authorRoss Burton <ross.burton@intel.com>2020-01-14 16:05:52 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-01-16 22:33:09 +0000
commit8dd90ff82e781821b6f4c2ce2c353936c8e042d2 (patch)
tree1d7bb1c04c36c2b51224d454086d9e734947734c /meta/recipes-support
parent4b45e7419fc772d89ae71e6bd944382ce4595b36 (diff)
sqlite: fix numerous CVEs
Fix the following CVEs: - CVE-2019-19244 - CVE-2019-19880 - CVE-2019-19923 - CVE-2019-19924 - CVE-2019-19925 - CVE-2019-19926 - CVE-2019-19959 - CVE-2019-20218 (From OE-Core rev: f3ebf3f8dd0b4d144db451a8fcb352762f7fbd75) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch33
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19880.patch33
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch50
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch65
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch33
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch31
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch46
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch31
-rw-r--r--meta/recipes-support/sqlite/sqlite3_3.30.1.bb14
9 files changed, 335 insertions, 1 deletions
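--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19244
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 0f690d4ae5ffe656762fdbb7f36cc4c2dcbb2d9d Mon Sep 17 00:00:00 2001
+From: dan <dan@noemail.net>
+Date: Fri, 22 Nov 2019 10:14:01 +0000
+Subject: [PATCH] Fix a crash that could occur if a sub-select that uses both
+ DISTINCT and window functions also used an ORDER BY that is the same as its
+ select list.
+
+Amalgamation version of the patch:
+FossilOrigin-Name: bcdd66c1691955c697f3d756c2b035acfe98f6aad72e90b0021bab6e9023b3ba
+---
+ sqlite3.c | 5 +++--
+ sqlite3.h | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 8fd740b..db1c649 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select(
+ */
+ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct
+ && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0
++ && p->pWin==0
+ ){
+ p->selFlags &= ~SF_Distinct;
+ pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);
+--
+2.24.1
+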
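Review bot: The diffstat embedded in this patch header (`sqlite3.c | 5 +++--`, `sqlite3.h | 2 +-`, 4 insertions and 3 deletions) does not describe the payload, which is a single added line `&& p->pWin==0` in sqlite3.c and no sqlite3.h hunk at all. The headers of the CVE-2019-19924, CVE-2019-19925, CVE-2019-19926 and CVE-2019-19959 patches show the same mismatch. Someone auditing the backport against the FossilOrigin-Name check-in will read that as dropped hunks, so the header should say the trimming is deliberate, for example `Only the functional sqlite3.c hunk is carried; the diffstat is left over from the original commit.` (presumably that is what happened; confirm before adding). sqlite3Select starts and ends outside the inner hunk.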
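--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19880.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19880
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 3622d20ad10dfac9586d4423547ed960cbc66fcf Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Wed, 18 Dec 2019 00:05:50 +0000
+Subject: [PATCH] When processing constant integer values in ORDER BY clauses
+ of window definitions (see check-in [7e4 ---
+
+---
+ sqlite3.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index db1c649..a83b3d2 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -147584,9 +147584,11 @@ static ExprList *exprListAppendList(
+ int nInit = pList ? pList->nExpr : 0;
+ for(i=0; i<pAppend->nExpr; i++){
+ Expr *pDup = sqlite3ExprDup(pParse->db, pAppend->a[i].pExpr, 0);
++ assert( pDup==0 || !ExprHasProperty(pDup, EP_MemToken) );
+ if( bIntToNull && pDup && pDup->op==TK_INTEGER ){
+ pDup->op = TK_NULL;
+ pDup->flags &= ~(EP_IntValue|EP_IsTrue|EP_IsFalse);
++ pDup->u.zToken = 0;
+ }
+ pList = sqlite3ExprListAppend(pParse, pList, pDup);
+ if( pList ) pList->a[nInit+i].sortFlags = pAppend->a[i].sortFlags;
+--
+2.24.1
+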
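Review bot: The header of this patch is cut off mid-sentence (`(see check-in [7e4 ---`) and, unlike the other seven patches in the commit, it has no `FossilOrigin-Name:` trailer, so the backport cannot be traced to an upstream check-in from the file itself. The full upstream subject should be restored and a line `FossilOrigin-Name: <upstream check-in hash>` added, so a later audit can confirm the two added lines match what upstream shipped. Note also that the new `assert( pDup==0 || !ExprHasProperty(pDup, EP_MemToken) )` only guards debug builds; in a release build `pDup->u.zToken = 0` runs unconditionally, which is fine only while that invariant holds. exprListAppendList starts and ends outside the inner hunk.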
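--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2019-19923
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b64463719dc53bde98b0ce3930b10a32560c3a02 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Wed, 18 Dec 2019 20:51:58 +0000
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+ check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
+ query is DISTINCT. Without this fix, if an index scan is run on the table
+ within the view on the right-hand side of the LEFT JOIN, stale result
+ registers might be accessed yielding incorrect results, and/or an
+ OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
+ NULL-pointer dereference. This problem was found by the Yongheng and Rui
+ fuzzer.
+
+FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
+---
+ sqlite3.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index d29da07..5bc06c8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -129216,6 +129216,7 @@ static void substSelect(
+ ** (3b) the FROM clause of the subquery may not contain a virtual
+ ** table and
+ ** (3c) the outer query may not be an aggregate.
++** (3d) the outer query may not be DISTINCT.
+ **
+ ** (4) The subquery can not be DISTINCT.
+ **
+@@ -129412,8 +129413,11 @@ static int flattenSubquery(
+ */
+ if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
+ isLeftJoin = 1;
+- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
+- /* (3a) (3c) (3b) */
++ if( pSubSrc->nSrc>1 /* (3a) */
++ || isAgg /* (3b) */
++ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */
++ || (p->selFlags & SF_Distinct)!=0 /* (3d) */
++ ){
+ return 0;
+ }
+ }
+--
+2.24.1
+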
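Review bot: The per-condition labels added in flattenSubquery do not match the rule list in the header comment that the first inner hunk edits. The comment defines (3b) as the virtual-table restriction and (3c) as the outer-aggregate restriction, and the removed line had them in the right order as `/* (3a) (3c) (3b) */`, but the new code tags `isAgg` as `/* (3b) */` and `IsVirtual(pSubSrc->a[0].pTab)` as `/* (3c) */`. The logic is unaffected; the labels should read `|| isAgg /* (3c) */` and `|| IsVirtual(pSubSrc->a[0].pTab) /* (3b) */`. Because this is a verbatim backport, it is probably better to note the discrepancy in the patch header than to diverge from the upstream text. Both functions start and end outside the inner hunks.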
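--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2019-19924
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 20:37:32 +0000
+Subject: [PATCH] When an error occurs while rewriting the parser tree for
+ window functions in the sqlite3WindowRewrite() routine, make sure that
+ pParse->nErr is set, and make sure that this shuts down any subsequent code
+ generation that might depend on the transformations that were implemented.
+ This fixes a problem discovered by the Yongheng and Rui fuzzer.
+
+Amalgamation format of backported patch
+FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
+---
+ sqlite3.c | 16 +++++++++++-----
+ sqlite3.h | 2 +-
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 408ec4c..857c28e 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
+ */
+ static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
+ assert( p->nOp>0 || p->aOp==0 );
+- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
++ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
++ || p->pParse->nErr>0 );
+ if( p->nOp ){
+ assert( p->aOp );
+ sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
+@@ -97872,6 +97873,7 @@ static int codeCompare(
+ int addr;
+ CollSeq *p4;
+
++ if( pParse->nErr ) return 0;
+ p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
+ p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
+ addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
+@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+
+ pTab = sqlite3DbMallocZero(db, sizeof(Table));
+ if( pTab==0 ){
+- return SQLITE_NOMEM;
++ return sqlite3ErrorToParser(db, SQLITE_NOMEM);
+ }
+
+ p->pSrc = 0;
+@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+ sqlite3DbFree(db, pTab);
+ }
+
++ if( rc && pParse->nErr==0 ){
++ assert( pParse->db->mallocFailed );
++ return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);
++ }
+ return rc;
+ }
+
+--
+2.24.1
+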
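--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19925
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From e92580434d2cdca228649d32f76167492de4f512 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 15:15:40 +0000
+Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the
+ pathname of the file being inserted is a NULL. Bug discovered by the
+ Yongheng and Rui fuzzer.
+
+FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
+---
+ shell.c | 1 +
+ sqlite3.c | 4 ++--
+ sqlite3.h | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 053180c..404a8d4 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5827,6 +5827,7 @@ static int zipfileUpdate(
+
+ if( rc==SQLITE_OK ){
+ zPath = (const char*)sqlite3_value_text(apVal[2]);
++ if( zPath==0 ) zPath = "";
+ nPath = (int)strlen(zPath);
+ mTime = zipfileGetTime(apVal[4]);
+ }
+--
+2.24.1
+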
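--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-19926
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 4165b1e1e0001165ace9051a70f938099505eadc Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 22:08:19 +0000
+Subject: [PATCH] Continuation of [e2bddcd4c55ba3cb]: Add another spot where it
+ is necessary to abort early due to prior errors in sqlite3WindowRewrite().
+
+FossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2
+---
+ sqlite3.c | 7 ++++---
+ sqlite3.h | 2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 857c28e..19a474d 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -128427,6 +128427,7 @@ static int multiSelect(
+ }
+ #endif
+ }
++ if( pParse->nErr ) goto multi_select_end;
+
+ /* Compute collating sequences used by
+ ** temporary tables needed to implement the compound select.
+--
+2.24.1
+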
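--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2019-19959
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From f83f7e8141ee7cbbf7f2dc8985279a7372b259b6 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Mon, 23 Dec 2019 21:04:33 +0000
+Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
+ it is able to deal with goofy filenames that contain embedded zeros.
+
+FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
+---
+ shell.c | 4 ++--
+ sqlite3.c | 4 ++--
+ sqlite3.h | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 404a8d4..48065e9 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5841,7 +5841,7 @@ static int zipfileUpdate(
+ zFree = sqlite3_mprintf("%s/", zPath);
+ if( zFree==0 ){ rc = SQLITE_NOMEM; }
+ zPath = (const char*)zFree;
+- nPath++;
++ nPath = (int)strlen(zPath);
+ }
+ }
+
+@@ -6242,11 +6242,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
+ }else{
+ if( zName[nName-1]!='/' ){
+ zName = zFree = sqlite3_mprintf("%s/", zName);
+- nName++;
+ if( zName==0 ){
+ rc = SQLITE_NOMEM;
+ goto zipfile_step_out;
+ }
++ nName = (int)strlen(zName);
+ }else{
+ while( nName>1 && zName[nName-2]=='/' ) nName--;
+ }
+--
+2.24.1
+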
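Review bot: In the zipfileUpdate hunk the new `nPath = (int)strlen(zPath);` runs even when `sqlite3_mprintf` has just failed, so on out-of-memory `zPath` has been set to the NULL `zFree` and `strlen` dereferences it. The old `nPath++` had no such dependency, and the zipfileStep hunk in the same patch gets it right by taking the length only after the `zName==0` check. The allocation-failure branch should skip the length computation, e.g. `if( zFree==0 ){ rc = SQLITE_NOMEM; nPath = 0; }else{ nPath = (int)strlen(zFree); }` placed next to the existing `zPath = (const char*)zFree;`. Since this is a backport, check whether upstream has a follow-up fix to carry as an additional patch rather than editing this one. Both functions start and end outside the inner hunks.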
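--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-20218
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 6bbd76d34f29f61483791231f2ce579dcadab8a5 Mon Sep 17 00:00:00 2001
+From: Dan Kennedy <danielk1977@gmail.com>
+Date: Fri, 27 Dec 2019 20:54:42 +0000
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error. This fixes a separate case to [de6e6d68].
+
+FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92
+---
+ sqlite3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 5bc06c8..408ec4c 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -130570,7 +130570,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+
+ /* Process NATURAL keywords, and ON and USING clauses of joins.
+ */
+- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+ return WRC_Abort;
+ }
+
+--
+2.24.1
+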
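--- a/meta/recipes-support/sqlite/sqlite3_3.30.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.30.1.bb
@@ -3,6 +3,18 @@ require sqlite3.inc
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
-SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz"
+SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+ file://CVE-2019-19244.patch \
+ file://CVE-2019-19880.patch \
+ file://CVE-2019-19923.patch \
+ file://CVE-2019-19924.patch \
+ file://CVE-2019-19925.patch \
+ file://CVE-2019-19926.patch \
+ file://CVE-2019-19959.patch \
+ file://CVE-2019-20218.patch \
+ "
 SRC_URI[md5sum] = "51252dc6bc9094ba11ab151ba650ff3c"
 SRC_URI[sha256sum] = "8c5a50db089bd2a1b08dbc5b00d2027602ca7ff238ba7658fabca454d4298e60"
+
+# -19242 is only an issue in specific development branch commits
+CVE_CHECK_WHITELIST += "CVE-2019-19242"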
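Review bot: The justification above `CVE_CHECK_WHITELIST` abbreviates the identifier to `-19242` and cites no source, which makes the suppression hard to find by search and hard to re-audit. I would write it as `# CVE-2019-19242 only affects specific development-branch commits, not the 3.30.1 release; see <upstream reference>`, with the reference filled in. Separately, the `SRC_URI` order does not follow the order in which the patches were generated. The `index` lines chain CVE-2019-19923 (`..5bc06c8`) to CVE-2019-20218 (`5bc06c8..408ec4c`) to CVE-2019-19924 (`408ec4c..857c28e`), yet CVE-2019-20218 is listed last. It is worth confirming that do_patch applies all eight without fuzz, so no hunk lands in the wrong place silently.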