import sqlite-3.26.0-13.el8

2021-05-18 02:33:48 -04:00 · 2021-05-18 02:33:48 -04:00 · f4feac10db
commit f4feac10db
parent 65da0f44ad
4 changed files with 186 additions and 12 deletions
--- a/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13434.patch
@ -0,0 +1,73 @@
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+---
+ src/printf.c     | 12 ++++++++++++
+ test/printf.test | 16 +++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/printf.c b/src/printf.c
+index 7bce83f..260bf79 100644
+--- a/src/printf.c
+++ b/src/printf.c
+@@ -165,6 +165,13 @@ static char *getTextArg(PrintfArguments *p){
+ #endif
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE  /* Size of the output buffer */
+ 
+/*
+** Hard limit on the precision of floating-point conversions.
+*/
+#ifndef SQLITE_PRINTF_PRECISION_LIMIT
+# define SQLITE_FP_PRECISION_LIMIT 100000000
+#endif
+
+ /*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+@@ -471,6 +478,11 @@ void sqlite3_str_vappendf(
+         length = 0;
+ #else
+         if( precision<0 ) precision = 6;         /* Set default precision */
+#ifdef SQLITE_FP_PRECISION_LIMIT
+        if( precision>SQLITE_FP_PRECISION_LIMIT ){
+          precision = SQLITE_FP_PRECISION_LIMIT;
+        }
+#endif
+         if( realvalue<0.0 ){
+           realvalue = -realvalue;
+           prefix = '-';
+diff --git a/test/printf.test b/test/printf.test
+index d768898..a2b5e2a 100644
+--- a/test/printf.test
+++ b/test/printf.test
+@@ -538,9 +538,11 @@ do_test printf-2.1.2.8 {
+ do_test printf-2.1.2.9 {
+   sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
+ } {abc: 1 1 (1e-20) :xyz}
+-do_test printf-2.1.2.10 {
+-  sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
+-} {abc: }
+if {$SQLITE_MAX_LENGTH<=[expr 1000*1000*1000]} {
+  do_test printf-2.1.2.10 {
+    sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
+  } {}
+}
+ do_test printf-2.1.3.1 {
+   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}
+@@ -3777,4 +3779,12 @@ foreach ::iRepeat {0 1} {
+   }
+ }
+ 
+# 2020-05-23
+# ticket 23439ea582241138
+#
+do_execsql_test printf-16.1 {
+  SELECT printf('%.*g',2147483647,0.01);
+} {0.01}
+
+
+ finish_test
+-- 
+2.24.1
+
--- a/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-13631.patch
@ -3,9 +3,9 @@ Subject: [PATCH] Do not allow a virtual table to be renamed into the name of

 ---
 src/alter.c     |  5 ++++-
- src/build.c     | 28 ++++++++++++++++++++++------
+ src/build.c     | 29 +++++++++++++++++++++++------
 src/sqliteInt.h |  5 +++++
- 3 files changed, 31 insertions(+), 7 deletions(-)
+ 3 files changed, 32 insertions(+), 7 deletions(-)

 diff --git a/src/alter.c b/src/alter.c
 index 1280e90..0fa24c0 100644
@ -24,10 +24,10 @@ index 1280e90..0fa24c0 100644
         "there is already another table or index with this name: %s", zName);
     goto exit_rename_table;
 diff --git a/src/build.c b/src/build.c
-index e0fed8a..426428b 100644
+index e0fed8a..afe4171 100644
 --- a/src/build.c
 +++ b/src/build.c
-@@ -1899,6 +1899,27 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+@@ -1899,6 +1899,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
   recomputeColumnsNotIndexed(pPk);
 }
 
@ -39,12 +39,13 @@ index e0fed8a..426428b 100644
 +*/
 +int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
 +  int nName;                    /* Length of zName */
+  Module *pMod;                 /* Module for the virtual table */
 +
 +  if( !IsVirtual(pTab) ) return 0;
 +  nName = sqlite3Strlen30(pTab->zName);
 +  if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
 +  if( zName[nName]!='_' ) return 0;
-+  Module *pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
 +  if( pMod==0 ) return 0;
 +  if( pMod->pModule->iVersion<3 ) return 0;
 +  if( pMod->pModule->xShadowName==0 ) return 0;
@ -55,7 +56,7 @@ index e0fed8a..426428b 100644
 #ifndef SQLITE_OMIT_VIRTUALTABLE
 /*
 ** Return true if zName is a shadow table name in the current database
-@@ -1910,7 +1931,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+@@ -1910,7 +1932,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
 static int isShadowTableName(sqlite3 *db, char *zName){
   char *zTail;                  /* Pointer to the last "_" in zName */
   Table *pTab;                  /* Table that zName is a shadow of */
@ -63,7 +64,7 @@ index e0fed8a..426428b 100644
 
