1

6058-Fix-CVE-2020-13434.patch

@@ -0,0 +1,65 @@
+From 4f0a1ae44243b92d7e20ff1b263f39ef8e183b50 Mon Sep 17 00:00:00 2001
+From: Peibao Liu <peibao.liu@windriver.com>
+Date: Fri, 29 May 2020 01:34:28 -0400
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.
+
+port from:
+https://www.sqlite.org/src/info/d08d3405878d394e
+
+1. The printf() func was introduced in sqlite v3.8(6db7052eeefafdbf)
+and in the current version this func is still not introduced, which
+caused the test case printf-16.1 could not execute. So remove the test
+case part of the upstream patch.
+2. The modification of sqlite3VXPrintf() in this patch could cause the
+printf-2.1.2.10 test case failure as this test case has already modified
+in e7144ffd21294d7a commit. Just modify this test case to latest but do
+not port the relevant patch.
+
+Signed-off-by: Peibao Liu <peibao.liu@windriver.com>
+---
+ src/printf.c     | 12 ++++++++++++
+ test/printf.test | 2  +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff -Naur a/src/printf.c b/src/printf.c
+--- a/src/printf.c	2020-06-23 03:01:16.783000000 +0000
++++ b/src/printf.c	2020-06-23 03:51:18.644000000 +0000
+@@ -166,6 +166,13 @@
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE  /* Size of the output buffer */
+ 
+ /*
++ * ** Hard limit on the precision of floating-point conversions.
++ * */
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
++/*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+ void sqlite3_str_vappendf(
+@@ -471,6 +478,11 @@
+         length = 0;
+ #else
+         if( precision<0 ) precision = 6;         /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++        if( precision>SQLITE_FP_PRECISION_LIMIT ){
++          precision = SQLITE_FP_PRECISION_LIMIT;
++        }
++#endif
+         if( realvalue<0.0 ){
+           realvalue = -realvalue;
+           prefix = '-';
+diff -Naur a/test/printf.test b/test/printf.test
+--- a/test/printf.test	2020-06-23 03:01:16.963000000 +0000
++++ b/test/printf.test	2020-06-23 03:52:25.410000000 +0000
+@@ -540,7 +540,7 @@
+ } {abc: 1 1 (1e-20) :xyz}
+ do_test printf-2.1.2.10 {
+   sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
+-} {abc: }
++} {}
+ do_test printf-2.1.3.1 {
+   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
+ } {abc: (1.0) :xyz}

6059-Fix-CVE-2020-13435.patch

@@ -0,0 +1,41 @@
+From 6412131325fb2266c3faf0faea93c1d5a4e479a9 Mon Sep 17 00:00:00 2001
+From: Peibao Liu <peibao.liu@windriver.com>
+Date: Fri, 29 May 2020 02:04:15 -0400
+Subject: [PATCH] Defensive code that tries to prevent a recurrence of
+ problems.
+
+port from:
+https://www.sqlite.org/src/info/572105de1d44bca4
+
+Signed-off-by: Peibao Liu <peibao.liu@windriver.com>
+---
+ src/expr.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff -Naur c/src/expr.c d/src/expr.c
+--- c/src/expr.c	2020-06-23 03:05:10.871000000 +0000
++++ d/src/expr.c	2020-06-23 03:15:14.426000000 +0000
+@@ -3542,7 +3542,10 @@
+   switch( op ){
+     case TK_AGG_COLUMN: {
+       AggInfo *pAggInfo = pExpr->pAggInfo;
+-      struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
++      struct AggInfo_col *pCol;
++      assert( pAggInfo!=0 );
++      assert( pExpr->iAgg>=0 && pExpr->iAgg<pAggInfo->nColumn );
++      pCol = &pAggInfo->aCol[pExpr->iAgg];
+       if( !pAggInfo->directMode ){
+         assert( pCol->iMem>0 );
+         return pCol->iMem;
+@@ -3761,7 +3764,10 @@
+     }
+     case TK_AGG_FUNCTION: {
+       AggInfo *pInfo = pExpr->pAggInfo;
+-      if( pInfo==0 ){
++      if( pInfo==0
++       || NEVER(pExpr->iAgg<0)
++       || NEVER(pExpr->iAgg>=pInfo->nFunc)
++      ){
+         assert( !ExprHasProperty(pExpr, EP_IntValue) );
+         sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
+       }else{

