sqlite3: Security fix for CVE-2020-15358

Source: sqlite.org MR: 104526 Type: Security Fix Disposition: Backport from https://www.sqlite.org/src/vinfo/10fa79d00f8091e5?diff=1 ChangeID: a1c012b8c8aecd4970f3ae16686bf25f2376f542 Description: Affects sqlite < 3.32.3 Fixes CVE CVE-2020-15358 (From OE-Core rev: 8eb5fad746b716cba350c6cd6a30766534a90a28) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2020-06-30 11:30:42 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-07 23:15:10 +0100
commit: 2a6fa8877d06119115b5d4d08b14f050c8a09ac2 (patch)
tree: 1d99201b14eae309d9b44fe1873a96a6de6214c0 /meta/recipes-support
parent: 9bb6919310a6ce812691dd555ce59e2c81ac557a (diff)
download: poky-2a6fa8877d06119115b5d4d08b14f050c8a09ac2.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-15358.patch b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch
new file mode 100644
index 0000000000..086f6ef913
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch
@@ -0,0 +1,47 @@
+Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0]. 
+Upstream-Status: Backport
+https://www.sqlite.org/src/info/10fa79d00f8091e5
+CVE: CVE-2020-15358
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
+++ sqlite-autoconf-3310100/sqlite3.c
+@@ -18349,6 +18349,7 @@ struct Select {
+ #define SF_WhereBegin    0x0080000 /* Really a WhereBegin() call.  Debug Only */
+ #define SF_WinRewrite    0x0100000 /* Window function rewrite accomplished */
+ #define SF_View          0x0200000 /* SELECT statement is a view */
+#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
+ 
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+@@ -130607,9 +130608,7 @@ static int multiSelect(
+                           selectOpName(p->op)));
+         rc = sqlite3Select(pParse, p, &uniondest);
+         testcase( rc!=SQLITE_OK );
+-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
+-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
+-        sqlite3ExprListDelete(db, p->pOrderBy);
+        assert( p->pOrderBy==0 );
+         pDelete = p->pPrior;
+         p->pPrior = pPrior;
+         p->pOrderBy = 0;
+@@ -131958,7 +131957,7 @@ static int flattenSubquery(
+     ** We look at every expression in the outer query and every place we see
+     ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
+     */
+-    if( pSub->pOrderBy ){
+    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
+       /* At this point, any non-zero iOrderByCol values indicate that the
+       ** ORDER BY column expression is identical to the iOrderByCol'th
+       ** expression returned by SELECT statement pSub. Since these values
+@@ -133659,6 +133658,7 @@ SQLITE_PRIVATE int sqlite3Select(
+     sqlite3ExprListDelete(db, p->pOrderBy);
+     p->pOrderBy = 0;
+     p->selFlags &= ~SF_Distinct;
+    p->selFlags |= SF_NoopOrderBy;
+   }
+   sqlite3SelectPrep(pParse, p, 0);
+   if( pParse->nErr || db->mallocFailed ){
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index 57a791385c..e5071b48bb 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -7,6 +7,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
           file://CVE-2020-9327.patch \
           file://CVE-2020-11656.patch \
           file://CVE-2020-11655.patch \
+           file://CVE-2020-15358.patch \
           "
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
author	Armin Kuster <akuster@mvista.com>	2020-06-30 11:30:42 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-07 23:15:10 +0100
commit	2a6fa8877d06119115b5d4d08b14f050c8a09ac2 (patch)
tree	1d99201b14eae309d9b44fe1873a96a6de6214c0 /meta/recipes-support
parent	9bb6919310a6ce812691dd555ce59e2c81ac557a (diff)
download	poky-2a6fa8877d06119115b5d4d08b14f050c8a09ac2.tar.gz

diff --git a/meta/recipes-support/sqlite/files/CVE-2020-15358.patch b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch new file mode 100644 index 0000000000..086f6ef913 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch
@@ -0,0 +1,47 @@
		1	Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0].
		2
		3	Upstream-Status: Backport
		4	https://www.sqlite.org/src/info/10fa79d00f8091e5
		5	CVE: CVE-2020-15358
		6	Signed-off-by: Armin Kuster <akuster@mvista.com>
		7
		8	Index: sqlite-autoconf-3310100/sqlite3.c
		9	===================================================================
		10	--- sqlite-autoconf-3310100.orig/sqlite3.c
		11	+++ sqlite-autoconf-3310100/sqlite3.c
		12	@@ -18349,6 +18349,7 @@ struct Select {
		13	#define SF_WhereBegin 0x0080000 /* Really a WhereBegin() call. Debug Only */
		14	#define SF_WinRewrite 0x0100000 /* Window function rewrite accomplished */
		15	#define SF_View 0x0200000 /* SELECT statement is a view */
		16	+#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */
		17
		18	/*
		19	** The results of a SELECT can be distributed in several ways, as defined
		20	@@ -130607,9 +130608,7 @@ static int multiSelect(
		21	selectOpName(p->op)));
		22	rc = sqlite3Select(pParse, p, &uniondest);
		23	testcase( rc!=SQLITE_OK );
		24	- /* Query flattening in sqlite3Select() might refill p->pOrderBy.
		25	- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
		26	- sqlite3ExprListDelete(db, p->pOrderBy);
		27	+ assert( p->pOrderBy==0 );
		28	pDelete = p->pPrior;
		29	p->pPrior = pPrior;
		30	p->pOrderBy = 0;
		31	@@ -131958,7 +131957,7 @@ static int flattenSubquery(
		32	** We look at every expression in the outer query and every place we see
		33	** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
		34	*/
		35	- if( pSub->pOrderBy ){
		36	+ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
		37	/* At this point, any non-zero iOrderByCol values indicate that the
		38	** ORDER BY column expression is identical to the iOrderByCol'th
		39	** expression returned by SELECT statement pSub. Since these values
		40	@@ -133659,6 +133658,7 @@ SQLITE_PRIVATE int sqlite3Select(
		41	sqlite3ExprListDelete(db, p->pOrderBy);
		42	p->pOrderBy = 0;
		43	p->selFlags &= ~SF_Distinct;
		44	+ p->selFlags \|= SF_NoopOrderBy;
		45	}
		46	sqlite3SelectPrep(pParse, p, 0);
		47	if( pParse->nErr \|\| db->mallocFailed ){


diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 57a791385c..e5071b48bb 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -7,6 +7,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
7	file://CVE-2020-9327.patch \	7	file://CVE-2020-9327.patch \
8	file://CVE-2020-11656.patch \	8	file://CVE-2020-11656.patch \
9	file://CVE-2020-11655.patch \	9	file://CVE-2020-11655.patch \
		10	file://CVE-2020-15358.patch \
10	"	11	"
11	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"	12	SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
12	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"	13	SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"