From 2a6fa8877d06119115b5d4d08b14f050c8a09ac2 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Tue, 30 Jun 2020 11:30:42 -0700 Subject: sqlite3: Security fix for CVE-2020-15358 Source: sqlite.org MR: 104526 Type: Security Fix Disposition: Backport from https://www.sqlite.org/src/vinfo/10fa79d00f8091e5?diff=1 ChangeID: a1c012b8c8aecd4970f3ae16686bf25f2376f542 Description: Affects sqlite < 3.32.3 Fixes CVE CVE-2020-15358 (From OE-Core rev: 8eb5fad746b716cba350c6cd6a30766534a90a28) Signed-off-by: Armin Kuster Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- .../sqlite/files/CVE-2020-15358.patch | 47 ++++++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-15358.patch (limited to 'meta/recipes-support') diff --git a/meta/recipes-support/sqlite/files/CVE-2020-15358.patch b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch new file mode 100644 index 0000000000..086f6ef913 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch @@ -0,0 +1,47 @@ +Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0]. + +Upstream-Status: Backport +https://www.sqlite.org/src/info/10fa79d00f8091e5 +CVE: CVE-2020-15358 +Signed-off-by: Armin Kuster + +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -18349,6 +18349,7 @@ struct Select { + #define SF_WhereBegin 0x0080000 /* Really a WhereBegin() call. Debug Only */ + #define SF_WinRewrite 0x0100000 /* Window function rewrite accomplished */ + #define SF_View 0x0200000 /* SELECT statement is a view */ ++#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */ + + /* + ** The results of a SELECT can be distributed in several ways, as defined +@@ -130607,9 +130608,7 @@ static int multiSelect( + selectOpName(p->op))); + rc = sqlite3Select(pParse, p, &uniondest); + testcase( rc!=SQLITE_OK ); +- /* Query flattening in sqlite3Select() might refill p->pOrderBy. +- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */ +- sqlite3ExprListDelete(db, p->pOrderBy); ++ assert( p->pOrderBy==0 ); + pDelete = p->pPrior; + p->pPrior = pPrior; + p->pOrderBy = 0; +@@ -131958,7 +131957,7 @@ static int flattenSubquery( + ** We look at every expression in the outer query and every place we see + ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10". + */ +- if( pSub->pOrderBy ){ ++ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){ + /* At this point, any non-zero iOrderByCol values indicate that the + ** ORDER BY column expression is identical to the iOrderByCol'th + ** expression returned by SELECT statement pSub. Since these values +@@ -133659,6 +133658,7 @@ SQLITE_PRIVATE int sqlite3Select( + sqlite3ExprListDelete(db, p->pOrderBy); + p->pOrderBy = 0; + p->selFlags &= ~SF_Distinct; ++ p->selFlags |= SF_NoopOrderBy; + } + sqlite3SelectPrep(pParse, p, 0); + if( pParse->nErr || db->mallocFailed ){ diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 57a791385c..e5071b48bb 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -7,6 +7,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-9327.patch \ file://CVE-2020-11656.patch \ file://CVE-2020-11655.patch \ + file://CVE-2020-15358.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" -- cgit v1.2.3-54-g00ecf