6060-Fix-CVE-2020-13630.patch

@@ -0,0 +1,25 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang <yanglongkang@huawei.com>
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13630
+
+Fix a use-after-free bug in the fts3 snippet() function.
+https://sqlite.org/src/info/0d69f76f0865f962
+
+Signed-off-by: dan <dan@noemail.net>
+Signed-off-by: yanglongkang <yanglongkang@huawei.com>
+---
+ ext/fts3/fts3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur e/ext/fts3/fts3.c f/ext/fts3/fts3.c
+--- e/ext/fts3/fts3.c	2020-06-23 03:05:29.962000000 +0000
++++ f/ext/fts3/fts3.c	2020-06-23 03:25:15.587000000 +0000
+@@ -5192,6 +5192,7 @@
+                 fts3EvalNextRow(pCsr, pLeft, pRc);
+               }
+             }
++	    pRight->bEof = pLeft->bEof = 1;
+           }
+         }
+         break;

6061-Fix-CVE-2020-13632.patch

@@ -0,0 +1,26 @@
+From 3528b0de3aa5fefc4cb91599c920e2c9d6c2ffc3 Mon Sep 17 00:00:00 2001
+From: yanglongkang <yanglongkang@huawei.com>
+Date: Thu, 11 Jun 2020 19:21:35 +0000
+Subject: [PATCH] sqlite: fix CVE-2020-13632
+
+Fix a null pointer deference that can occur on a strange matchinfo() query.
+https://sqlite.org/src/info/a4dd148928ea65bd
+
+Signed-off-by: drh <drh@noemail.net>
+Signed-off-by: yanglongkang <yanglongkang@huawei.com>
+---
+ ext/fts3/fts3_snippet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -Naur 1/ext/fts3/fts3_snippet.c 2/ext/fts3/fts3_snippet.c
+--- 1/ext/fts3/fts3_snippet.c	2020-06-23 03:05:55.432000000 +0000
++++ 2/ext/fts3/fts3_snippet.c	2020-06-23 03:32:44.272000000 +0000
+@@ -869,7 +869,7 @@
+     iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+   }
+ 
+-  while( 1 ){
++  if( pIter ) while( 1 ){
+     int nHit = fts3ColumnlistCount(&pIter);
+     if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+       if( p->flag==FTS3_MATCHINFO_LHITS ){

sqlite.spec

@@ -6,7 +6,7 @@
 
 Name:    sqlite
 Version: 3.24.0
-Release: 10
+Release: 11
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@@ -77,6 +77,10 @@ Patch6054: 6054-Fix-the-zipfile-function-in-the-zipfile-extension-so.patch
 Patch6055: 6055-Fix-CVE-2018-20505.patch
 Patch6056: 6056-Fix-CVE-2020-9327.patch
 Patch6057: 6057-Fix-CVE-2020-11655.patch
+Patch6058: 6058-Fix-CVE-2020-13434.patch
+Patch6059: 6059-Fix-CVE-2020-13435.patch
+Patch6060: 6060-Fix-CVE-2020-13630.patch
+Patch6061: 6061-Fix-CVE-2020-13632.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -180,6 +184,10 @@ This contains man files and HTML files for the using of sqlite.
 %patch6055 -p1
 %patch6056 -p1
 %patch6057 -p1
+%patch6058 -p1
+%patch6059 -p1
+%patch6060 -p1
+%patch6061 -p1
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
@@ -250,6 +258,12 @@ make test
 %{_mandir}/man*/*
 
 %changelog
+* Tue Jun 23 2020 yanglongkang <yanglongkang@huawei.com> - 3.24.0-11
+- Type:cves
+- ID:CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13632
+- SUG:NA
+- DESC:fix CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13632
+
 * Sun Apr 19 2020 ethan848 <mingfangsen@huawei.com>
 - Type:enhancement
 - ID:NA