From f2d6883ed23cd3f8a9b6d6b42e93c7b16a0bbd10 Mon Sep 17 00:00:00 2001
From: Petr Kubat
Date: Wed, 21 Mar 2018 15:11:04 +0100
Subject: [PATCH] Fixed CVE-2018-8740

Resolves: #1558809
---
 sqlite-3.22.0-corrupt-schema.patch | 51 ++++++++++++++++++++++++++++++
 sqlite.spec | 8 ++++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 sqlite-3.22.0-corrupt-schema.patch

diff --git a/sqlite-3.22.0-corrupt-schema.patch b/sqlite-3.22.0-corrupt-schema.patch
new file mode 100644
index 0000000..b418eb5
--- /dev/null
+++ b/sqlite-3.22.0-corrupt-schema.patch
@@ -0,0 +1,51 @@
+Index: src/build.c
+==================================================================
+--- src/build.c
++++ src/build.c
+@@ -1868,12 +1868,10 @@
+ }
+ assert( !db->mallocFailed );
+ p = pParse->pNewTable;
+ if( p==0 ) return;
+
+- assert( !db->init.busy || !pSelect );
+-
+ /* If the db->init.busy is 1 it means we are reading the SQL off the
+ ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+ ** So do not write to the disk again. Extract the root page number
+ ** for the table from the db->init.newTnum field. (The page number
+ ** should have been put there by the sqliteOpenCb routine.)
+@@ -1880,10 +1878,14 @@
+ **
+ ** If the root page number is 1, that means this is the sqlite_master
+ ** table itself. So mark it read-only.
+ */
+ if( db->init.busy ){
++ if( pSelect ){
++ sqlite3ErrorMsg(pParse, "");
++ return;
++ }
+ p->tnum = db->init.newTnum;
+ if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+ }
+
+ /* Special processing for WITHOUT ROWID Tables */
+
+Index: src/prepare.c
+==================================================================
+--- src/prepare.c
++++ src/prepare.c
+@@ -27,11 +27,11 @@
+ sqlite3 *db = pData->db;
+ if( !db->mallocFailed && (db->flags & SQLITE_WriteSchema)==0 ){
+ char *z;
+ if( zObj==0 ) zObj = "?";
+ z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
++ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+ sqlite3DbFree(db, *pData->pzErrMsg);
+ *pData->pzErrMsg = z;
+ }
+ pData->rc = db->mallocFailed ? SQLITE_NOMEM_BKPT : SQLITE_CORRUPT_BKPT;
+ }
+
diff --git a/sqlite.spec b/sqlite.spec
index f2f46dd..93fc9d6 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -10,7 +10,7 @@ Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
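Review bot: The empty string passed in `sqlite3ErrorMsg(pParse, "");` in the build.c hunk is only meaningful together with the prepare.c hunk, where the added `zExtra[0]` test stops an empty extra message from producing a trailing ` - `; a reader of build.c alone cannot see that dependency. A comment on that line such as `/* empty text: the schema loader already reports "malformed database schema (<name>)" */` would record it. Replacing the assert with a runtime check means a corrupted on-disk schema carrying a CREATE ... AS SELECT entry is now rejected in release builds as well as debug builds, which is the hardening this backport intends; whether the early `return` leaves pParse->pNewTable for the caller to release is not visible in this hunk. Both enclosing functions start and end outside the inner hunks' context.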
@@ -41,6 +41,8 @@ Patch10: sqlite-3.22.0-fts3rank-big-endian.patch
 # Upstream pt1: https://www.sqlite.org/src/info/d9e59cfb8476e1ec
 # Upstream pt2: https://www.sqlite.org/src/info/ba0631de60ca38bf
 Patch11: sqlite-3.22.0-walro2-filesize.patch
+# Upstream: https://www.sqlite.org/cgi/src/timeline?r=corrupt-schema
+Patch12: sqlite-3.22.0-corrupt-schema.patch
 
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -147,6 +149,7 @@ This package contains the analysis program for %{name}.
 %patch9 -p0
 %patch10 -p0
 %patch11 -p0
+%patch12 -p0
 
 autoconf
 # Rerun with new autoconf to add support for aarm64
@@ -248,6 +251,9 @@ make test
 %endif
 
 %changelog
+* Wed Mar 21 2018 Petr Kubat - 3.22.0-4
+- Fixed CVE-2018-8740 (#1558809)
+
 * Fri Feb 9 2018 Florian Weimer - 3.22.0-3
 - Use LDFLAGS from redhat-rpm-config for building lemon, too