Fixed CVE-2018-8740

Resolves: #1558809
2018-03-21 15:11:04 +01:00 · 2018-03-21 15:11:04 +01:00 · f2d6883ed2
commit f2d6883ed2
parent 28cc179ee2
2 changed files with 58 additions and 1 deletions
--- a/sqlite-3.22.0-corrupt-schema.patch
+++ b/sqlite-3.22.0-corrupt-schema.patch
@ -0,0 +1,51 @@
+Index: src/build.c
+==================================================================
+--- src/build.c
+++ src/build.c
+@@ -1868,12 +1868,10 @@
+   }
+   assert( !db->mallocFailed );
+   p = pParse->pNewTable;
+   if( p==0 ) return;
+ 
+-  assert( !db->init.busy || !pSelect );
+-
+   /* If the db->init.busy is 1 it means we are reading the SQL off the
+   ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+   ** So do not write to the disk again.  Extract the root page number
+   ** for the table from the db->init.newTnum field.  (The page number
+   ** should have been put there by the sqliteOpenCb routine.)
+@@ -1880,10 +1878,14 @@
+   **
+   ** If the root page number is 1, that means this is the sqlite_master
+   ** table itself.  So mark it read-only.
+   */
+   if( db->init.busy ){
+    if( pSelect ){
+      sqlite3ErrorMsg(pParse, "");
+      return;
+    }
+     p->tnum = db->init.newTnum;
+     if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+   }
+ 
+   /* Special processing for WITHOUT ROWID Tables */
+
+Index: src/prepare.c
+==================================================================
+--- src/prepare.c
+++ src/prepare.c
+@@ -27,11 +27,11 @@
+   sqlite3 *db = pData->db;
+   if( !db->mallocFailed && (db->flags & SQLITE_WriteSchema)==0 ){
+     char *z;
+     if( zObj==0 ) zObj = "?";
+     z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+-    if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+    if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+     sqlite3DbFree(db, *pData->pzErrMsg);
+     *pData->pzErrMsg = z;
+   }
+   pData->rc = db->mallocFailed ? SQLITE_NOMEM_BKPT : SQLITE_CORRUPT_BKPT;
+ }
+
--- a/sqlite.spec
+++ b/sqlite.spec
@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@ -41,6 +41,8 @@ Patch10: sqlite-3.22.0-fts3rank-big-endian.patch
 # Upstream pt1: https://www.sqlite.org/src/info/d9e59cfb8476e1ec
 # Upstream pt2: https://www.sqlite.org/src/info/ba0631de60ca38bf
 Patch11: sqlite-3.22.0-walro2-filesize.patch
+# Upstream: https://www.sqlite.org/cgi/src/timeline?r=corrupt-schema
+Patch12: sqlite-3.22.0-corrupt-schema.patch

 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@ -147,6 +149,7 @@ This package contains the analysis program for %{name}.
 %patch9 -p0
 %patch10 -p0
 %patch11 -p0
+%patch12 -p0

 autoconf # Rerun with new autoconf to add support for aarm64

@ -248,6 +251,9 @@ make test
 %endif

 %changelog
+* Wed Mar 21 2018 Petr Kubat <pkubat@redhat.com> - 3.22.0-4
+- Fixed CVE-2018-8740 (#1558809)
+
 * Fri Feb  9 2018 Florian Weimer <fweimer@redhat.com> - 3.22.0-3
 - Use LDFLAGS from redhat-rpm-config for building lemon, too