sqlite3: fix CVE-2020-13631

CVE: CVE-2020-13631 Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13631 (From OE-Core rev: 582f253d6781a006841a436a49c3f7fdddc5bb7b) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Steve Sakoman <steve@sakoman.com> 2020-11-04 06:52:47 -1000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-11-12 13:07:52 +0000
commit: 1a057dcc739461ec34071167737207db650a5ca9 (patch)
tree: c0889304e11a54142334cfefa524d715d9fc4b40
parent: 0d86d5850545acca2482a47aabc78e87ea2160ad (diff)
download: poky-1a057dcc739461ec34071167737207db650a5ca9.tar.gz
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-13631.patch b/meta/recipes-support/sqlite/files/CVE-2020-13631.patch
new file mode 100644
index 0000000000..0277c0cf22
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-13631.patch
@@ -0,0 +1,99 @@
+From 3d863b5e4efb2305d64f87a2128289d1c3ce09b6 Mon Sep 17 00:00:00 2001
+From: drh <drh@noemail.net>
+Date: Thu, 14 May 2020 21:16:52 +0000
+Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
+ one of its shadows.
+FossilOrigin-Name: eca0ba2cf4c0fdf757bae19c6397a48245adb99e8017ddc28f01804072a30b2c
+Upstream-Status: Backport
+CVE: CVE-2020-13631
+Reference to upstream patch:
+https://github.com/sqlite/sqlite/commit/3d863b5e4efb2305d64f87a2128289d1c3ce09b6
+Patch converted to amalgamation format
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ sqlite3.c | 39 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 9 deletions(-)
+diff --git a/sqlite3.c b/sqlite3.c
+index e72fabb..282e106 100644
+--- a/sqlite3.c
+++ b/sqlite3.c
+@@ -19948,8 +19948,10 @@ SQLITE_PRIVATE    Module *sqlite3VtabCreateModule(
+ SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db);
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ SQLITE_PRIVATE   int sqlite3ShadowTableName(sqlite3 *db, const char *zName);
+SQLITE_PRIVATE   int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*);
+ #else
+ # define sqlite3ShadowTableName(A,B) 0
+# define sqlite3IsShadowTableOf(A,B,C) 0
+ #endif
+ SQLITE_PRIVATE int sqlite3VtabEponymousTableInit(Parse*,Module*);
+ SQLITE_PRIVATE void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
+@@ -104793,7 +104795,10 @@ SQLITE_PRIVATE void sqlite3AlterRenameTable(
+   /* Check that a table or index named 'zName' does not already exist
+   ** in database iDb. If so, this is an error.
+   */
+-  if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
+  if( sqlite3FindTable(db, zName, zDb)
+   || sqlite3FindIndex(db, zName, zDb)
+   || sqlite3IsShadowTableOf(db, pTab, zName)
+  ){
+     sqlite3ErrorMsg(pParse, 
+         "there is already another table or index with this name: %s", zName);
+     goto exit_rename_table;
+@@ -111303,6 +111308,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+   recomputeColumnsNotIndexed(pPk);
+ }
+ 
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/*
+** Return true if pTab is a virtual table and zName is a shadow table name
+** for that virtual table.
+*/
+SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
+  int nName;                    /* Length of zName */
+  Module *pMod;                 /* Module for the virtual table */
+
+  if( !IsVirtual(pTab) ) return 0;
+  nName = sqlite3Strlen30(pTab->zName);
+  if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
+  if( zName[nName]!='_' ) return 0;
+  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+  if( pMod==0 ) return 0;
+  if( pMod->pModule->iVersion<3 ) return 0;
+  if( pMod->pModule->xShadowName==0 ) return 0;
+  return pMod->pModule->xShadowName(zName+nName+1);
+}
+#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
+
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ /*
+ ** Return true if zName is a shadow table name in the current database
+@@ -111314,8 +111341,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
+ SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
+   char *zTail;                  /* Pointer to the last "_" in zName */
+   Table *pTab;                  /* Table that zName is a shadow of */
+-  Module *pMod;                 /* Module for the virtual table */
+-
+   zTail = strrchr(zName, '_');
+   if( zTail==0 ) return 0;
+   *zTail = 0;
+@@ -111323,11 +111348,7 @@ SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
+   *zTail = '_';
+   if( pTab==0 ) return 0;
+   if( !IsVirtual(pTab) ) return 0;
+-  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+-  if( pMod==0 ) return 0;
+-  if( pMod->pModule->iVersion<3 ) return 0;
+-  if( pMod->pModule->xShadowName==0 ) return 0;
+-  return pMod->pModule->xShadowName(zTail+1);
+  return sqlite3IsShadowTableOf(db, pTab, zName);
+ }
+ #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
+ 
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index ace9423e8d..5d45d1f1ab 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
           file://CVE-2020-13434.patch \
           file://CVE-2020-13435.patch \
           file://CVE-2020-13630.patch \
+           file://CVE-2020-13631.patch \
           "
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
author	Steve Sakoman <steve@sakoman.com>	2020-11-04 06:52:47 -1000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-11-12 13:07:52 +0000
commit	1a057dcc739461ec34071167737207db650a5ca9 (patch)
tree	c0889304e11a54142334cfefa524d715d9fc4b40
parent	0d86d5850545acca2482a47aabc78e87ea2160ad (diff)
download	poky-1a057dcc739461ec34071167737207db650a5ca9.tar.gz

