summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2019-05-30 14:10:11 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-27 18:05:18 +0100
commit015bfc5971120e3483572cb4eaf0cb7c15b64349 (patch)
treed629cfbbf4154e10d56346b0543ecc9fa4841ab4 /meta
parent14d23c29a2d6a9944233983d64109037077db49e (diff)
downloadpoky-015bfc5971120e3483572cb4eaf0cb7c15b64349.tar.gz
sqlite3: Security fixes for CVE-2018-20505 & 20506
Source: sqlite.org MR: 97484, 97490 Type: Security Fix Disposition: Backport from sqilte.org ChangeID: c6105b5d3ce4fb2c0f38c3cab745b769d2df38f5 Description: Affects < 3.26.0 fixes: CVE-2018-20505 CVE-2018-20506 (From OE-Core rev: e2f9efdc93068bce00b07021aa447f0b8786f69d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2018-20505.patch31
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2018-20506.patch103
-rw-r--r--meta/recipes-support/sqlite/sqlite3_3.23.1.bb2
3 files changed, 136 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20505.patch b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch
new file mode 100644
index 0000000000..d1119f3b31
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch
@@ -0,0 +1,31 @@
1From: D. Richard Hipp <drh@hwaci.com>
2Date: Sat, 3 Nov 2018 13:11:24 +0000 (+0000)
3Subject: Fix a assert() in the query planner that can arise when doing row-value
4X-Git-Tag: version-3.26.0~59
5X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/24298027a30cf7941f16a8cc878d0c1f9f14308f
6
7Fix a assert() in the query planner that can arise when doing row-value
8operations on a PRIMARY KEY that contains duplicate columns.
9Ticket [1a84668dcfdebaf12415d].
10
11https://sqlite.org/src/info/1a84668dcfdebaf12415d
12
13upstream-Status: Backport
14CVE: CVE-2018-20505
15affects <= 3.26.0
16
17Signed-off-by: Armin Kuster <akuster@mvista.com>
18
19Index: sqlite-autoconf-3230100/sqlite3.c
20===================================================================
21--- sqlite-autoconf-3230100.orig/sqlite3.c
22+++ sqlite-autoconf-3230100/sqlite3.c
23@@ -131231,7 +131231,7 @@ static Expr *removeUnindexableInClauseTe
24 for(i=iEq; i<pLoop->nLTerm; i++){
25 if( pLoop->aLTerm[i]->pExpr==pX ){
26 int iField = pLoop->aLTerm[i]->iField - 1;
27- assert( pOrigRhs->a[iField].pExpr!=0 );
28+ if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
29 pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
30 pOrigRhs->a[iField].pExpr = 0;
31 assert( pOrigLhs->a[iField].pExpr!=0 );
diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20506.patch b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch
new file mode 100644
index 0000000000..7919f9b5ee
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch
@@ -0,0 +1,103 @@
1From: Dan Kennedy <danielk1977@gmail.com>
2Date: Sat, 3 Nov 2018 16:51:30 +0000 (+0000)
3Subject: Add extra defenses against strategically corrupt databases to fts3/4.
4X-Git-Tag: version-3.26.0~58
5X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/19816852d4e82e115338b1997540c26a1b794d18
6
7Add extra defenses against strategically corrupt databases to fts3/4.
8
9https://sqlite.org/src/info/940f2adc8541a838
10
11Upstream-Status: Backport
12CVE: CVE-2018-20506
13Affects <= 3.26.0
14
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17Index: sqlite-autoconf-3230100/sqlite3.c
18===================================================================
19--- sqlite-autoconf-3230100.orig/sqlite3.c
20+++ sqlite-autoconf-3230100/sqlite3.c
21@@ -152368,7 +152368,7 @@ static int fts3ScanInteriorNode(
22 const char *zCsr = zNode; /* Cursor to iterate through node */
23 const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
24 char *zBuffer = 0; /* Buffer to load terms into */
25- int nAlloc = 0; /* Size of allocated buffer */
26+ i64 nAlloc = 0; /* Size of allocated buffer */
27 int isFirstTerm = 1; /* True when processing first term on page */
28 sqlite3_int64 iChild; /* Block id of child node to descend to */
29
30@@ -152406,14 +152406,14 @@ static int fts3ScanInteriorNode(
31 zCsr += fts3GetVarint32(zCsr, &nSuffix);
32
33 assert( nPrefix>=0 && nSuffix>=0 );
34- if( &zCsr[nSuffix]>zEnd ){
35+ if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
36 rc = FTS_CORRUPT_VTAB;
37 goto finish_scan;
38 }
39- if( nPrefix+nSuffix>nAlloc ){
40+ if( (i64)nPrefix+nSuffix>nAlloc ){
41 char *zNew;
42- nAlloc = (nPrefix+nSuffix) * 2;
43- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
44+ nAlloc = ((i64)nPrefix+nSuffix) * 2;
45+ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
46 if( !zNew ){
47 rc = SQLITE_NOMEM;
48 goto finish_scan;
49@@ -162012,15 +162012,19 @@ static int fts3SegReaderNext(
50 ** safe (no risk of overread) even if the node data is corrupted. */
51 pNext += fts3GetVarint32(pNext, &nPrefix);
52 pNext += fts3GetVarint32(pNext, &nSuffix);
53- if( nPrefix<0 || nSuffix<=0
54- || &pNext[nSuffix]>&pReader->aNode[pReader->nNode]
55+ if( nSuffix<=0
56+ || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
57+ || nPrefix>pReader->nTermAlloc
58 ){
59 return FTS_CORRUPT_VTAB;
60 }
61
62- if( nPrefix+nSuffix>pReader->nTermAlloc ){
63- int nNew = (nPrefix+nSuffix)*2;
64- char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
65+ /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
66+ ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
67+ ** overflow - hence the (i64) casts. */
68+ if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
69+ i64 nNew = ((i64)nPrefix+nSuffix)*2;
70+ char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
71 if( !zNew ){
72 return SQLITE_NOMEM;
73 }
74@@ -162042,7 +162046,7 @@ static int fts3SegReaderNext(
75 ** b-tree node. And that the final byte of the doclist is 0x00. If either
76 ** of these statements is untrue, then the data structure is corrupt.
77 */
78- if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode]
79+ if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
80 || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
81 ){
82 return FTS_CORRUPT_VTAB;
83@@ -164367,7 +164371,9 @@ static int nodeReaderNext(NodeReader *p)
84 p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix);
85 }
86 p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
87-
88+ if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
89+ return SQLITE_CORRUPT_VTAB;
90+ }
91 blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
92 if( rc==SQLITE_OK ){
93 memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
94@@ -164375,6 +164381,9 @@ static int nodeReaderNext(NodeReader *p)
95 p->iOff += nSuffix;
96 if( p->iChild==0 ){
97 p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
98+ if( (p->nNode-p->iOff)<p->nDoclist ){
99+ return SQLITE_CORRUPT_VTAB;
100+ }
101 p->aDoclist = &p->aNode[p->iOff];
102 p->iOff += p->nDoclist;
103 }
diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
index 3755761d76..d214ea1528 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
5 5
6SRC_URI = "\ 6SRC_URI = "\
7 http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \ 7 http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
8 file://CVE-2018-20505.patch \
9 file://CVE-2018-20506.patch \
8 " 10 "
9SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa" 11SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
10SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25" 12SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"