8 files changed, 298 insertions, 1 deletions
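--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19244
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 0f690d4ae5ffe656762fdbb7f36cc4c2dcbb2d9d Mon Sep 17 00:00:00 2001
+From: dan <dan@noemail.net>
+Date: Fri, 22 Nov 2019 10:14:01 +0000
+Subject: [PATCH] Fix a crash that could occur if a sub-select that uses both
+DISTINCT and window functions also used an ORDER BY that is the same as its
+select list.
+
+Amalgamation version of the patch:
+FossilOrigin-Name: bcdd66c1691955c697f3d756c2b035acfe98f6aad72e90b0021bab6e9023b3ba
+---
+sqlite3.c | 5 +++--
+sqlite3.h | 2 +-
+2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 8fd740b..db1c649 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select(
+*/
+if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct
+&& sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0
++ && p->pWin==0
+){
+p->selFlags &= ~SF_Distinct;
+pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);
+--
+2.24.1
+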
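Review bot: The embedded diffstat (`sqlite3.c | 5 +++--`, `sqlite3.h | 2 +-`, 4 insertions, 3 deletions) does not match the single one-line hunk that follows, so a reader cannot tell which upstream hunks were dropped when the fix was adapted to the amalgamation. The same mismatch appears in CVE-2019-19923.patch, CVE-2019-19924.patch, CVE-2019-19925.patch, CVE-2019-19926.patch and CVE-2019-19959.patch. I would state the omission in each header, for example `Amalgamation version of the patch; hunks for <dropped files> omitted`, and point at the source with `Upstream-Status: Backport [<upstream check-in URL>]`, so the backport can be audited against its FossilOrigin-Name. sqlite3Select's body starts and ends outside the hunk.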
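--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2019-19923
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b64463719dc53bde98b0ce3930b10a32560c3a02 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Wed, 18 Dec 2019 20:51:58 +0000
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
+query is DISTINCT. Without this fix, if an index scan is run on the table
+within the view on the right-hand side of the LEFT JOIN, stale result
+registers might be accessed yielding incorrect results, and/or an
+OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
+NULL-pointer dereference. This problem was found by the Yongheng and Rui
+fuzzer.
+
+FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
+---
+sqlite3.c | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index d29da07..5bc06c8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -129216,6 +129216,7 @@ static void substSelect(
+** (3b) the FROM clause of the subquery may not contain a virtual
+** table and
+** (3c) the outer query may not be an aggregate.
++** (3d) the outer query may not be DISTINCT.
+**
+** (4) The subquery can not be DISTINCT.
+**
+@@ -129412,8 +129413,11 @@ static int flattenSubquery(
+*/
+if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
+isLeftJoin = 1;
+- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
+- /* (3a) (3c) (3b) */
++ if( pSubSrc->nSrc>1 /* (3a) */
++ || isAgg /* (3b) */
++ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */
++ || (p->selFlags & SF_Distinct)!=0 /* (3d) */
++ ){
+return 0;
+}
+}
+--
+2.24.1
+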
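Review bot: The inline rule labels in the rewritten condition in flattenSubquery() are swapped relative to the rule list this same patch extends. The list gives (3b) as the virtual-table restriction and (3c) as the aggregate restriction, and the removed line labelled the terms `/* (3a) (3c) (3b) */` in that order, but the new lines tag `isAgg` as (3b) and `IsVirtual(pSubSrc->a[0].pTab)` as (3c). The logic is unaffected, but anyone auditing the flattening restrictions against the comment block will be misled. If the backport may differ from upstream in comments, use `|| isAgg /* (3c) */` and `|| IsVirtual(pSubSrc->a[0].pTab) /* (3b) */`; otherwise mention the discrepancy in the patch header. flattenSubquery's body continues outside the hunk.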
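--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2019-19924
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 20:37:32 +0000
+Subject: [PATCH] When an error occurs while rewriting the parser tree for
+window functions in the sqlite3WindowRewrite() routine, make sure that
+pParse->nErr is set, and make sure that this shuts down any subsequent code
+generation that might depend on the transformations that were implemented.
+This fixes a problem discovered by the Yongheng and Rui fuzzer.
+
+Amalgamation format of backported patch
+FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
+---
+sqlite3.c | 16 +++++++++++-----
+sqlite3.h | 2 +-
+2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 408ec4c..857c28e 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
+*/
+static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
+assert( p->nOp>0 || p->aOp==0 );
+- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
++ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
++ || p->pParse->nErr>0 );
+if( p->nOp ){
+assert( p->aOp );
+sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
+@@ -97872,6 +97873,7 @@ static int codeCompare(
+int addr;
+CollSeq *p4;
+
++ if( pParse->nErr ) return 0;
+p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
+p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
+addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
+@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+
+pTab = sqlite3DbMallocZero(db, sizeof(Table));
+if( pTab==0 ){
+- return SQLITE_NOMEM;
++ return sqlite3ErrorToParser(db, SQLITE_NOMEM);
+}
+
+p->pSrc = 0;
+@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+sqlite3DbFree(db, pTab);
+}
+
++ if( rc && pParse->nErr==0 ){
++ assert( pParse->db->mallocFailed );
++ return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);
++ }
+return rc;
+}
+
+--
+2.24.1
+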
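Review bot: The new tail of sqlite3WindowRewrite() reports every non-zero `rc` that arrives without a parse error as SQLITE_NOMEM, and the only thing backing that assumption is `assert( pParse->db->mallocFailed )`, which does nothing in builds where assert() is compiled out. A short comment above the block would record the intent, e.g. `/* rc!=0 without a parse error is expected to mean OOM; set nErr so later code generation stops */`. The early `if( pParse->nErr ) return 0;` in codeCompare() would benefit from a similar comment, since the function otherwise appears to hand back the address from sqlite3VdbeAddOp4() and callers presumably must not treat this 0 as one. Both functions extend beyond their hunks.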
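--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19925
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From e92580434d2cdca228649d32f76167492de4f512 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 15:15:40 +0000
+Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the
+pathname of the file being inserted is a NULL. Bug discovered by the
+Yongheng and Rui fuzzer.
+
+FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
+---
+shell.c | 1 +
+sqlite3.c | 4 ++--
+sqlite3.h | 2 +-
+3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 053180c..404a8d4 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5827,6 +5827,7 @@ static int zipfileUpdate(
+
+if( rc==SQLITE_OK ){
+zPath = (const char*)sqlite3_value_text(apVal[2]);
++ if( zPath==0 ) zPath = "";
+nPath = (int)strlen(zPath);
+mTime = zipfileGetTime(apVal[4]);
+}
+--
+2.24.1
+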
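Review bot: Substituting `""` for a NULL path makes `nPath` zero on the next line, so any later access of the form `zPath[nPath-1]` in zipfileUpdate() would read one byte before the string. zipfileStep() indexes `zName[nName-1]` in exactly that way in CVE-2019-19959.patch. The rest of zipfileUpdate() is outside this hunk, so please confirm that the directory branch checks the length first, e.g. `if( nPath<=0 || zPath[nPath-1]!='/' ){`. As far as I know, sqlite3_value_text() can also return NULL on allocation failure, in which case this line turns an OOM into an empty name without setting `rc`.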
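--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-19926
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 4165b1e1e0001165ace9051a70f938099505eadc Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 22:08:19 +0000
+Subject: [PATCH] Continuation of [e2bddcd4c55ba3cb]: Add another spot where it
+is necessary to abort early due to prior errors in sqlite3WindowRewrite().
+
+FossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2
+---
+sqlite3.c | 7 ++++---
+sqlite3.h | 2 +-
+2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 857c28e..19a474d 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -128427,6 +128427,7 @@ static int multiSelect(
+}
+#endif
+}
++ if( pParse->nErr ) goto multi_select_end;
+
+/* Compute collating sequences used by
+** temporary tables needed to implement the compound select.
+--
+2.24.1
+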
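--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2019-19959
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From f83f7e8141ee7cbbf7f2dc8985279a7372b259b6 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Mon, 23 Dec 2019 21:04:33 +0000
+Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
+it is able to deal with goofy filenames that contain embedded zeros.
+
+FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
+---
+shell.c | 4 ++--
+sqlite3.c | 4 ++--
+sqlite3.h | 2 +-
+3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 404a8d4..48065e9 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5841,7 +5841,7 @@ static int zipfileUpdate(
+zFree = sqlite3_mprintf("%s/", zPath);
+if( zFree==0 ){ rc = SQLITE_NOMEM; }
+zPath = (const char*)zFree;
+- nPath++;
++ nPath = (int)strlen(zPath);
+}
+}
+
+@@ -6242,11 +6242,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
+}else{
+if( zName[nName-1]!='/' ){
+zName = zFree = sqlite3_mprintf("%s/", zName);
+- nName++;
+if( zName==0 ){
+rc = SQLITE_NOMEM;
+goto zipfile_step_out;
+}
++ nName = (int)strlen(zName);
+}else{
+while( nName>1 && zName[nName-2]=='/' ) nName--;
+}
+--
+2.24.1
+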
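Review bot: In the zipfileUpdate() hunk the new `nPath = (int)strlen(zPath);` runs even when `sqlite3_mprintf()` has failed. The line before it assigns `zPath = (const char*)zFree`, so on OOM `strlen()` is called on a NULL pointer, whereas the removed `nPath++` was harmless in that case. The zipfileStep() hunk gets this right by recomputing the length only after the `zName==0` check. Guard the first site the same way, e.g. `if( zFree==0 ){ rc = SQLITE_NOMEM; nPath = 0; }else{ nPath = (int)strlen(zFree); }`, and check whether a later upstream revision of the zipfile extension already carries an equivalent guard that should be backported with this patch. zipfileUpdate's body starts and ends outside the hunk.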
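--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-20218
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 6bbd76d34f29f61483791231f2ce579dcadab8a5 Mon Sep 17 00:00:00 2001
+From: Dan Kennedy <danielk1977@gmail.com>
+Date: Fri, 27 Dec 2019 20:54:42 +0000
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+following an error. This fixes a separate case to [de6e6d68].
+
+FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92
+---
+sqlite3.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 5bc06c8..408ec4c 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -130570,7 +130570,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+
+/* Process NATURAL keywords, and ON and USING clauses of joins.
+*/
+- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+return WRC_Abort;
+}
+
+--
+2.24.1
+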
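Review bot: The commit message describes this as a separate case from the one fixed by check-in [de6e6d68], but that check-in is not among the patches added here. Please confirm that [de6e6d68] is already in the 3.29.0 sources or backport it as well, and record the answer in the patch header, e.g. `Related upstream check-in [de6e6d68]: <present in 3.29.0 | backported as FILE>`. Otherwise only one of the two error paths that unwind the WITH stack would be closed. selectExpander's body continues outside the hunk.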
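--- a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -4,6 +4,14 @@ LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
 SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
-file://0001-Fix-CVE-2019-16168.patch"
+file://0001-Fix-CVE-2019-16168.patch \
+file://CVE-2019-19244.patch \
+file://CVE-2019-19923.patch \
+file://CVE-2019-19924.patch \
+file://CVE-2019-19925.patch \
+file://CVE-2019-19926.patch \
+file://CVE-2019-19959.patch \
+file://CVE-2019-20218.patch \
+"
 SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
 SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"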
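Review bot: The SRC_URI order does not match the order in which the sqlite3.c patches were generated. Their `index` lines chain as CVE-2019-19923 (`d29da07..5bc06c8`), then CVE-2019-20218 (`5bc06c8..408ec4c`), then CVE-2019-19924 (`408ec4c..857c28e`), then CVE-2019-19926 (`857c28e..19a474d`), yet CVE-2019-20218.patch is listed last. The hunks touch different regions, so they should still apply, but only with line offsets, and that makes a genuinely misplaced hunk harder to spot in the patch log. Listing `file://CVE-2019-20218.patch \` directly after `file://CVE-2019-19923.patch \` keeps the series in the order it was produced.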