diff --git a/meta/recipes-support/sqlite/files/CVE-2020-13631.patch b/meta/recipes-support/sqlite/files/CVE-2020-13631.patch new file mode 100644 index 0000000000..0277c0cf22 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-13631.patch
@@ -0,0 +1,99 @@
		1	From 3d863b5e4efb2305d64f87a2128289d1c3ce09b6 Mon Sep 17 00:00:00 2001
		2	From: drh <drh@noemail.net>
		3	Date: Thu, 14 May 2020 21:16:52 +0000
		4	Subject: [PATCH] Do not allow a virtual table to be renamed into the name of
		5	one of its shadows.
		6
		7	FossilOrigin-Name: eca0ba2cf4c0fdf757bae19c6397a48245adb99e8017ddc28f01804072a30b2c
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2020-13631
		11
		12	Reference to upstream patch:
		13	https://github.com/sqlite/sqlite/commit/3d863b5e4efb2305d64f87a2128289d1c3ce09b6
		14
		15	Patch converted to amalgamation format
		16
		17	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		18	---
		19	sqlite3.c \| 39 ++++++++++++++++++++++++++++++---------
		20	1 file changed, 30 insertions(+), 9 deletions(-)
		21
		22	diff --git a/sqlite3.c b/sqlite3.c
		23	index e72fabb..282e106 100644
		24	--- a/sqlite3.c
		25	+++ b/sqlite3.c
		26	@@ -19948,8 +19948,10 @@ SQLITE_PRIVATE Module *sqlite3VtabCreateModule(
		27	SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db);
		28	#ifndef SQLITE_OMIT_VIRTUALTABLE
		29	SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 db, const char zName);
		30	+SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3,Table,const char*);
		31	#else
		32	# define sqlite3ShadowTableName(A,B) 0
		33	+# define sqlite3IsShadowTableOf(A,B,C) 0
		34	#endif
		35	SQLITE_PRIVATE int sqlite3VtabEponymousTableInit(Parse,Module);
		36	SQLITE_PRIVATE void sqlite3VtabEponymousTableClear(sqlite3,Module);
		37	@@ -104793,7 +104795,10 @@ SQLITE_PRIVATE void sqlite3AlterRenameTable(
		38	/* Check that a table or index named 'zName' does not already exist
		39	** in database iDb. If so, this is an error.
		40	*/
		41	- if( sqlite3FindTable(db, zName, zDb) \|\| sqlite3FindIndex(db, zName, zDb) ){
		42	+ if( sqlite3FindTable(db, zName, zDb)
		43	+ \|\| sqlite3FindIndex(db, zName, zDb)
		44	+ \|\| sqlite3IsShadowTableOf(db, pTab, zName)
		45	+ ){
		46	sqlite3ErrorMsg(pParse,
		47	"there is already another table or index with this name: %s", zName);
		48	goto exit_rename_table;
		49	@@ -111303,6 +111308,28 @@ static void convertToWithoutRowidTable(Parse pParse, Table pTab){
		50	recomputeColumnsNotIndexed(pPk);
		51	}
		52
		53	+
		54	+#ifndef SQLITE_OMIT_VIRTUALTABLE
		55	+/*
		56	+** Return true if pTab is a virtual table and zName is a shadow table name
		57	+** for that virtual table.
		58	+*/
		59	+SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3 db, Table pTab, const char *zName){
		60	+ int nName; /* Length of zName */
		61	+ Module pMod; / Module for the virtual table */
		62	+
		63	+ if( !IsVirtual(pTab) ) return 0;
		64	+ nName = sqlite3Strlen30(pTab->zName);
		65	+ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
		66	+ if( zName[nName]!='_' ) return 0;
		67	+ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
		68	+ if( pMod==0 ) return 0;
		69	+ if( pMod->pModule->iVersion<3 ) return 0;
		70	+ if( pMod->pModule->xShadowName==0 ) return 0;
		71	+ return pMod->pModule->xShadowName(zName+nName+1);
		72	+}
		73	+#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
		74	+
		75	#ifndef SQLITE_OMIT_VIRTUALTABLE
		76	/*
		77	** Return true if zName is a shadow table name in the current database
		78	@@ -111314,8 +111341,6 @@ static void convertToWithoutRowidTable(Parse pParse, Table pTab){
		79	SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 db, const char zName){
		80	char zTail; / Pointer to the last "_" in zName */
		81	Table pTab; / Table that zName is a shadow of */
		82	- Module pMod; / Module for the virtual table */
		83	-
		84	zTail = strrchr(zName, '_');
		85	if( zTail==0 ) return 0;
		86	*zTail = 0;
		87	@@ -111323,11 +111348,7 @@ SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 db, const char zName){
		88	*zTail = '_';
		89	if( pTab==0 ) return 0;
		90	if( !IsVirtual(pTab) ) return 0;
		91	- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
		92	- if( pMod==0 ) return 0;
		93	- if( pMod->pModule->iVersion<3 ) return 0;
		94	- if( pMod->pModule->xShadowName==0 ) return 0;
		95	- return pMod->pModule->xShadowName(zTail+1);
		96	+ return sqlite3IsShadowTableOf(db, pTab, zName);
		97	}
		98	#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
		99


diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index ace9423e8d..5d45d1f1ab 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
11	file://CVE-2020-13434.patch \	11	file://CVE-2020-13434.patch \
12	file://CVE-2020-13435.patch \	12	file://CVE-2020-13435.patch \
13	file://CVE-2020-13630.patch \	13	file://CVE-2020-13630.patch \
		14	file://CVE-2020-13631.patch \
14	"	15	"
15	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"	16	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
16	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"	17	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"