sqlite: backport CVE fixes

Fixes CVE-2020-11655 and CVE-2020-11656 (From OE-Core rev: e63a38ca6ea95c0dbc79d5024c0cec31062d2e39) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2020-04-30 11:42:16 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-05-14 16:45:42 +0100
commit: e328ec317ed2a09a4304f7325ea1bf2fec826f47 (patch)
tree: 555b65faf7b43eed702722dd46a3eba831144be1 /meta/recipes-support
parent: 16d76aa6360e96b3bbeb84d5a98078d88d6a6edf (diff)
download: poky-e328ec317ed2a09a4304f7325ea1bf2fec826f47.tar.gz
3 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-11655.patch b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
new file mode 100644
index 0000000000..e30c482bbb
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
@@ -0,0 +1,32 @@
+From a4601326d61bf1a11151ac6b78b50804bfd03b4d Mon Sep 17 00:00:00 2001
+From: Sakib Sajal <sakib.sajal@windriver.com>
+Date: Thu, 30 Apr 2020 10:46:16 -0700
+Subject: [PATCH 2/2] In the event of a semantic error in an aggregate query,
+ early-out the resetAccumulator() function to prevent problems due to
+ incomplete or incorrect initialization of the AggInfo object. Fix for ticket
+ [af4556bb5c285c08].
+FossilOrigin-Name: 4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441
+Upstream Status: Backport [c415d91007e1680e4eb17def583b202c3c83c718]
+CVE: CVE-2020-11655
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ sqlite3.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/sqlite3.c b/sqlite3.c
+index 1df6633..726adf7 100644
+--- a/sqlite3.c
+++ b/sqlite3.c
+@@ -133242,6 +133242,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
+   struct AggInfo_func *pFunc;
+   int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
+   if( nReg==0 ) return;
+  if( pParse->nErr ) return;
+ #ifdef SQLITE_DEBUG
+   /* Verify that all AggInfo registers are within the range specified by
+   ** AggInfo.mnReg..AggInfo.mxReg */
+-- 
+2.17.1
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-11656.patch b/meta/recipes-support/sqlite/files/CVE-2020-11656.patch
new file mode 100644
index 0000000000..b88a724e8c
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-11656.patch
@@ -0,0 +1,70 @@
+From 2d69a520d027eb73eb6da9f2653d23e33b10e8bb Mon Sep 17 00:00:00 2001
+From: Sakib Sajal <sakib.sajal@windriver.com>
+Date: Thu, 30 Apr 2020 10:14:36 -0700
+Subject: [PATCH 1/2] Fix a case when a pointer might be used after
+ being freed in  the ALTER TABLE code. Fix for [4722bdab08cb1].
+FossilOrigin-Name: d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
+Upstream Status: Backport [fb99e388ec7f30fe43e4878236e3695ff24ae58d]
+[PATCH 2/2] Do not suppress errors when resolving references in an ORDER
+ BY clause belonging to a compound SELECT within a view or trigger within
+ ALTER TABLE. Fix for ticket [a10a14e9b4ba2].
+FossilOrigin-Name: 684293882c302600e112cf52553c19d84fdb31663d96e5dd7f8ac17dda00a026
+Upstream Status: Backport [4db7ab53f9c30e2e22731ace93ab6b18eef6c4ae]
+The two patches were converted to amalgamation format.
+CVE: CVE-2020-11656
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ sqlite3.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+diff --git a/sqlite3.c b/sqlite3.c
+index 64fae04..1df6633 100644
+--- a/sqlite3.c
+++ b/sqlite3.c
+@@ -97945,7 +97945,7 @@ static int resolveOrderByTermToExprList(
+   nc.nErr = 0;
+   db = pParse->db;
+   savedSuppErr = db->suppressErr;
+-  db->suppressErr = 1;
+  if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;
+   rc = sqlite3ResolveExprNames(&nc, pE);
+   db->suppressErr = savedSuppErr;
+   if( rc ) return 0;
+@@ -105383,6 +105383,21 @@ static void renameWalkWith(Walker *pWalker, Select *pSelect){
+   }
+ }
+ 
+/*
+** Unmap all tokens in the IdList object passed as the second argument.
+*/
+static void unmapColumnIdlistNames(
+  Parse *pParse,
+  IdList *pIdList
+){
+  if( pIdList ){
+    int ii;
+    for(ii=0; ii<pIdList->nId; ii++){
+      sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
+    }
+  }
+}
+
+ /*
+ ** Walker callback used by sqlite3RenameExprUnmap().
+ */
+@@ -105404,6 +105419,7 @@ static int renameUnmapSelectCb(Walker *pWalker, Select *p){
+     for(i=0; i<pSrc->nSrc; i++){
+       sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
+       if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
+      unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
+     }
+   }
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index de564e2698..57a791385c 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
           file://CVE-2020-9327.patch \
+           file://CVE-2020-11656.patch \
+           file://CVE-2020-11655.patch \
           "
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
author	Sakib Sajal <sakib.sajal@windriver.com>	2020-04-30 11:42:16 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-05-14 16:45:42 +0100
commit	e328ec317ed2a09a4304f7325ea1bf2fec826f47 (patch)
tree	555b65faf7b43eed702722dd46a3eba831144be1 /meta/recipes-support
parent	16d76aa6360e96b3bbeb84d5a98078d88d6a6edf (diff)
download	poky-e328ec317ed2a09a4304f7325ea1bf2fec826f47.tar.gz

