packages/sqlite
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix cves

Browse Source
This commit is contained in:
eulerstorage 2020-03-10 17:39:01 +08:00
parent b0e8f6af75
commit 5909c3024d
3 changed files with 149 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
6055-Fix-CVE-2018-20505.patch Normal file
View File

@ -0,0 +1,41 @@
Index: src/wherecode.c
==================================================================
--- a/src/wherecode.c
+++ b/src/wherecode.c
@@ -424,11 +424,11 @@
Select *pSelect; /* Pointer to the SELECT on the RHS */
for(i=iEq; i<pLoop->nLTerm; i++){
if( pLoop->aLTerm[i]->pExpr==pX ){
int iField = pLoop->aLTerm[i]->iField - 1;
- assert( pOrigRhs->a[iField].pExpr!=0 );
+ if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
pOrigRhs->a[iField].pExpr = 0;
assert( pOrigLhs->a[iField].pExpr!=0 );
pLhs = sqlite3ExprListAppend(pParse, pLhs, pOrigLhs->a[iField].pExpr);
pOrigLhs->a[iField].pExpr = 0;
Index: test/rowvalue.test
==================================================================
--- a/test/rowvalue.test
+++ b/test/rowvalue.test
@@ -543,7 +543,18 @@
# 2018-02-18: Memory leak nexted row-value. Detected by OSSFuzz.
#
do_catchsql_test 20.1 {
SELECT 1 WHERE (2,(2,0)) IS (2,(2,0));
} {0 1}
+
+# 2018-11-03: Ticket https://www.sqlite.org/src/info/1a84668dcfdebaf1
+# Assertion fault when doing row-value operations on a primary key
+# containing duplicate columns.
+#
+do_execsql_test 21.0 {
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t1(a,b,PRIMARY KEY(b,b));
+ INSERT INTO t1 VALUES(1,2),(3,4),(5,6);
+ SELECT * FROM t1 WHERE (a,b) IN (VALUES(1,2));
+} {1 2}
finish_test

97
6056-Fix-CVE-2020-9327.patch Normal file
View File

@ -0,0 +1,97 @@
From 6db07ba0e6e7e7ea4a8c3de9734437a87c2fd8c0 Mon Sep 17 00:00:00 2001
From: guiyao <guiyao@huawei.com>
Date: Thu, 8 Apr 2021 14:19:51 -0400
Subject: [PATCH] fix CVE-2020-9327
Description: this patch is used to fix CVE-2020-9327, and it was rewritten base on
commit 78d1d225d87af40f5bdca57fa72f00b6ffaffa21 and bf48ce49f7c25e5d4524de9fdc5c0d505218d06d
to fit the current version.
---
src/expr.c | 15 +++++++++++----
src/sqliteInt.h | 3 +++
src/whereexpr.c | 9 ++++++---
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/expr.c b/src/expr.c
index 8fd8af9..73a8187 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -5055,18 +5055,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){
case TK_LT:
case TK_LE:
case TK_GT:
- case TK_GE:
+ case TK_GE: {
+ Expr *pLeft = pExpr->pLeft;
+ Expr *pRight = pExpr->pRight;
testcase( pExpr->op==TK_EQ );
testcase( pExpr->op==TK_NE );
testcase( pExpr->op==TK_LT );
testcase( pExpr->op==TK_LE );
testcase( pExpr->op==TK_GT );
testcase( pExpr->op==TK_GE );
- if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->pTab))
- || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->pTab))
+ /* The pTab=0 assignment in wherecode.c always happens after the
+ ** impliesNotNullRow() test */
+ if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->pTab!=0)
+ && IsVirtual(pLeft->pTab))
+ || (pRight->op==TK_COLUMN && ALWAYS(pRight->pTab!=0)
+ && IsVirtual(pRight->pTab))
){
- return WRC_Prune;
+ return WRC_Prune;
}
+ }
default:
return WRC_Continue;
}
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 91fde72..d79ab28 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -1955,8 +1955,11 @@ struct Table {
*/
#ifndef SQLITE_OMIT_VIRTUALTABLE
# define IsVirtual(X) ((X)->nModuleArg)
+# define ExprIsVtab(X) \
+ ((X)->op==TK_COLUMN && (X)->pTab!=0 && (X)->pTab->nModuleArg)
#else
# define IsVirtual(X) 0
+# define ExprIsVtab(X) 0
#endif
/*
diff --git a/src/whereexpr.c b/src/whereexpr.c
index 2975008..e61dfff 100644
--- a/src/whereexpr.c
+++ b/src/whereexpr.c
@@ -362,7 +362,8 @@ static int isAuxiliaryVtabOperator(
return 0;
}
pCol = pList->a[1].pExpr;
- if( pCol->op!=TK_COLUMN || !IsVirtual(pCol->pTab) ){
+ testcase( pCol->op==TK_COLUMN && pCol->pTab==0 );
+ if( !ExprIsVtab(pCol) ){
return 0;
}
for(i=0; i<ArraySize(aOp); i++){
@@ -377,10 +378,12 @@ static int isAuxiliaryVtabOperator(
int res = 0;
Expr *pLeft = pExpr->pLeft;
Expr *pRight = pExpr->pRight;
- if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->pTab) ){
+ testcase( pLeft->op==TK_COLUMN && pLeft->pTab==0 );
+ if( ExprIsVtab(pLeft) ){
res++;
}
- if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->pTab) ){
+ testcase( pRight && pRight->op==TK_COLUMN && pRight->pTab==0 );
+ if( pRight && ExprIsVtab(pRight) ){
res++;
SWAP(Expr*, pLeft, pRight);
}
--
1.8.3.1

12
sqlite.spec
View File

@ -6,7 +6,7 @@
Name: sqlite
Version: 3.24.0
Release: 8
Release: 9
Summary: Embeded SQL database
License: Public Domain
URL: http://www.sqlite.org/
@ -74,6 +74,8 @@ Patch6051: 6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-work
Patch6052: 6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch
Patch6053: 6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch
Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch
Patch6055: 6055-Fix-CVE-2018-20505.patch
Patch6056: 6056-Fix-CVE-2020-9327.patch
BuildRequires: gcc autoconf tcl tcl-devel
BuildRequires: ncurses-devel readline-devel glibc-devel
@ -174,6 +176,8 @@ This contains man files and HTML files for the using of sqlite.
%patch6052 -p1
%patch6053 -p1
%patch6054 -p1
%patch6055 -p1
%patch6056 -p1
rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@ -244,6 +248,12 @@ make test
%{_mandir}/man*/*
%changelog
* Tue Mar 10 2020 steven <steven_ygui@163.com> - 3.24.0-9
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:CVE-2018-20505, CVE-2020-9327 fixed
* Wed Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-8
- Type:enhancement
- ID:NA