pLeft = pExpr->pLeft; + Expr *pRight = pExpr->pRight; +- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){ ++ testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 ); ++ if( ExprIsVtab(pLeft) ){ + res++; + } +- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){ ++ testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 ); ++ if( pRight && ExprIsVtab(pRight) ){ + res++; + SWAP(Expr*, pLeft, pRight); + } +-- +2.24.1 + diff --git a/sqlite-3.26.0-out-of-bounds-read.patch b/sqlite-3.26.0-out-of-bounds-read.patch new file mode 100644 index 0000000..1edc762 --- /dev/null +++ b/sqlite-3.26.0-out-of-bounds-read.patch 
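Review bot: The impliesNotNullRow() hunk spells the NULL guard as `ALWAYS(pLeft->y.pTab!=0) && IsVirtual(pLeft->y.pTab)`, while the whereexpr.c hunks in the same patch use the new `ExprIsVtab()` macro for the same test. ALWAYS() turns the guard into an assertion in debug builds, so it is only right if the ordering claim in the added comment about wherecode.c holds, and that code is not part of this patch. If the assertion is not the intent, `if( ExprIsVtab(pLeft) || ExprIsVtab(pRight) ){` says the same thing with one definition to maintain. The braces added around `case TK_GE:` also leave the fall-through into `default:` unmarked.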
@@ -0,0 +1,89 @@ +From eca47c8481b0c2f09a7818ed2bce0ad27b1dae27 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Wed, 26 Jun 2019 12:25:10 +0200 +Subject: [PATCH] Fixed out of bounds heap read in function rtreenode() + + Enhance the rtreenode() function of rtree (used for + testing) so that it uses the newer sqlite3_str object + for better performance and improved error reporting. + Test cases added to TH3. + + Resolves: #1723338 + Version: 3.26.0-4 +--- + ext/rtree/rtree.c | 35 ++++++++++++++++------------------- + 1 file changed, 16 insertions(+), 19 deletions(-) + +diff --git a/ext/rtree/rtree.c b/ext/rtree/rtree.c +index 4b044cb..87d0de0 100644 +--- a/ext/rtree/rtree.c ++++ b/ext/rtree/rtree.c +@@ -3711,49 +3711,46 @@ rtreeInit_fail: + ** *2 coordinates. + */ + static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){ +- char *zText = 0; + RtreeNode node; + Rtree tree; + int ii; ++ int nData; ++ int errCode; ++ sqlite3_str *pOut; + + UNUSED_PARAMETER(nArg); + memset(&node, 0, sizeof(RtreeNode)); + memset(&tree, 0, sizeof(Rtree)); + tree.nDim = (u8)sqlite3_value_int(apArg[0]); ++ if( tree.nDim<1 || tree.nDim>5 ) return; + tree.nDim2 = tree.nDim*2; + tree.nBytesPerCell = 8 + 8 * tree.nDim; + node.zData = (u8 *)sqlite3_value_blob(apArg[1]); ++ nData = sqlite3_value_bytes(apArg[1]); ++ if( nData<4 ) return; ++ if( nData0 ) sqlite3_str_append(pOut, " ", 1); ++ sqlite3_str_appendf(pOut, "{%lld", cell.iRowid); + for(jj=0; jj +Date: Thu, 23 Jan 2020 15:08:13 +0100 +Subject: [PATCH] Fix buffer underflows in the zipfile extension associated + with zero-length or NULL filename in the ZIP archive. But report on the + mailing list by Yongheng and Rui. 
+ +--- + ext/misc/zipfile.c | 14 +++++++++----- + test/zipfile.test | 13 +++++++++++++ + 2 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c +index e6141ef..7fd4074 100644 +--- a/ext/misc/zipfile.c ++++ b/ext/misc/zipfile.c +@@ -1433,8 +1433,8 @@ static int zipfileGetMode( + ** identical, ignoring any trailing '/' character in either path. */ + static int zipfileComparePath(const char *zA, const char *zB, int nB){ + int nA = (int)strlen(zA); +- if( zA[nA-1]=='/' ) nA--; +- if( zB[nB-1]=='/' ) nB--; ++ if( nA>0 && zA[nA-1]=='/' ) nA--; ++ if( nB>0 && zB[nB-1]=='/' ) nB--; + if( nA==nB && memcmp(zA, zB, nA)==0 ) return 0; + return 1; + } +@@ -1628,11 +1628,15 @@ static int zipfileUpdate( + ** '/'. This appears to be required for compatibility with info-zip + ** (the unzip command on unix). It does not create directories + ** otherwise. */ +- if( zPath[nPath-1]!='/' ){ ++ if( nPath<=0 || zPath[nPath-1]!='/' ){ + zFree = sqlite3_mprintf("%s/", zPath); +- if( zFree==0 ){ rc = SQLITE_NOMEM; } + zPath = (const char*)zFree; +- nPath = (int)strlen(zPath); ++ if( zFree==0 ){ ++ rc = SQLITE_NOMEM; ++ nPath = 0; ++ }else{ ++ nPath = (int)strlen(zPath); ++ } + } + } + +diff --git a/test/zipfile.test b/test/zipfile.test +index e4b8088..9f07c0a 100644 +--- a/test/zipfile.test ++++ b/test/zipfile.test +@@ -821,4 +821,17 @@ do_execsql_test 14.10 { + PRAGMA integrity_check; + } {3 ok} + ++# 2019-12-26 More problems in zipfile from the Yongheng and Rui fuzzer ++# ++do_execsql_test 15.10 { ++ DROP TABLE IF EXISTS t1; ++ CREATE VIRTUAL TABLE t1 USING zipfile(null); ++ REPLACE INTO t1 VALUES(null,null,0,null,null,null,null); ++} {} ++do_execsql_test 15.20 { ++ DROP TABLE IF EXISTS t2; ++ CREATE VIRTUAL TABLE t2 USING zipfile(null); ++ REPLACE INTO t2 values(null,null,null,null,null,10,null); ++} {} ++ + finish_test +-- +2.19.1 + 
diff --git a/sqlite-3.6.23-lemon-system-template.patch b/sqlite-3.6.23-lemon-system-template.patch new file mode 100644 index 0000000..3d3b0aa --- /dev/null +++ b/sqlite-3.6.23-lemon-system-template.patch @@ -0,0 +1,21 @@ +diff -up sqlite-3.6.23/tool/lemon.c.system-template sqlite-3.6.23/tool/lemon.c +--- sqlite-3.6.23/tool/lemon.c.system-template 2010-03-10 16:40:35.000000000 +0200 ++++ sqlite-3.6.23/tool/lemon.c 2010-03-10 16:40:39.000000000 +0200 +@@ -3363,6 +3363,8 @@ PRIVATE FILE *tplt_open(struct lemon *le + tpltname = buf; + }else if( access(templatename,004)==0 ){ + tpltname = templatename; ++ }else if( access("/usr/share/lemon/lempar.c", R_OK)==0){ ++ tpltname = "/usr/share/lemon/lempar.c"; + }else{ + tpltname = pathsearch(lemp->argv0,templatename,0); + } +@@ -3374,7 +3376,7 @@ PRIVATE FILE *tplt_open(struct lemon *le + } + in = fopen(tpltname,"rb"); + if( in==0 ){ +- fprintf(stderr,"Can't open the template file \"%s\".\n",templatename); ++ fprintf(stderr,"Can't open the template file \"%s\".\n",tpltname); + lemp->errorcnt++; + return 0; + } diff --git a/sqlite-3.7.7.1-stupid-openfiles-test.patch b/sqlite-3.7.7.1-stupid-openfiles-test.patch new file mode 100644 index 0000000..101f0d4 --- /dev/null +++ b/sqlite-3.7.7.1-stupid-openfiles-test.patch 
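Review bot: tplt_open() now carries the literal `"/usr/share/lemon/lempar.c"` twice and checks it with `R_OK`, while the branch just above uses `004` for the same purpose. A single `static const char zSysTemplate[] = "/usr/share/lemon/lempar.c";` used in both places, with the access mode spelled the same way as the neighbouring branch, keeps the packaged path in one spot. The hunks cover only the middle of tplt_open().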
@@ -0,0 +1,37 @@
+--- sqlite-src-3240000/test/oserror.test.old 2018-06-05 08:40:35.656122573 +0200
++++ sqlite-src-3240000/test/oserror.test 2018-06-05 08:40:45.614935197 +0200
+@@ -51,20 +51,20 @@
+ # a call to getcwd() may fail if there are no free file descriptors. So
+ # an error may be reported for either open() or getcwd() here.
+ #
+-if {![clang_sanitize_address]} {
+- do_test 1.1.1 {
+- set ::log [list]
+- list [catch {
+- for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
+- } msg] $msg
+- } {1 {unable to open database file}}
+- do_test 1.1.2 {
+- catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } }
+- } {1}
+- do_re_test 1.1.3 {
+- lindex $::log 0
+- } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
+-}
++#if {![clang_sanitize_address]} {
++# do_test 1.1.1 {
++# set ::log [list]
++# list [catch {
++# for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
++# } msg] $msg
++# } {1 {unable to open database file}}
++# do_test 1.1.2 {
++# catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } }
++# } {1}
++# do_re_test 1.1.3 {
++# lindex $::log 0
++# } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
++#}
+
+
+ # Test a failure in open() due to the path being a directory.
diff --git a/sqlite-3.8.0-percentile-test.patch b/sqlite-3.8.0-percentile-test.patch
new file mode 100644
index 0000000..f828fa5
--- /dev/null
+++ b/sqlite-3.8.0-percentile-test.patch
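Review bot: sqlite-3.7.7.1-stupid-openfiles-test.patch comments out tests 1.1.1 to 1.1.3 of oserror.test without any header saying why, unlike the percentile and tcl-regress patches in this commit; the only rationale is the one-line comment above Patch2 in sqlite.spec. These tests check the error returned and the log entry written when open() or getcwd() fails for lack of file descriptors, so that error path is no longer exercised on any build. I would add a header to the patch, for example `# Disabled: result depends on the builder's open-fd limit; re-enable once the test can bound the limit itself`. The change would also be smaller and easier to revert if it altered only the guard, `if {0 && ![clang_sanitize_address]} {`, instead of prefixing every line with `#`.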
@@ -0,0 +1,15 @@
+# On i686 arch the removed test fails with result 2749999.50004681 instead of expected
+# 2749999.5. This patch is temporary workaround and should be dropped as soon as a valid
+# fix is found.
+
+diff -up sqlite-src-3080002/test/percentile.test.broken sqlite-src-3080002/test/percentile.test
+--- sqlite-src-3080002/test/percentile.test.broken 2013-09-16 13:19:53.406004041 +0200
++++ sqlite-src-3080002/test/percentile.test 2013-09-16 13:20:00.079024945 +0200
+@@ -195,7 +195,6 @@ ifcapable vtab {
+ foreach {in out} {
+ 0 0.0
+ 100 9999990.0
+- 50 2749999.5
+ 10 99999.9
+ } {
+ do_test percentile-2.1.$in {
diff --git a/sqlite-3.8.10.1-tcl-regress-tests.patch b/sqlite-3.8.10.1-tcl-regress-tests.patch
new file mode 100644
index 0000000..bdeb6da
--- /dev/null
+++ b/sqlite-3.8.10.1-tcl-regress-tests.patch
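Review bot: sqlite-3.8.0-percentile-test.patch drops the `50 2749999.5` case on every architecture, although its own header says the failure occurs only on i686, and sqlite.spec applies it unconditionally with `%patch4 -p1` while the other i686-only patch (Patch7) is wrapped in `%ifarch %{ix86}`. The 50th-percentile case therefore goes untested on the architectures where it passes. The header calls the workaround temporary but names no bug by which its removal could be tracked; I would add a line such as `# Tracking: <bug URL placeholder>` and apply Patch4 under the same `%ifarch %{ix86}` guard as Patch7.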
@@ -0,0 +1,137 @@ +This patch disables a test which caused failed assertion in tcl 8.6.3. +According to sqlite upstream[1], this should be fixed in tcl 8.6.5. + +[1] http://mailinglists.sqlite.org/cgi-bin/mailman/private/sqlite-users/2015-May/059518.html + +diff -up sqlite-src-3130000/test/shell1.test.orig sqlite-src-3130000/test/shell1.test +--- sqlite-src-3140100/test/shell1.test.orig 2016-08-12 02:17:02.000000000 +0200 ++++ sqlite-src-3140100/test/shell1.test 2016-08-15 15:00:59.869664051 +0200 +@@ -855,67 +855,67 @@ do_test shell1-4.6 { + + # Test using arbitrary byte data with the shell via standard input/output. + # +-do_test shell1-5.0 { +- # +- # NOTE: Skip NUL byte because it appears to be incompatible with command +- # shell argument parsing. +- # +- for {set i 1} {$i < 256} {incr i} { +- # +- # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats +- # command channels opened for it as textual ones), the carriage +- # return character (and on Windows, the end-of-file character) +- # cannot be used here. +- # +- if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} { +- continue +- } +- if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue +- if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue +- set hex [format %02X $i] +- set char [subst \\x$hex]; set oldChar $char +- set escapes [list] +- if {$tcl_platform(platform)=="windows"} { +- # +- # NOTE: On Windows, we need to escape all the whitespace characters, +- # the alarm (\a) character, and those with special meaning to +- # the SQLite shell itself. +- # +- set escapes [list \ +- \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \ +- " " "\" \"" \" \\\" ' \"'\" \\ \\\\] +- } else { +- # +- # NOTE: On Unix, we need to escape most of the whitespace characters +- # and those with special meaning to the SQLite shell itself. +- # The alarm (\a), backspace (\b), and carriage-return (\r) +- # characters do not appear to require escaping on Unix. 
For +- # the alarm and backspace characters, this is probably due to +- # differences in the command shell. For the carriage-return, +- # it is probably due to differences in how Tcl handles command +- # channel end-of-line translations. +- # +- set escapes [list \ +- \t \\t \n \\n \v \\v \f \\f \ +- " " "\" \"" \" \\\" ' \"'\" \\ \\\\] +- } +- set char [string map $escapes $char] +- set x [catchcmdex test.db ".print $char\n"] +- set code [lindex $x 0] +- set res [lindex $x 1] +- if {$code ne "0"} { +- error "failed with error: $res" +- } +- if {$res ne "$oldChar\n"} { +- if {[llength $res] > 0} { +- set got [format %02X [scan $res %c]] +- } else { +- set got +- } +- error "failed with byte $hex mismatch, got $got" +- } +- } +-} {} ++#do_test shell1-5.0 { ++# # ++# # NOTE: Skip NUL byte because it appears to be incompatible with command ++# # shell argument parsing. ++# # ++# for {set i 1} {$i < 256} {incr i} { ++# # ++# # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats ++# # command channels opened for it as textual ones), the carriage ++# # return character (and on Windows, the end-of-file character) ++# # cannot be used here. ++# # ++# if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} { ++# continue ++# } ++# if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue ++# if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue ++# set hex [format %02X $i] ++# set char [subst \\x$hex]; set oldChar $char ++# set escapes [list] ++# if {$tcl_platform(platform)=="windows"} { ++# # ++# # NOTE: On Windows, we need to escape all the whitespace characters, ++# # the alarm (\a) character, and those with special meaning to ++# # the SQLite shell itself. ++# # ++# set escapes [list \ ++# \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \ ++# " " "\" \"" \" \\\" ' \"'\" \\ \\\\] ++# } else { ++# # ++# # NOTE: On Unix, we need to escape most of the whitespace characters ++# # and those with special meaning to the SQLite shell itself. 
++# # The alarm (\a), backspace (\b), and carriage-return (\r) ++# # characters do not appear to require escaping on Unix. For ++# # the alarm and backspace characters, this is probably due to ++# # differences in the command shell. For the carriage-return, ++# # it is probably due to differences in how Tcl handles command ++# # channel end-of-line translations. ++# # ++# set escapes [list \ ++# \t \\t \n \\n \v \\v \f \\f \ ++# " " "\" \"" \" \\\" ' \"'\" \\ \\\\] ++# } ++# set char [string map $escapes $char] ++# set x [catchcmdex test.db ".print $char\n"] ++# set code [lindex $x 0] ++# set res [lindex $x 1] ++# if {$code ne "0"} { ++# error "failed with error: $res" ++# } ++# if {$res ne "$oldChar\n"} { ++# if {[llength $res] > 0} { ++# set got [format %02X [scan $res %c]] ++# } else { ++# set got ++# } ++# error "failed with byte $hex mismatch, got $got" ++# } ++# } ++#} {} + + # These test cases do not work on MinGW + if 0 { diff --git a/sqlite.spec b/sqlite.spec new file mode 100644 index 0000000..a5d61eb --- /dev/null +++ b/sqlite.spec 
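Review bot: sqlite-3.8.10.1-tcl-regress-tests.patch disables shell1-5.0 unconditionally, although its header says the Tcl assertion should be fixed in tcl 8.6.5; this is the test that sends each byte value from 1 to 255 through the shell via standard input/output, so that coverage is lost on builds with a fixed Tcl as well. Instead of prefixing the whole block with `#`, the test could be wrapped in a version guard such as `if {[package vcompare [info patchlevel] 8.6.5] >= 0} {`, which re-enables it once the build uses a fixed Tcl. The justification link points at a `/private/` mailing-list archive, so one sentence in the header summarising the failed assertion would let a later maintainer judge whether the workaround is still needed. The `diff -up` line names sqlite-src-3130000 while the `---`/`+++` lines name sqlite-src-3140100, which is worth making consistent.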
@@ -0,0 +1,960 @@ +# bcond default logic is nicely backwards... +%bcond_without tcl +%bcond_with static +%bcond_without check + +%define realver 3260000 +%define docver 3260000 +%define rpmver 3.26.0 + +Summary: Library that implements an embeddable SQL database engine +Name: sqlite +Version: %{rpmver} +Release: 15%{?dist} +License: Public Domain +Group: Applications/Databases +URL: http://www.sqlite.org/ + +Source0: http://www.sqlite.org/2017/sqlite-src-%{realver}.zip +Source1: http://www.sqlite.org/2017/sqlite-doc-%{docver}.zip +Source2: http://www.sqlite.org/2017/sqlite-autoconf-%{realver}.tar.gz +# Support a system-wide lemon template +Patch1: sqlite-3.6.23-lemon-system-template.patch +# Shut up stupid tests depending on system settings of allowed open fd's +Patch2: sqlite-3.7.7.1-stupid-openfiles-test.patch +# sqlite >= 3.7.10 is buggy if malloc_usable_size() is detected, disable it: +# https://bugzilla.redhat.com/show_bug.cgi?id=801981 +# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665363 +Patch3: sqlite-3.12.2-no-malloc-usable-size.patch +# Temporary workaround for failed percentile test, see patch for details +Patch4: sqlite-3.8.0-percentile-test.patch +# Disable test failing due to tcl regression. Details in patch file. 
+Patch6: sqlite-3.8.10.1-tcl-regress-tests.patch +# Disable test date-2.2c on i686 +Patch7: sqlite-3.16-datetest-2.2c.patch +# Modify sync2.test to pass with DIRSYNC turned off +Patch8: sqlite-3.18.0-sync2-dirsync.patch +# Fix for CVE-2019-8457 (rhbz#1723338) +# https://www.sqlite.org/src/info/90acdbfce9c08858 +Patch9: sqlite-3.26.0-out-of-bounds-read.patch +# Fix for CVE-2019-13752 +Patch10: sqlite-3.26-CVE-2019-13752.patch +# Fix for CVE-2019-13753 +Patch11: sqlite-3.26-CVE-2019-13753.patch +# Fix for CVE-2019-13734 +Patch12: sqlite-3.26.0-CVE-2019-13734.patch +# Fix for CVE-2019-19924 +Patch13: sqlite-3.26.0-CVE-2019-19924.patch +# Fix for CVE-2019-19923 +Patch14: sqlite-3.26.0-CVE-2019-19923.patch +# Fix for CVE-2019-19925 +Patch15: sqlite-3.26.0-CVE-2019-19925.patch +# Fix for CVE-2019-19959 +Patch16: sqlite-3.26.0-CVE-2019-19959.patch +# Fix for issues found by covscan +Patch17: sqlite-3.26.0-zPath-covscan.patch +# Fix for CVE-2019-20218 +Patch18: sqlite-3.26.0-CVE-2019-20218.patch +# Fix for CVE-2020-6405 +Patch19: sqlite-3.26.0-CVE-2020-6405.patch +# Fix for CVE-2020-9327 +Patch20: sqlite-3.26.0-CVE-2020-9327.patch +# Fix for CVE-2019-16168 +Patch21: sqlite-3.26.0-CVE-2019-16168.patch +# Fix for CVE-2019-5018 +Patch22: sqlite-3.26.0-CVE-2019-5018.patch +# Fix for CVE-2020-13632 +Patch23: sqlite-3.26.0-CVE-2020-13632.patch +# Fix for CVE-2020-13631 +Patch24: sqlite-3.26.0-CVE-2020-13631.patch +# Fix for CVE-2020-13630 +Patch25: sqlite-3.26.0-CVE-2020-13630.patch +# Fix for CVE-2020-13434 +# upstream commit: https://www.sqlite.org/src/info/d08d3405878d394e +Patch26: sqlite-3.26.0-CVE-2020-13434.patch +# Fix for CVE-2020-15358 +# upstream commit: https://www.sqlite.org/src/info/10fa79d00f8091e5 +Patch27: sqlite-3.26.0-CVE-2020-15358.patch +# Fix for CVE-2019-5827 +# https://www.sqlite.org/src/info/0b6ae032c28e7fe3 +# https://www.sqlite.org/src/info/07ee06fd390bfebe +Patch28: sqlite-3.26.0-CVE-2019-5827.patch +# Fix for CVE-2019-13750 +# 
https://github.com/sqlite/sqlite/commit/397a78d4a1864111f488a51d296810e7ef037893 +# https://www.sqlite.org/src/info/70390bbca49e7066 +Patch29: sqlite-3.26.0-CVE-2019-13750.patch +# Fix for CVE-2019-13751 +# https://github.com/sqlite/sqlite/commit/70d1a1a3ed64d7bd82fd90268e4c9cf208ca1be0 +Patch30: sqlite-3.26.0-CVE-2019-13751.patch +# Fix for CVE-2019-19603 +# https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13 +Patch31: sqlite-3.26.0-CVE-2019-19603.patch +# Fix for CVE-2020-13435 +# https://www.sqlite.org/src/info/ad7bb70af9bb68d1 +Patch34: sqlite-3.26.0-CVE-2020-13435.patch + +BuildRequires: ncurses-devel readline-devel glibc-devel +BuildRequires: autoconf +%if %{with tcl} +BuildRequires: /usr/bin/tclsh +BuildRequires: tcl-devel +%{!?tcl_version: %global tcl_version 8.6} +%{!?tcl_sitearch: %global tcl_sitearch %{_libdir}/tcl%{tcl_version}} +%endif + +Requires: %{name}-libs = %{version}-%{release} + +# Ensure updates from pre-split work on multi-lib systems +Obsoletes: %{name} < 3.11.0-1 +Conflicts: %{name} < 3.11.0-1 + +%description +SQLite is a C library that implements an SQL database engine. A large +subset of SQL92 is supported. A complete database is stored in a +single disk file. The API is designed for convenience and ease of use. +Applications that link against SQLite can enjoy the power and +flexibility of an SQL database without the administrative hassles of +supporting a separate database server. Version 2 and version 3 binaries +are named to permit each to be installed on a single host + +%package devel +Summary: Development tools for the sqlite3 embeddable SQL database engine +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} +Requires: pkgconfig + +%description devel +This package contains the header files and development documentation +for %{name}. If you like to develop programs using %{name}, you will need +to install %{name}-devel. 
+ +%package libs +Summary: Shared library for the sqlite3 embeddable SQL database engine. +Group: Development/Libraries + +# Ensure updates from pre-split work on multi-lib systems +Obsoletes: %{name} < 3.11.0-1 +Conflicts: %{name} < 3.11.0-1 + +%description libs +This package contains the shared library for %{name}. + +%package doc +Summary: Documentation for sqlite +Group: Documentation +BuildArch: noarch + +%description doc +This package contains most of the static HTML files that comprise the +www.sqlite.org website, including all of the SQL Syntax and the +C/C++ interface specs and other miscellaneous documentation. + +%package -n lemon +Summary: A parser generator +Group: Development/Tools + +%description -n lemon +Lemon is an LALR(1) parser generator for C or C++. It does the same +job as bison and yacc. But lemon is not another bison or yacc +clone. It uses a different grammar syntax which is designed to reduce +the number of coding errors. Lemon also uses a more sophisticated +parsing engine that is faster than yacc and bison and which is both +reentrant and thread-safe. Furthermore, Lemon implements features +that can be used to eliminate resource leaks, making is suitable for +use in long-running programs such as graphical user interfaces or +embedded controllers. + +%if %{with tcl} +%package tcl +Summary: Tcl module for the sqlite3 embeddable SQL database engine +Group: Development/Languages +Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} +Requires: tcl(abi) = %{tcl_version} + +%description tcl +This package contains the tcl modules for %{name}. + +%package analyzer +Summary: An analysis program for sqlite3 database files +Group: Development/Tools +Requires: %{name} = %{version}-%{release} +Requires: tcl(abi) = %{tcl_version} + +%description analyzer +This package contains the analysis program for %{name}. 
+%endif + +%prep +%setup -q -a1 -n %{name}-src-%{realver} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch6 -p1 +%ifarch %{ix86} +%patch7 -p1 +%endif +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch34 -p1 + + +# Remove backup-file +rm -f %{name}-doc-%{docver}/sqlite.css~ || : + +autoconf # Rerun with new autoconf to add support for aarm64 + +%build +export CFLAGS="$RPM_OPT_FLAGS $RPM_LD_FLAGS -DSQLITE_ENABLE_COLUMN_METADATA=1 \ + -DSQLITE_DISABLE_DIRSYNC=1 -DSQLITE_ENABLE_FTS3=3 \ + -DSQLITE_ENABLE_RTREE=1 -DSQLITE_SECURE_DELETE=1 \ + -DSQLITE_ENABLE_UNLOCK_NOTIFY=1 -DSQLITE_ENABLE_DBSTAT_VTAB=1 \ + -DSQLITE_ENABLE_FTS3_PARENTHESIS=1 -DSQLITE_ENABLE_JSON1=1 \ + -Wall -fno-strict-aliasing" +%configure %{!?with_tcl:--disable-tcl} \ + --enable-fts5 \ + --enable-threadsafe \ + --enable-threads-override-locks \ + --enable-load-extension \ + %{?with_tcl:TCLLIBDIR=%{tcl_sitearch}/sqlite3} + +# rpath removal +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + +make %{?_smp_mflags} + +# Build sqlite3_analyzer +# depends on tcl +%if %{with tcl} +make %{?_smp_mflags} sqlite3_analyzer +%endif + +%install +make DESTDIR=${RPM_BUILD_ROOT} install + +install -D -m0644 sqlite3.1 $RPM_BUILD_ROOT/%{_mandir}/man1/sqlite3.1 +install -D -m0755 lemon $RPM_BUILD_ROOT/%{_bindir}/lemon +install -D -m0644 tool/lempar.c $RPM_BUILD_ROOT/%{_datadir}/lemon/lempar.c + +%if %{with tcl} +# fix up permissions to enable dep extraction +chmod 0755 ${RPM_BUILD_ROOT}/%{tcl_sitearch}/sqlite3/*.so +# Install sqlite3_analyzer +install -D -m0755 sqlite3_analyzer $RPM_BUILD_ROOT/%{_bindir}/sqlite3_analyzer 
+%endif + +%if ! %{with static} +rm -f $RPM_BUILD_ROOT/%{_libdir}/*.{la,a} +%endif + +%if %{with check} +%check +# XXX shell tests are broken due to loading system libsqlite3, work around... +export LD_LIBRARY_PATH=`pwd`/.libs +export MALLOC_CHECK_=3 + +# csv01 hangs on all non-intel archs i've tried +%ifarch x86_64 %{ix86} +%else +rm test/csv01.test +%endif + +make test +%endif # with check + +%ldconfig_scriptlets libs + +%files +%{_bindir}/sqlite3 +%{_mandir}/man?/* + +%files libs +%doc README.md +%{_libdir}/*.so.* + +%files devel +%{_includedir}/*.h +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%if %{with static} +%{_libdir}/*.a +%exclude %{_libdir}/*.la +%endif + +%files doc +%doc %{name}-doc-%{docver}/* + +%files -n lemon +%{_bindir}/lemon +%{_datadir}/lemon + +%if %{with tcl} +%files tcl +%{tcl_sitearch}/sqlite3 + +%files analyzer +%{_bindir}/sqlite3_analyzer +%endif + +%changelog +* Tue May 18 2021 Petr Kubat - 3.26.0-15 +- Removing fix for CVE-2019-19645 (unaffected) +- Removing fix for CVE-2019-19880 (unaffected) + +* Thu Apr 15 2021 Ondrej Dubaj - 3.26.0-14 +- Fixed CVE-2019-5827 (#1710184) +- Fixed CVE-2019-13750 (#1786510) +- Fixed CVE-2019-13751 (#1786522) +- Fixed CVE-2019-19603 (#1792013) +- Fixed CVE-2020-13435 (#1841233) + +* Tue Dec 01 2020 Ondrej Dubaj - 3.26.0-13 +- enabled fts3conf.test on s390x and ppc64 architectures + +* Mon Aug 17 2020 Ondrej Dubaj - 3.26.0-12 +- Fixed CVE-2020-13434 (#1845843) +- Fixed CVE-2020-15358 (#1855208) + +* Fri Aug 07 2020 Ondrej Dubaj - 3.26.0-11 +- Fixed bug in CVE-2019-20218 (#1791592) + +* Wed Jun 10 2020 Ondrej Dubaj - 3.26.0-10 +- Fixed CVE-2020-13632 (#1845572) +- Fixed CVE-2020-13631 (#1845474) +- Fixed CVE-2020-13630 (#1845153) + +* Tue Jun 02 2020 Ondrej Dubaj - 3.26.0-9 +- Fixed CVE-2019-5018 (#1721509) + +* Thu Apr 23 2020 Ondrej Dubaj - 3.26.0-8 +- Fixed CVE-2019-16168 (#1826897) + +* Tue Mar 24 2020 Ondrej Dubaj - 3.26.0-7 +- Fixed CVE-2019-20218 (#1791592) +- Fixed CVE-2020-6405 (#1804823) +- Fixed 
CVE-2020-0327 (#1816572) + +* Thu Jan 23 2020 Ondrej Dubaj - 3.26.0-6 +- Fixed issues found by covscan + +* Thu Jan 02 2020 Ondrej Dubaj - 3.26.0-5 +- Fixed CVE-2019-13752 (#1786529) +- Fixed CVE-2019-13753 (#1786535) +- Fixed CVE-2019-13734 (#1786509) +- Fixed CVE-2019-19924 (#1789776) +- Fixed CVE-2019-19923 (#1789812) +- Fixed CVE-2019-19925 (#1789808) +- Fixed CVE-2019-19959 (#1789823) + +* Wed Jun 26 2019 Ondrej Dubaj - 3.26.0-4 +- Fixed CVE-2019-8457 (#1723338) + +* Thu Jan 03 2019 Petr Kubat - 3.26.0-3 +- Rebuild to pick up latest test sources by the CI + +* Thu Jan 03 2019 Petr Kubat - 3.26.0-2 +- Add explicit sqlite-libs requires to tcl and devel subpackages + +* Mon Dec 17 2018 Petr Kubat - 3.26.0-1 +- Updated to version 3.26.0 (https://sqlite.org/releaselog/3_26_0.html) + Fixes fts3/4 corrupt database exploit (#1659684) + +* Tue Jun 05 2018 Petr Kubat - 3.24.0-1 +- Updated to version 3.24.0 (https://sqlite.org/releaselog/3_24_0.html) + +* Wed Apr 11 2018 Petr Kubat - 3.23.1-1 +- Updated to version 3.23.1 (https://sqlite.org/releaselog/3_23_1.html) + +* Tue Apr 03 2018 Petr Kubat - 3.23.0-1 +- Updated to version 3.23.0 (https://sqlite.org/releaselog/3_23_0.html) + +* Wed Mar 21 2018 Petr Kubat - 3.22.0-4 +- Fixed CVE-2018-8740 (#1558809) + +* Fri Feb 9 2018 Florian Weimer - 3.22.0-3 +- Use LDFLAGS from redhat-rpm-config for building lemon, too + +* Mon Feb 05 2018 Petr Kubat - 3.22.0-2 +- Fixed issue with some walro2 tests failing on ppc64 + +* Sat Feb 03 2018 Igor Gnatenko - 3.22.0-2 +- Switch to %%ldconfig_scriptlets + +* Thu Jan 25 2018 Petr Kubat - 3.22.0-1 +- Fixed issue with some e_expr tests failing i686 +- Fixed issue with a fts3rank test failing on big-endian systems + +* Tue Jan 23 2018 Petr Kubat - 3.22.0-1 +- Updated to version 3.22.0 (https://sqlite.org/releaselog/3_22_0.html) + +* Wed Nov 01 2017 Petr Kubat - 3.21.0-1 +- Updated to version 3.21.0 (https://sqlite.org/releaselog/3_21_0.html) + +* Mon Aug 28 2017 Petr Kubat - 3.20.1-1 +- 
Updated to version 3.20.1 (https://sqlite.org/releaselog/3_20_1.html) + +* Tue Aug 22 2017 Kalev Lember - 3.20.0-2 +- Build with --enable-fts5 + +* Wed Aug 02 2017 Petr Kubat - 3.20.0-1 +- Updated to version 3.20.0 (https://sqlite.org/releaselog/3_20_0.html) + +* Thu Jul 27 2017 Fedora Release Engineering - 3.19.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jul 12 2017 Petr Kubat - 3.19.3-1 +- Updated to version 3.19.3 (https://sqlite.org/releaselog/3_19_3.html) +- Better detection of CVE-2017-10989 (#1469673) + +* Thu May 25 2017 Petr Kubat - 3.19.1-1 +- Updated to version 3.19.1 (https://sqlite.org/releaselog/3_19_1.html) + +* Mon Apr 03 2017 Petr Kubat - 3.18.0-1 +- Updated to version 3.18.0 (https://sqlite.org/releaselog/3_18_0.html) +- Modify sync2.test to pass with DIRSYNC turned off + +* Thu Mar 02 2017 Petr Kubat - 3.17.0-2 +- Rebuild using newest gcc (#1428286) + +* Tue Feb 21 2017 Petr Kubat - 3.17.0-1 +- Updated to version 3.17.0 (https://sqlite.org/releaselog/3_17_0.html) + +* Sat Feb 11 2017 Fedora Release Engineering - 3.16.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 12 2017 Igor Gnatenko - 3.16.2-2 +- Rebuild for readline 7.x + +* Sat Jan 7 2017 Jakub Dorňák - 3.16.2-1 +- Updated to version 3.16.2 (https://sqlite.org/releaselog/3_16_2.html) + +* Wed Jan 4 2017 Jakub Dorňák - 3.16.1-1 +- Updated to version 3.16.1 (https://sqlite.org/releaselog/3_16_1.html) + +* Tue Jan 3 2017 Jakub Dorňák - 3.16.0-1 +- Updated to version 3.16.0 (https://sqlite.org/releaselog/3_16_0.html) + +* Wed Sep 21 2016 Jakub Dorňák - 3.14.2-1 +- Updated to version 3.14.2 (https://sqlite.org/releaselog/3_14_2.html) + +* Mon Aug 15 2016 Jakub Dorňák - 3.14.1-1 +- Updated to version 3.14.1 (https://sqlite.org/releaselog/3_14_1.html) + +* Tue May 24 2016 Jakub Dorňák - 3.13.0-1 +- Updated to version 3.13.0 (https://sqlite.org/releaselog/3_13_0.html) + +* Mon Apr 25 2016 Jakub Dorňák - 3.12.2-1 +- Updated 
to version 3.12.2 (https://sqlite.org/releaselog/3_12_2.html) + +* Wed Mar 02 2016 Jan Stanek - 3.11.0-3 +- Release bump for #1312506 + +* Tue Feb 23 2016 Nils Philippsen - 3.11.0-2 +- add obsoletes/conflicts to make updates on multi-lib systems work (#1310441) +- make -devel package depend on arch-specific -libs (not main) package + +* Wed Feb 17 2016 Jan Stanek - 3.11.0-1 +- Updated to version 3.11.0 (https://sqlite.org/releaselog/3_11_0.html) + +* Mon Feb 08 2016 Jan Stanek - 3.10.2-3 +- Split the shared libraries to standalone subpackage + +* Fri Feb 05 2016 Fedora Release Engineering - 3.10.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jan 22 2016 Jan Stanek - 3.10.2-1 +- Updated to version 3.10.2 (http://sqlite.org/releaselog/3_10_2.html) +- Enabled JSON1 Extension (rhbz#1277387) +- Made test failure nonfatal on MIPS (rhbz#1294888) + +* Wed Jan 13 2016 Jan Stanek - 3.10.0-1 +- Updated to version 3.10.0 (http://sqlite.org/releaselog/3_10_0.html) + +* Mon Dec 21 2015 Jan Stanek - 3.9.2-1 +- Updated to version 3.9.2 (http://sqlite.org/releaselog/3_9_2.html) + +* Thu Dec 10 2015 Jan Stanek - 3.9.0-2 +- Add autoconf amalgamation for stage2 builds. 
+ +* Thu Oct 15 2015 Jan Stanek - 3.9.0-1 +- Updated to version 3.9.0 (https://sqlite.org/releaselog/3_9_0.html) + +* Tue Sep 22 2015 Jan Stanek - 3.8.11.1-1 +- Updated to version 3.8.11.1 + +* Tue Jul 28 2015 Jan Stanek - 3.8.11-1 +- Updated to version 3.8.11 (https://sqlite.org/releaselog/3_8_11.html) + +* Fri Jun 19 2015 Jan Stanek - 3.8.10.2-3 +- Enabled SQLITE_ENABLE_FTS3_PARENTHESIS extension (rhbz#1232301) + +* Fri Jun 19 2015 Fedora Release Engineering - 3.8.10.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri May 29 2015 Jan Stanek - 3.8.10.2-1 +- Updated to version 3.8.10.2 (https://sqlite.org/releaselog/3_8_10_2.html) + +* Mon May 18 2015 Jan Stanek - 3.8.10.1-1 +- Updated to version 3.8.10.1 (https://www.sqlite.org/releaselog/3_8_10_1.html) + +* Tue Apr 14 2015 Jan Stanek - 3.8.9-1 +- Updated to version 3.8.9 (https://www.sqlite.org/releaselog/3_8_9.html) + +* Thu Feb 26 2015 Jan Stanek - 3.8.8.3-1 +- Updated to version 3.8.8.3 (https://sqlite.org/releaselog/3_8_8_3.html) + +* Sat Feb 21 2015 Till Maas - 3.8.8-3 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Tue Feb 03 2015 Jan Stanek - 3.8.8-2 +- Fixed out-of-date source URLs (rhbz#1188092) + +* Tue Jan 20 2015 Jan Stanek - 3.8.8-1 +- Updated to version 3.8.8 (https://sqlite.org/releaselog/3_8_8.html) +- Recreated patches to work on current version. 
+ +* Fri Dec 12 2014 Jan Stanek - 3.8.7.4-1 +- Updated to version 3.8.7.4 (http://www.sqlite.org/releaselog/3_8_7_4.html) + +* Tue Nov 25 2014 Jan Stanek - 3.8.7.2-1 +- Updated to version 3.8.7.2 (http://sqlite.org/releaselog/3_8_7_2.html) + +* Tue Oct 21 2014 Jan Stanek - 3.8.7-1 +- Updated to version 3.8.7 (http://sqlite.org/releaselog/3_8_7.html) +- Dropped patch for problem fixed upstream + +* Tue Aug 19 2014 Jan Stanek - 3.8.6-2 +- Added auto-selection of Tcl version based on Fedora version + +* Tue Aug 19 2014 Jan Stanek - 3.8.6-1 +- Updated to version 3.8.6 (http://www.sqlite.org/releaselog/3_8_6.html) + +* Mon Aug 18 2014 Fedora Release Engineering - 3.8.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jun 11 2014 Peter Robinson 3.8.5-2 +- Re-enable tests on aarch64 now they pass again + +* Tue Jun 10 2014 Jan Stanek - 3.8.5-1 +- Update to version 3.8.5 (http://www.sqlite.org/releaselog/3_8_5.html) +- Dropped patch already included upstream + +* Sun Jun 08 2014 Fedora Release Engineering - 3.8.4.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Jun 5 2014 Peter Robinson 3.8.4.3-4 +- Don't make tests fail the build on aarch64 like some of the other arches + +* Wed May 28 2014 Jan Stanek - 3.8.4.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Changes/f21tcl86 with correct tcl_version + +* Wed May 21 2014 Jaroslav Škarvada - 3.8.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Changes/f21tcl86 + +* Tue Apr 29 2014 Jan Stanek - 3.8.4.3-1 +- Update to version 3.8.4.3 (http://www.sqlite.org/releaselog/3_8_4_3.html) +- Changed patch for rhbz#1075889 to upstream version + Related: #1075889 + +* Fri Apr 25 2014 Honza Horak - 3.8.4.2-3 +- Revert part of the upstream commit dca1945aeb3fb005, since it causes + nautilus to crash + Related: #1075889 + +* Wed Apr 02 2014 Jan Stanek 3.8.4.2-2 +- Added building and shipping of sqlite3_analyzer (#1007159) + +* Fri Mar 28 2014 Jan Stanek 3.8.4.2-1 +- 
Update to 3.8.4 (http://www.sqlite.org/releaselog/3_8_4_2.html) + +* Tue Mar 11 2014 Jan Stanek 3.8.4-1 +- Update to 3.8.4 (http://www.sqlite.org/releaselog/3_8_4.html) + +* Sun Feb 23 2014 Peter Robinson 3.8.3-2 +- Re-enable check on ARM/aarch64 as failing test fixed upstream for non x86 arches +- Modernise spec + +* Tue Feb 11 2014 Jan Stanek 3.8.3-1 +- Update to 3.8.3 (http://www.sqlite.org/releaselog/3_8_3.html) +- Dropped man-page patch - included upstream + +* Mon Jan 6 2014 Peter Robinson 3.8.2-2 +- Add aarch64 to all the other arch excludes for tests + +* Tue Dec 10 2013 Jan Stanek - 3.8.2-1 +- Update to 3.8.2 (http://www.sqlite.org/releaselog/3_8_2.html) + +* Tue Nov 26 2013 Debarshi Ray - 3.8.1-2 +- Do not use transitive WHERE-clause constraints on LEFT JOINs (#1034714) + +* Tue Oct 22 2013 Jan Stanek - 3.8.1-1 +- Update to 3.8.1 (http://www.sqlite.org/releaselog/3_8_1.html) + +* Thu Sep 26 2013 Jan Stanek - 3.8.0.2-4 +- Removed fullversioned provides and start using full version for rpm version + +* Mon Sep 23 2013 Jan Stanek - 3.8.0-3 +- Added fullversioned Provides to fix broken dependency + +* Mon Sep 16 2013 Jan Stanek - 3.8.0-2 +- Dropped problematic percentile-2.1.50 test + +* Thu Sep 05 2013 Jan Stanek - 3.8.0-1 +- Update to 3.8.0.2 (http://sqlite.org/releaselog/3_8_0_2.html) + +* Sun Aug 04 2013 Fedora Release Engineering - 3.7.17-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed May 22 2013 Jan Stanek - 3.7.17-1 +- Update to 3.7.17 (http://www.sqlite.org/releaselog/3_7_17.html) + +* Thu May 16 2013 Jan Stanek - 3.7.16.2-2 +- Added missing options to man page (#948862) + +* Mon Apr 29 2013 Jan Stanek - 3.7.16.2-1 +- update to 3.7.16.2 (http://www.sqlite.org/releaselog/3_7_16_2.html) +- add support for aarch64 (rerunning autoconf) (#926568) + +* Sun Mar 31 2013 Panu Matilainen - 3.7.16.1-1 +- update to 3.7.16.1 (https://www.sqlite.org/releaselog/3_7_16_1.html) + +* Wed Mar 20 2013 Panu Matilainen - 3.7.16-1 +- update 
to 3.7.16 (http://www.sqlite.org/releaselog/3_7_16.html)
+
+* Fri Feb 15 2013 Fedora Release Engineering - 3.7.15.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Jan 10 2013 Panu Matilainen - 3.7.15.2-1
+- update to 3.7.15.2 (http://www.sqlite.org/releaselog/3_7_15_2.html)
+
+* Thu Dec 13 2012 Panu Matilainen - 3.7.15-1
+- update to 3.7.15 (http://www.sqlite.org/releaselog/3_7_15.html)
+- fix an old incorrect date in spec changelog
+
+* Tue Nov 06 2012 Panu Matilainen - 3.7.14.1-1
+- update to 3.7.14.1 (http://www.sqlite.org/releaselog/3_7_14_1.html)
+
+* Wed Oct 03 2012 Panu Matilainen - 3.7.14-1
+- update to 3.7.14 (http://www.sqlite.org/releaselog/3_7_14.html)
+
+* Sat Jul 21 2012 Fedora Release Engineering - 3.7.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 25 2012 Panu Matilainen - 3.7.13-1
+- update to 3.7.13 (http://www.sqlite.org/releaselog/3_7_13.html)
+- drop no longer needed savepoint relase patch
+
+* Fri Jun 01 2012 Panu Matilainen - 3.7.11-3
+- don't abort pending queries on release of nested savepoint (#821642)
+
+* Wed Apr 25 2012 Panu Matilainen - 3.7.11-2
+- run test-suite with MALLOC_CHECK_=3
+- disable buggy malloc_usable_size code (#801981)
+
+* Mon Mar 26 2012 Panu Matilainen - 3.7.11-1
+- update to 3.7.11 (http://www.sqlite.org/releaselog/3_7_11.html)
+
+* Wed Mar 07 2012 Panu Matilainen - 3.7.10-1
+- update to 3.7.10 (http://www.sqlite.org/releaselog/3_7_10.html)
+
+* Sat Jan 14 2012 Fedora Release Engineering - 3.7.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Nov 22 2011 Panu Matilainen - 3.7.9-1
+- update to 3.7.9 (http://www.sqlite.org/releaselog/3_7_9.html)
+
+* Fri Oct 28 2011 Panu Matilainen - 3.7.8-1
+- update to 3.7.8 (http://www.sqlite.org/releaselog/3_7_8.html)
+
+* Wed Jul 13 2011 Panu Matilainen - 3.7.7.1-1
+- update to 3.7.7.1 (http://www.sqlite.org/releaselog/3_7_7_1.html)
+- autoconf no longer needed for build, libdl check finally upstreamed
+
+* Wed May 25 2011 Panu Matilainen - 3.7.6.3-1
+- update to 3.7.6.3 (http://www.sqlite.org/releaselog/3_7_6_3.html)
+
+* Sat May 21 2011 Peter Robinson - 3.7.6.2-3
+- add arm to the exclude from tests list
+
+* Fri Apr 29 2011 Panu Matilainen - 3.7.6.2-2
+- comment out stupid tests causing very bogus build failure on koji
+
+* Thu Apr 21 2011 Panu Matilainen - 3.7.6.2-1
+- update to 3.7.6.2 (http://www.sqlite.org/releaselog/3_7_6_2.html)
+
+* Fri Feb 25 2011 Dennis Gilmore - 3.7.5-4
+- build tests on sparc expecting failures same as the other big endian arches
+
+* Wed Feb 09 2011 Fedora Release Engineering - 3.7.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Feb 2 2011 Panu Matilainen - 3.7.5-2
+- unwanted cgi-script in docs creating broken dependencies, remove it
+- make doc sub-package noarch
+
+* Tue Feb 1 2011 Panu Matilainen - 3.7.5-1
+- update to 3.7.5 (http://www.sqlite.org/releaselog/3_7_5.html)
+
+* Thu Dec 9 2010 Panu Matilainen - 3.7.4-1
+- update to 3.7.4 (http://www.sqlite.org/releaselog/3_7_4.html)
+- deal with upstream source naming, versioning and format changing
+- fixup wal2-test expections wrt SQLITE_DISABLE_DIRSYNC use
+
+* Fri Nov 5 2010 Dan Horák - 3.7.3-2
+- expect test failures also on s390x
+
+* Mon Nov 1 2010 Panu Matilainen - 3.7.3-1
+- update to 3.7.3 (http://www.sqlite.org/releaselog/3_7_3.html)
+
+* Thu Sep 2 2010 Tom "spot" Callaway - 3.7.0.1-2
+- enable SQLITE_SECURE_DELETE, SQLITE_ENABLE_UNLOCK_NOTIFY for firefox 4
+
+* Fri Aug 13 2010 Panu Matilainen - 3.7.0.1-1
+- update to 3.7.0.1 (http://www.sqlite.org/releaselog/3_7_0_1.html)
+
+* Sat Jul 3 2010 Dan Horák - 3.6.23.1-2
+- some tests are failing on s390 and ppc/ppc64 so don't fail the whole build there
+
+* Mon Apr 19 2010 Panu Matilainen - 3.6.23.1-1
+- update to 3.6.23.1 (http://www.sqlite.org/releaselog/3_6_23_1.html)
+
+* Wed Mar 10 2010 Panu Matilainen - 3.6.23-1
+- update to 3.6.23 (http://www.sqlite.org/releaselog/3_6_23.html)
+- drop the lemon sprintf patch, upstream doesn't want it
+- make test-suite errors fail build finally
+
+* Mon Jan 18 2010 Panu Matilainen - 3.6.22-1
+- update to 3.6.22 (http://www.sqlite.org/releaselog/3_6_22.html)
+
+* Tue Dec 08 2009 Panu Matilainen - 3.6.21-1
+- update to 3.6.21 (http://www.sqlite.org/releaselog/3_6_21.html)
+
+* Tue Nov 17 2009 Panu Matilainen - 3.6.20-1
+- update to 3.6.20 (http://www.sqlite.org/releaselog/3_6_20.html)
+
+* Tue Oct 06 2009 Panu Matilainen - 3.6.18-1
+- update to 3.6.18 (http://www.sqlite.org/releaselog/3_6_18.html)
+- drop no longer needed test-disabler patches
+
+* Fri Aug 21 2009 Panu Matilainen - 3.6.17-1
+- update to 3.6.17 (http://www.sqlite.org/releaselog/3_6_17.html)
+- disable to failing tests until upstream fixes
+
+* Sun Jul 26 2009 Fedora Release Engineering - 3.6.14.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Fri Jun 12 2009 Panu Matilainen - 3.6.14.2-1
+- update to 3.6.14.2 (#505229)
+
+* Mon May 18 2009 Panu Matilainen - 3.6.14-2
+- disable rpath
+- add -doc subpackage instead of patching out reference to it
+
+* Thu May 14 2009 Panu Matilainen - 3.6.14-1
+- update to 3.6.14 (http://www.sqlite.org/releaselog/3_6_14.html)
+- merge-review cosmetics (#226429)
+ - drop ancient sqlite3 obsoletes
+ - fix tab vs space whitespace issues
+ - remove commas from summaries
+- fixup io-test fsync expectations wrt SQLITE_DISABLE_DIRSYNC
+
+* Wed Apr 15 2009 Panu Matilainen - 3.6.13-1
+- update to 3.6.13
+
+* Thu Apr 09 2009 Dennis Gilmore - 3.6.12-3
+- apply upstream patch for memory alignment issue (#494906)
+
+* Tue Apr 07 2009 Panu Matilainen - 3.6.12-2
+- disable strict aliasing to work around brokenness on 3.6.12 (#494266)
+- run test-suite on build but let it fail for now
+
+* Fri Apr 03 2009 Panu Matilainen - 3.6.12-1
+- update to 3.6.12 (#492662)
+- remove reference to non-existent sqlite-doc from manual (#488883)
+
+* Wed Feb 25 2009 Fedora Release Engineering - 3.6.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Feb 04 2009 Panu Matilainen - 3.6.10-3
+- enable RTREE and FTS3 extensions (#481417)
+
+* Thu Jan 22 2009 Panu Matilainen - 3.6.10-2
+- upstream fix yum breakage caused by new keywords (#481189)
+
+* Thu Jan 22 2009 Panu Matilainen - 3.6.10-1
+- update to 3.6.10
+
+* Wed Dec 31 2008 Panu Matilainen - 3.6.7-1
+- update to 3.6.7
+- avoid lemon ending up in main sqlite package too
+
+* Fri Dec 05 2008 Panu Matilainen - 3.6.6.2-4
+- add lemon subpackage
+
+* Thu Dec 4 2008 Matthias Clasen - 3.6.6.2-3
+- Rebuild for pkg-config provides
+
+* Tue Dec 02 2008 Panu Matilainen - 3.6.6.2-2
+- require tcl(abi) in sqlite-tcl subpackage (#474034)
+- move tcl extensions to arch-specific location
+- enable dependency extraction on the tcl dso
+- require pkgconfig in sqlite-devel
+
+* Sat Nov 29 2008 Panu Matilainen - 3.6.6.2-1
+- update to 3.6.6.2
+
+* Sat Nov 08 2008 Panu Matilainen - 3.6.4-1
+- update to 3.6.4
+- drop patches already upstream
+
+* Mon Sep 22 2008 Panu Matilainen - 3.5.9-2
+- Remove references to temporary registers from cache on release (#463061)
+- Enable loading of external extensions (#457433)
+
+* Tue Jun 17 2008 Stepan Kasal - 3.5.9-1
+- update to 3.5.9
+
+* Wed Apr 23 2008 Panu Matilainen - 3.5.8-1
+- update to 3.5.8
+- provide full version in pkg-config (#443692)
+
+* Mon Mar 31 2008 Panu Matilainen - 3.5.6-2
+- remove reference to static libs from -devel description (#439376)
+
+* Tue Feb 12 2008 Panu Matilainen - 3.5.6-1
+- update to 3.5.6
+- also fixes #432447
+
+* Fri Jan 25 2008 Panu Matilainen - 3.5.4-3
+- enable column metadata API (#430258)
+
+* Tue Jan 08 2008 Panu Matilainen - 3.5.4-2
+- avoid packaging CVS directory as documentation (#427755)
+
+* Fri Dec 21 2007 Panu Matilainen - 3.5.4-1
+- Update to 3.5.4 (#413801)
+
+* Fri Sep 28 2007 Panu Matilainen - 3.4.2-3
+- Add another build conditional for enabling %%check
+
+* Fri Sep 28 2007 Panu Matilainen - 3.4.2-2
+- Use bconds for the spec build conditionals
+- Enable -tcl subpackage again (#309041)
+
+* Wed Aug 15 2007 Paul Nasrat - 3.4.2-1
+- Update to 3.4.2
+
+* Sat Jul 21 2007 Paul Nasrat - 3.4.1-1
+- Update to 3.4.1
+
+* Sun Jun 24 2007 Paul Nasrat - 3.4.0-2
+- Disable load for now (#245486)
+
+* Tue Jun 19 2007 Paul Nasrat - 3.4.0-1
+- Update to 3.4.0
+
+* Fri Jun 01 2007 Paul Nasrat - 3.3.17-2
+- Enable load
+- Build fts1 and fts2
+- Don't sync on dirs (#237427)
+
+* Tue May 29 2007 Paul Nasrat - 3.3.17-1
+- Update to 3.3.17
+
+* Mon Mar 19 2007 Paul Nasrat - 3.3.13-1
+- Update to 3.3.13
+
+* Fri Aug 11 2006 Paul Nasrat - 3.3.6-2
+- Fix conditional typo (patch from Gareth Armstrong)
+
+* Wed Jul 12 2006 Jesse Keating - 3.3.6-1.1
+- rebuild
+
+* Mon Jun 26 2006 Paul Nasrat - 3.3.6-1
+- Update to 3.3.6
+- Fix typo (#189647)
+- Enable threading fixes (#181298)
+- Conditionalize static library
+
+* Mon Apr 17 2006 Paul Nasrat - 3.3.5-1
+- Update to 3.3.5
+
+* Fri Feb 10 2006 Jesse Keating - 3.3.3-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 3.3.3-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 31 2006 Christopher Aillon - 3.3.3-1
+- Update to 3.3.3
+
+* Tue Jan 31 2006 Christopher Aillon - 3.3.2-1
+- Update to 3.3.2
+
+* Tue Jan 24 2006 Paul Nasrat - 3.2.8-1
+- Add --enable-threadsafe (Nicholas Miell)
+- Update to 3.2.8
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Tue Oct 4 2005 Jeremy Katz - 3.2.7-2
+- no more static file or libtool archive (#169874)
+
+* Wed Sep 28 2005 Florian La Roche
+- Upgrade to 3.2.7 release.
+
+* Thu Sep 22 2005 Florian La Roche
+- Upgrade to 3.2.6 release.
+
+* Sun Sep 11 2005 Florian La Roche
+- Upgrade to 3.2.5 release.
+
+* Fri Jul 8 2005 Roland McGrath - 3.2.2-1
+- Upgrade to 3.2.2 release.
+
+* Sat Apr 9 2005 Warren Togami - 3.1.2-3
+- fix buildreqs (#154298)
+
+* Mon Apr 4 2005 Jeremy Katz - 3.1.2-2
+- disable tcl subpackage
+
+* Wed Mar 9 2005 Jeff Johnson 3.1.2-1
+- rename to "sqlite" from "sqlite3" (#149719, #150012).
+
+* Wed Feb 16 2005 Jeff Johnson 3.1.2-1
+- upgrade to 3.1.2.
+- add sqlite3-tcl sub-package.
+
+* Sat Feb 5 2005 Jeff Johnson 3.0.8-3
+- repackage for fc4.
+
+* Mon Jan 17 2005 R P Herrold 3.0.8-2orc
+- fix a man page nameing conflict when co-installed with sqlite-2, as
+ is permissible