   zTail = strrchr(zName, '_');
   if( zTail==0 ) return 0;
-@@ -1919,11 +1939,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
+@@ -1919,11 +1940,7 @@ static int isShadowTableName(sqlite3 *db, char *zName){
   *zTail = '_';
   if( pTab==0 ) return 0;
   if( !IsVirtual(pTab) ) return 0;
--- a/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch
+++ b/SOURCES/sqlite-3.26.0-CVE-2020-15358.patch
@ -0,0 +1,88 @@
+Subject: [PATCH] Fix a defect in the query-flattener optimization
+
+---
+ src/select.c      |  8 ++++----
+ src/sqliteInt.h   |  1 +
+ test/selectA.test | 22 ++++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index 88a43df..a513d36 100644
+--- a/src/select.c
+++ b/src/select.c
+@@ -2686,9 +2686,7 @@ static int multiSelect(
+                           selectOpName(p->op)));
+         rc = sqlite3Select(pParse, p, &uniondest);
+         testcase( rc!=SQLITE_OK );
+-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
+-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
+-        sqlite3ExprListDelete(db, p->pOrderBy);
+        assert( p->pOrderBy==0 );
+         pDelete = p->pPrior;
+         p->pPrior = pPrior;
+         p->pOrderBy = 0;
+@@ -4010,7 +4008,7 @@ static int flattenSubquery(
+     ** We look at every expression in the outer query and every place we see
+     ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
+     */
+-    if( pSub->pOrderBy ){
+    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
+       /* At this point, any non-zero iOrderByCol values indicate that the
+       ** ORDER BY column expression is identical to the iOrderByCol'th
+       ** expression returned by SELECT statement pSub. Since these values
+@@ -5633,6 +5631,8 @@ int sqlite3Select(
+     sqlite3ExprListDelete(db, p->pOrderBy);
+     p->pOrderBy = 0;
+     p->selFlags &= ~SF_Distinct;
+    p->selFlags |= SF_NoopOrderBy;
+
+   }
+   sqlite3SelectPrep(pParse, p, 0);
+   if( pParse->nErr || db->mallocFailed ){
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 76337f7..60b2ebd 100644
+--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
+@@ -2874,6 +2874,7 @@ struct Select {
+ #define SF_Converted      0x10000  /* By convertCompoundSelectToSubquery() */
+ #define SF_IncludeHidden  0x20000  /* Include hidden columns in output */
+ #define SF_ComplexResult  0x40000  /* Result contains subquery or function */
+#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
+ 
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+diff --git a/test/selectA.test b/test/selectA.test
+index 838e5f4..2626008 100644
+--- a/test/selectA.test
+++ b/test/selectA.test
+@@ -1446,5 +1446,27 @@ do_execsql_test 6.1 {
+   SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
+ } {12345}
+ 
+# 2020-06-15 ticket 8f157e8010b22af0
+#
+reset_db
+do_execsql_test 7.1 {
+  CREATE TABLE t1(c1);     INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
+  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
+  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
+  CREATE VIEW t4 AS SELECT c3 FROM t3;
+  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
+}
+do_execsql_test 7.2 {
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
+} {123 123}
+do_execsql_test 7.3 {
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
+} {123 123}
+do_execsql_test 7.4 {
+  CREATE TABLE a(b);
+  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
+  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
+} {}
+
+ 
+ finish_test
+-- 
+2.24.1
+
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 11%{?dist}
+Release: 13%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@ -69,6 +69,12 @@ Patch23: sqlite-3.26.0-CVE-2020-13632.patch
 Patch24: sqlite-3.26.0-CVE-2020-13631.patch
 # Fix for CVE-2020-13630
 Patch25: sqlite-3.26.0-CVE-2020-13630.patch
+# Fix for CVE-2020-13434
+# upstream commit: https://www.sqlite.org/src/info/d08d3405878d394e
+Patch26: sqlite-3.26.0-CVE-2020-13434.patch
+# Fix for CVE-2020-15358
+# upstream commit: https://www.sqlite.org/src/info/10fa79d00f8091e5
+Patch27: sqlite-3.26.0-CVE-2020-15358.patch

 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@ -191,6 +197,9 @@ This package contains the analysis program for %{name}.
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
+%patch27 -p1
+

 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
@ -253,10 +262,6 @@ export MALLOC_CHECK_=3
 rm test/csv01.test
 %endif

-%ifarch s390x ppc64
-rm test/fts3conf.test
-%endif
-
 make test
 %endif # with check

@ -295,6 +300,13 @@ make test
 %endif

 %changelog
+* Tue Dec 01 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-13
+- enabled fts3conf.test on s390x and ppc64 architectures
+
+* Mon Aug 17 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-12
+- Fixed CVE-2020-13434 (#1845843)
+- Fixed CVE-2020-15358 (#1855208)
+
 * Fri Aug 07 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.26.0-11
 - Fixed bug in CVE-2019-20218 (#1791592)