diff --git a/meta/recipes-support/sqlite/files/CVE-2020-11655.patch b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch new file mode 100644 index 0000000000..e30c482bbb --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
@@ -0,0 +1,32 @@
		1	From a4601326d61bf1a11151ac6b78b50804bfd03b4d Mon Sep 17 00:00:00 2001
		2	From: Sakib Sajal <sakib.sajal@windriver.com>
		3	Date: Thu, 30 Apr 2020 10:46:16 -0700
		4	Subject: [PATCH 2/2] In the event of a semantic error in an aggregate query,
		5	early-out the resetAccumulator() function to prevent problems due to
		6	incomplete or incorrect initialization of the AggInfo object. Fix for ticket
		7	[af4556bb5c285c08].
		8
		9	FossilOrigin-Name: 4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441
		10	Upstream Status: Backport [c415d91007e1680e4eb17def583b202c3c83c718]
		11
		12	CVE: CVE-2020-11655
		13	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		14	---
		15	sqlite3.c \| 1 +
		16	1 file changed, 1 insertion(+)
		17
		18	diff --git a/sqlite3.c b/sqlite3.c
		19	index 1df6633..726adf7 100644
		20	--- a/sqlite3.c
		21	+++ b/sqlite3.c
		22	@@ -133242,6 +133242,7 @@ static void resetAccumulator(Parse pParse, AggInfo pAggInfo){
		23	struct AggInfo_func *pFunc;
		24	int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
		25	if( nReg==0 ) return;
		26	+ if( pParse->nErr ) return;
		27	#ifdef SQLITE_DEBUG
		28	/* Verify that all AggInfo registers are within the range specified by
		29	** AggInfo.mnReg..AggInfo.mxReg */
		30	--
		31	2.17.1
		32


diff --git a/meta/recipes-support/sqlite/files/CVE-2020-11656.patch b/meta/recipes-support/sqlite/files/CVE-2020-11656.patch new file mode 100644 index 0000000000..b88a724e8c --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-11656.patch
@@ -0,0 +1,70 @@
		1	From 2d69a520d027eb73eb6da9f2653d23e33b10e8bb Mon Sep 17 00:00:00 2001
		2	From: Sakib Sajal <sakib.sajal@windriver.com>
		3	Date: Thu, 30 Apr 2020 10:14:36 -0700
		4	Subject: [PATCH 1/2] Fix a case when a pointer might be used after
		5	being freed in the ALTER TABLE code. Fix for [4722bdab08cb1].
		6
		7	FossilOrigin-Name: d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
		8	Upstream Status: Backport [fb99e388ec7f30fe43e4878236e3695ff24ae58d]
		9
		10	[PATCH 2/2] Do not suppress errors when resolving references in an ORDER
		11	BY clause belonging to a compound SELECT within a view or trigger within
		12	ALTER TABLE. Fix for ticket [a10a14e9b4ba2].
		13
		14	FossilOrigin-Name: 684293882c302600e112cf52553c19d84fdb31663d96e5dd7f8ac17dda00a026
		15	Upstream Status: Backport [4db7ab53f9c30e2e22731ace93ab6b18eef6c4ae]
		16
		17	The two patches were converted to amalgamation format.
		18
		19	CVE: CVE-2020-11656
		20	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		21	---
		22	sqlite3.c \| 18 +++++++++++++++++-
		23	1 file changed, 17 insertions(+), 1 deletion(-)
		24
		25	diff --git a/sqlite3.c b/sqlite3.c
		26	index 64fae04..1df6633 100644
		27	--- a/sqlite3.c
		28	+++ b/sqlite3.c
		29	@@ -97945,7 +97945,7 @@ static int resolveOrderByTermToExprList(
		30	nc.nErr = 0;
		31	db = pParse->db;
		32	savedSuppErr = db->suppressErr;
		33	- db->suppressErr = 1;
		34	+ if( IN_RENAME_OBJECT==0 ) db->suppressErr = 1;
		35	rc = sqlite3ResolveExprNames(&nc, pE);
		36	db->suppressErr = savedSuppErr;
		37	if( rc ) return 0;
		38	@@ -105383,6 +105383,21 @@ static void renameWalkWith(Walker pWalker, Select pSelect){
		39	}
		40	}
		41
		42	+/*
		43	+** Unmap all tokens in the IdList object passed as the second argument.
		44	+*/
		45	+static void unmapColumnIdlistNames(
		46	+ Parse *pParse,
		47	+ IdList *pIdList
		48	+){
		49	+ if( pIdList ){
		50	+ int ii;
		51	+ for(ii=0; ii<pIdList->nId; ii++){
		52	+ sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
		53	+ }
		54	+ }
		55	+}
		56	+
		57	/*
		58	** Walker callback used by sqlite3RenameExprUnmap().
		59	*/
		60	@@ -105404,6 +105419,7 @@ static int renameUnmapSelectCb(Walker pWalker, Select p){
		61	for(i=0; i<pSrc->nSrc; i++){
		62	sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
		63	if( sqlite3WalkExpr(pWalker, pSrc->a[i].pOn) ) return WRC_Abort;
		64	+ unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
		65	}
		66	}
		67
		68	--
		69	2.17.1
		70


diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index de564e2698..57a791385c 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
5		5
6	SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \	6	SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
7	file://CVE-2020-9327.patch \	7	file://CVE-2020-9327.patch \
		8	file://CVE-2020-11656.patch \
		9	file://CVE-2020-11655.patch \
8	"	10	"
9	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"	11	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
10	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"	12	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"