sqlite3: Backport fix for CVE-2023-7104

Backport https://sqlite.org/src/info/0e4e7a05c4204b47 (From OE-Core rev: 2a418c0a55d0d4e9a70a41c9a7cfea97ec0edee9) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-01-19 07:55:24 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-01-31 03:51:10 -1000
commit: 9bf63ee197c34508abe9817730b542e66a4037a0 (patch)
tree: 94a64969d8a9850f7f87fe74b98c4beab5eea59d
parent: 3adc98348b16d8cde41e2dbe05a614039b82e7e7 (diff)
download: poky-9bf63ee197c34508abe9817730b542e66a4037a0.tar.gz
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
new file mode 100644
index 0000000000..01ff29ff5e
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,46 @@
+From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2023-7104
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sqlite3.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+diff --git a/sqlite3.c b/sqlite3.c
+index 972ef18..c645ac8 100644
+--- a/sqlite3.c
+++ b/sqlite3.c
+@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
+         }
+       }
+       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-        sqlite3_int64 v = sessionGetI64(aVal);
+-        if( eType==SQLITE_INTEGER ){
+-          sqlite3VdbeMemSetInt64(apOut[i], v);
+       if( (pIn->nData-pIn->iNext)<8 ){
+         rc = SQLITE_CORRUPT_BKPT;
+         }else{
+-          double d;
+-          memcpy(&d, &v, 8);
+-          sqlite3VdbeMemSetDouble(apOut[i], d);
+         sqlite3_int64 v = sessionGetI64(aVal);
+         if( eType==SQLITE_INTEGER ){
+           sqlite3VdbeMemSetInt64(apOut[i], v);
+         }else{
+           double d;
+           memcpy(&d, &v, 8);
+           sqlite3VdbeMemSetDouble(apOut[i], d);
+         }
+         pIn->iNext += 8;
+         }
+-        pIn->iNext += 8;
+       }
+     }
+   }
+-- 
+2.25.1
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index ef12ef0db2..0e7bcfa5a7 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
           file://CVE-2020-35525.patch \
           file://CVE-2020-35527.patch \
           file://CVE-2021-20223.patch \
+           file://CVE-2023-7104.patch \
           "
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-01-19 07:55:24 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-01-31 03:51:10 -1000
commit	9bf63ee197c34508abe9817730b542e66a4037a0 (patch)
tree	94a64969d8a9850f7f87fe74b98c4beab5eea59d
parent	3adc98348b16d8cde41e2dbe05a614039b82e7e7 (diff)
download	poky-9bf63ee197c34508abe9817730b542e66a4037a0.tar.gz

diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch new file mode 100644 index 0000000000..01ff29ff5e --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,46 @@
		1	From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
		2	From: dan <Dan Kennedy>
		3	Date: Thu, 7 Sep 2023 13:53:09 +0000
		4	Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.
		5
		6	Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
		7	CVE: CVE-2023-7104
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	sqlite3.c \| 18 +++++++++++-------
		11	1 file changed, 11 insertions(+), 7 deletions(-)
		12
		13	diff --git a/sqlite3.c b/sqlite3.c
		14	index 972ef18..c645ac8 100644
		15	--- a/sqlite3.c
		16	+++ b/sqlite3.c
		17	@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
		18	}
		19	}
		20	if( eType==SQLITE_INTEGER \|\| eType==SQLITE_FLOAT ){
		21	- sqlite3_int64 v = sessionGetI64(aVal);
		22	- if( eType==SQLITE_INTEGER ){
		23	- sqlite3VdbeMemSetInt64(apOut[i], v);
		24	+ if( (pIn->nData-pIn->iNext)<8 ){
		25	+ rc = SQLITE_CORRUPT_BKPT;
		26	}else{
		27	- double d;
		28	- memcpy(&d, &v, 8);
		29	- sqlite3VdbeMemSetDouble(apOut[i], d);
		30	+ sqlite3_int64 v = sessionGetI64(aVal);
		31	+ if( eType==SQLITE_INTEGER ){
		32	+ sqlite3VdbeMemSetInt64(apOut[i], v);
		33	+ }else{
		34	+ double d;
		35	+ memcpy(&d, &v, 8);
		36	+ sqlite3VdbeMemSetDouble(apOut[i], d);
		37	+ }
		38	+ pIn->iNext += 8;
		39	}
		40	- pIn->iNext += 8;
		41	}
		42	}
		43	}
		44	--
		45	2.25.1
		46


diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index ef12ef0db2..0e7bcfa5a7 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
17	file://CVE-2020-35525.patch \	17	file://CVE-2020-35525.patch \
18	file://CVE-2020-35527.patch \	18	file://CVE-2020-35527.patch \
19	file://CVE-2021-20223.patch \	19	file://CVE-2021-20223.patch \
		20	file://CVE-2023-7104.patch \
20	"	21	"
21	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"	22	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
22	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"	23	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"