From 1a057dcc739461ec34071167737207db650a5ca9 Mon Sep 17 00:00:00 2001 From: Steve Sakoman Date: Wed, 4 Nov 2020 06:52:47 -1000 Subject: sqlite3: fix CVE-2020-13631 CVE: CVE-2020-13631 Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13631 (From OE-Core rev: 582f253d6781a006841a436a49c3f7fdddc5bb7b) Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- .../sqlite/files/CVE-2020-13631.patch | 99 ++++++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-13631.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2020-13631.patch b/meta/recipes-support/sqlite/files/CVE-2020-13631.patch new file mode 100644 index 0000000000..0277c0cf22 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-13631.patch @@ -0,0 +1,99 @@ +From 3d863b5e4efb2305d64f87a2128289d1c3ce09b6 Mon Sep 17 00:00:00 2001 +From: drh +Date: Thu, 14 May 2020 21:16:52 +0000 +Subject: [PATCH] Do not allow a virtual table to be renamed into the name of + one of its shadows. + +FossilOrigin-Name: eca0ba2cf4c0fdf757bae19c6397a48245adb99e8017ddc28f01804072a30b2c + +Upstream-Status: Backport +CVE: CVE-2020-13631 + +Reference to upstream patch: +https://github.com/sqlite/sqlite/commit/3d863b5e4efb2305d64f87a2128289d1c3ce09b6 + +Patch converted to amalgamation format + +Signed-off-by: Steve Sakoman +--- + sqlite3.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index e72fabb..282e106 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -19948,8 +19948,10 @@ SQLITE_PRIVATE Module *sqlite3VtabCreateModule( + SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db); + #ifndef SQLITE_OMIT_VIRTUALTABLE + SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName); ++SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*); + #else + # define sqlite3ShadowTableName(A,B) 0 ++# define sqlite3IsShadowTableOf(A,B,C) 0 + #endif + SQLITE_PRIVATE int sqlite3VtabEponymousTableInit(Parse*,Module*); + SQLITE_PRIVATE void sqlite3VtabEponymousTableClear(sqlite3*,Module*); +@@ -104793,7 +104795,10 @@ SQLITE_PRIVATE void sqlite3AlterRenameTable( + /* Check that a table or index named 'zName' does not already exist + ** in database iDb. If so, this is an error. + */ +- if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){ ++ if( sqlite3FindTable(db, zName, zDb) ++ || sqlite3FindIndex(db, zName, zDb) ++ || sqlite3IsShadowTableOf(db, pTab, zName) ++ ){ + sqlite3ErrorMsg(pParse, + "there is already another table or index with this name: %s", zName); + goto exit_rename_table; +@@ -111303,6 +111308,28 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ + recomputeColumnsNotIndexed(pPk); + } + ++ ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++/* ++** Return true if pTab is a virtual table and zName is a shadow table name ++** for that virtual table. ++*/ ++SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){ ++ int nName; /* Length of zName */ ++ Module *pMod; /* Module for the virtual table */ ++ ++ if( !IsVirtual(pTab) ) return 0; ++ nName = sqlite3Strlen30(pTab->zName); ++ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0; ++ if( zName[nName]!='_' ) return 0; ++ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); ++ if( pMod==0 ) return 0; ++ if( pMod->pModule->iVersion<3 ) return 0; ++ if( pMod->pModule->xShadowName==0 ) return 0; ++ return pMod->pModule->xShadowName(zName+nName+1); ++} ++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ ++ + #ifndef SQLITE_OMIT_VIRTUALTABLE + /* + ** Return true if zName is a shadow table name in the current database +@@ -111314,8 +111341,6 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){ + SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){ + char *zTail; /* Pointer to the last "_" in zName */ + Table *pTab; /* Table that zName is a shadow of */ +- Module *pMod; /* Module for the virtual table */ +- + zTail = strrchr(zName, '_'); + if( zTail==0 ) return 0; + *zTail = 0; +@@ -111323,11 +111348,7 @@ SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){ + *zTail = '_'; + if( pTab==0 ) return 0; + if( !IsVirtual(pTab) ) return 0; +- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); +- if( pMod==0 ) return 0; +- if( pMod->pModule->iVersion<3 ) return 0; +- if( pMod->pModule->xShadowName==0 ) return 0; +- return pMod->pModule->xShadowName(zTail+1); ++ return sqlite3IsShadowTableOf(db, pTab, zName); + } + #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ + diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index ace9423e8d..5d45d1f1ab 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -11,6 +11,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-13434.patch \ file://CVE-2020-13435.patch \ file://CVE-2020-13630.patch \ + file://CVE-2020-13631.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" -- cgit v1.2.3-54-g00ecf