Merge pull request !11 from hy/mywork
openeuler-ci-bot 2020-01-12 17:22:27 +08:00 committed by Gitee
commit e70227c888
15 changed files with 321 additions and 332 deletions


@ -1,21 +0,0 @@
diff -up sqlite-3.6.23/tool/lemon.c.system-template sqlite-3.6.23/tool/lemon.c
--- sqlite-3.6.23/tool/lemon.c.system-template 2010-03-10 16:40:35.000000000 +0200
+++ sqlite-3.6.23/tool/lemon.c 2010-03-10 16:40:39.000000000 +0200
@@ -3363,6 +3363,8 @@ PRIVATE FILE *tplt_open(struct lemon *le
tpltname = buf;
}else if( access(templatename,004)==0 ){
tpltname = templatename;
+ }else if( access("/usr/share/lemon/lempar.c", R_OK)==0){
+ tpltname = "/usr/share/lemon/lempar.c";
}else{
tpltname = pathsearch(lemp->argv0,templatename,0);
}
@@ -3374,7 +3376,7 @@ PRIVATE FILE *tplt_open(struct lemon *le
}
in = fopen(tpltname,"rb");
if( in==0 ){
- fprintf(stderr,"Can't open the template file \"%s\".\n",templatename);
+ fprintf(stderr,"Can't open the template file \"%s\".\n",tpltname);
lemp->errorcnt++;
return 0;
}


@ -1,37 +0,0 @@
--- sqlite-src-3240000/test/oserror.test.old 2018-06-05 08:40:35.656122573 +0200
+++ sqlite-src-3240000/test/oserror.test 2018-06-05 08:40:45.614935197 +0200
@@ -51,20 +51,20 @@
# a call to getcwd() may fail if there are no free file descriptors. So
# an error may be reported for either open() or getcwd() here.
#
-if {![clang_sanitize_address]} {
- do_test 1.1.1 {
- set ::log [list]
- list [catch {
- for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
- } msg] $msg
- } {1 {unable to open database file}}
- do_test 1.1.2 {
- catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } }
- } {1}
- do_re_test 1.1.3 {
- lindex $::log 0
- } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
-}
+#if {![clang_sanitize_address]} {
+# do_test 1.1.1 {
+# set ::log [list]
+# list [catch {
+# for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
+# } msg] $msg
+# } {1 {unable to open database file}}
+# do_test 1.1.2 {
+# catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } }
+# } {1}
+# do_re_test 1.1.3 {
+# lindex $::log 0
+# } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
+#}
# Test a failure in open() due to the path being a directory.


@ -0,0 +1,52 @@
From defded46ea50037500590122d847ba6a7cb96110 Mon Sep 17 00:00:00 2001
From: eulerstorage <eulerstoragemt@huawei.com>
Date: Sat, 11 Jan 2020 11:33:54 +0800
Subject: [PATCH] remove fail testcase in no free fd situation
Remove testcase 1.1.1, 1.1.2 and 1.1.3, since it can not success in
some situation if there is no enough fd resource.
---
test/oserror.test | 27 ---------------------------
1 file changed, 27 deletions(-)
diff --git a/test/oserror.test b/test/oserror.test
index 271163a..d46218f 100644
--- a/test/oserror.test
+++ b/test/oserror.test
@@ -40,33 +40,6 @@ proc do_re_test {tn script expression} {
}
-#--------------------------------------------------------------------------
-# Tests oserror-1.* test failures in the open() system call.
-#
-
-# Test a failure in open() due to too many files.
-#
-# The xOpen() method of the unix VFS calls getcwd() as well as open().
-# Although this does not appear to be documented in the man page, on OSX
-# a call to getcwd() may fail if there are no free file descriptors. So
-# an error may be reported for either open() or getcwd() here.
-#
-if {![clang_sanitize_address]} {
- do_test 1.1.1 {
- set ::log [list]
- list [catch {
- for {set i 0} {$i < 20000} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
- } msg] $msg
- } {1 {unable to open database file}}
- do_test 1.1.2 {
- catch { for {set i 0} {$i < 20000} {incr i} { dbh_$i close } }
- } {1}
- do_re_test 1.1.3 {
- lindex $::log 0
- } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
-}
-
-
# Test a failure in open() due to the path being a directory.
#
do_test 1.2.1 {
--
1.8.3.1
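Review bot: The deleted range also removes the section banner `# Tests oserror-1.* test failures in the open() system call.`, although `do_test 1.2.1` and the rest of the oserror-1.* group stay in the file, so the remaining tests lose their heading. Keep the three banner lines and delete only the "too many files" comment and the `if {![clang_sanitize_address]} { ... }` block. Removing 1.1.1 to 1.1.3 outright also drops the only visible check that a failed open() is reported as `unable to open database file` and logged. If the failure is specific to build hosts with a very high descriptor limit (not stated in the description), a guard that skips the block there would keep the coverage elsewhere.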


@ -1,15 +0,0 @@
# On i686 arch the removed test fails with result 2749999.50004681 instead of expected
# 2749999.5. This patch is temporary workaround and should be dropped as soon as a valid
# fix is found.
diff -up sqlite-src-3080002/test/percentile.test.broken sqlite-src-3080002/test/percentile.test
--- sqlite-src-3080002/test/percentile.test.broken 2013-09-16 13:19:53.406004041 +0200
+++ sqlite-src-3080002/test/percentile.test 2013-09-16 13:20:00.079024945 +0200
@@ -195,7 +195,6 @@ ifcapable vtab {
foreach {in out} {
0 0.0
100 9999990.0
- 50 2749999.5
10 99999.9
} {
do_test percentile-2.1.$in {


@ -1,137 +0,0 @@
This patch disables a test which caused failed assertion in tcl 8.6.3.
According to sqlite upstream[1], this should be fixed in tcl 8.6.5.
[1] http://mailinglists.sqlite.org/cgi-bin/mailman/private/sqlite-users/2015-May/059518.html
diff -up sqlite-src-3130000/test/shell1.test.orig sqlite-src-3130000/test/shell1.test
--- sqlite-src-3140100/test/shell1.test.orig 2016-08-12 02:17:02.000000000 +0200
+++ sqlite-src-3140100/test/shell1.test 2016-08-15 15:00:59.869664051 +0200
@@ -855,67 +855,67 @@ do_test shell1-4.6 {
# Test using arbitrary byte data with the shell via standard input/output.
#
-do_test shell1-5.0 {
- #
- # NOTE: Skip NUL byte because it appears to be incompatible with command
- # shell argument parsing.
- #
- for {set i 1} {$i < 256} {incr i} {
- #
- # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats
- # command channels opened for it as textual ones), the carriage
- # return character (and on Windows, the end-of-file character)
- # cannot be used here.
- #
- if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} {
- continue
- }
- if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue
- if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue
- set hex [format %02X $i]
- set char [subst \\x$hex]; set oldChar $char
- set escapes [list]
- if {$tcl_platform(platform)=="windows"} {
- #
- # NOTE: On Windows, we need to escape all the whitespace characters,
- # the alarm (\a) character, and those with special meaning to
- # the SQLite shell itself.
- #
- set escapes [list \
- \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \
- " " "\" \"" \" \\\" ' \"'\" \\ \\\\]
- } else {
- #
- # NOTE: On Unix, we need to escape most of the whitespace characters
- # and those with special meaning to the SQLite shell itself.
- # The alarm (\a), backspace (\b), and carriage-return (\r)
- # characters do not appear to require escaping on Unix. For
- # the alarm and backspace characters, this is probably due to
- # differences in the command shell. For the carriage-return,
- # it is probably due to differences in how Tcl handles command
- # channel end-of-line translations.
- #
- set escapes [list \
- \t \\t \n \\n \v \\v \f \\f \
- " " "\" \"" \" \\\" ' \"'\" \\ \\\\]
- }
- set char [string map $escapes $char]
- set x [catchcmdex test.db ".print $char\n"]
- set code [lindex $x 0]
- set res [lindex $x 1]
- if {$code ne "0"} {
- error "failed with error: $res"
- }
- if {$res ne "$oldChar\n"} {
- if {[llength $res] > 0} {
- set got [format %02X [scan $res %c]]
- } else {
- set got <empty>
- }
- error "failed with byte $hex mismatch, got $got"
- }
- }
-} {}
+#do_test shell1-5.0 {
+# #
+# # NOTE: Skip NUL byte because it appears to be incompatible with command
+# # shell argument parsing.
+# #
+# for {set i 1} {$i < 256} {incr i} {
+# #
+# # NOTE: Due to how the Tcl [exec] command works (i.e. where it treats
+# # command channels opened for it as textual ones), the carriage
+# # return character (and on Windows, the end-of-file character)
+# # cannot be used here.
+# #
+# if {$i==0x0D || ($tcl_platform(platform)=="windows" && $i==0x1A)} {
+# continue
+# }
+# if {$i>=0xE0 && $tcl_platform(os)=="OpenBSD"} continue
+# if {$i>=0xE0 && $i<=0xEF && $tcl_platform(os)=="Linux"} continue
+# set hex [format %02X $i]
+# set char [subst \\x$hex]; set oldChar $char
+# set escapes [list]
+# if {$tcl_platform(platform)=="windows"} {
+# #
+# # NOTE: On Windows, we need to escape all the whitespace characters,
+# # the alarm (\a) character, and those with special meaning to
+# # the SQLite shell itself.
+# #
+# set escapes [list \
+# \a \\a \b \\b \t \\t \n \\n \v \\v \f \\f \r \\r \
+# " " "\" \"" \" \\\" ' \"'\" \\ \\\\]
+# } else {
+# #
+# # NOTE: On Unix, we need to escape most of the whitespace characters
+# # and those with special meaning to the SQLite shell itself.
+# # The alarm (\a), backspace (\b), and carriage-return (\r)
+# # characters do not appear to require escaping on Unix. For
+# # the alarm and backspace characters, this is probably due to
+# # differences in the command shell. For the carriage-return,
+# # it is probably due to differences in how Tcl handles command
+# # channel end-of-line translations.
+# #
+# set escapes [list \
+# \t \\t \n \\n \v \\v \f \\f \
+# " " "\" \"" \" \\\" ' \"'\" \\ \\\\]
+# }
+# set char [string map $escapes $char]
+# set x [catchcmdex test.db ".print $char\n"]
+# set code [lindex $x 0]
+# set res [lindex $x 1]
+# if {$code ne "0"} {
+# error "failed with error: $res"
+# }
+# if {$res ne "$oldChar\n"} {
+# if {[llength $res] > 0} {
+# set got [format %02X [scan $res %c]]
+# } else {
+# set got <empty>
+# }
+# error "failed with byte $hex mismatch, got $got"
+# }
+# }
+#} {}
# These test cases do not work on MinGW
if 0 {


@ -1,14 +0,0 @@
--- sqlite-src-3160100/test/date.test.orig 2017-01-04 14:48:46.113737093 +0100
+++ sqlite-src-3160100/test/date.test 2017-01-04 14:49:11.144833563 +0100
@@ -76,11 +76,6 @@ datetest 2.1c datetime(0,'unixepochx') N
datetest 2.1d datetime('2003-10-22','unixepoch') NULL
datetest 2.2 datetime(946684800,'unixepoch') {2000-01-01 00:00:00}
datetest 2.2b datetime('946684800','unixepoch') {2000-01-01 00:00:00}
-for {set i 0} {$i<1000} {incr i} {
- set sql [format {strftime('%%H:%%M:%%f',1237962480.%03d,'unixepoch')} $i]
- set res [format {06:28:00.%03d} $i]
- datetest 2.2c-$i $sql $res
-}
datetest 2.3 {date('2003-10-22','weekday 0')} 2003-10-26
datetest 2.4 {date('2003-10-22','weekday 1')} 2003-10-27
datetest 2.4a {date('2003-10-22','weekday 1')} 2003-10-27


@ -1,90 +0,0 @@
--- sqlite-src-3180000/test/sync2.test.sync2-dirsync 2017-03-30 21:26:42.000000000 +0200
+++ sqlite-src-3180000/test/sync2.test 2017-04-03 13:16:14.422329691 +0200
@@ -44,6 +44,15 @@
uplevel [list do_test $tn [list execsql_sync $sql] [list {*}$res]]
}
+# Wrapper over the expected sync count, takes DIRSYNC into consideration
+proc expected_sync_count {sync_count} {
+ ifcapable dirsync {
+ return $sync_count
+ } else {
+ return [ incr sync_count -1 ]
+ }
+}
+
#-----------------------------------------------------------------------
# Tests for journal mode.
#
@@ -53,13 +62,13 @@
INSERT INTO t1 VALUES(1, 2);
}
-do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } 4
+do_execsql_sync_test 1.1 { INSERT INTO t1 VALUES(3, 4) } [ expected_sync_count 4 ]
# synchronous=normal. So, 1 sync on the directory, 1 on the journal, 1
# on the db file. 3 in total.
do_execsql_test 1.2.1 { PRAGMA main.synchronous = NORMAL }
do_execsql_test 1.2.2 { PRAGMA main.synchronous } 1
-do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } 3
+do_execsql_sync_test 1.2.3 { INSERT INTO t1 VALUES(5, 6) } [ expected_sync_count 3 ]
# synchronous=off. No syncs.
do_execsql_test 1.3.1 { PRAGMA main.synchronous = OFF }
@@ -70,7 +79,7 @@
# 2 on the journal, 1 on the db file. 4 in total.
do_execsql_test 1.4.1 { PRAGMA main.synchronous = FULL }
do_execsql_test 1.4.2 { PRAGMA main.synchronous } 2
-do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } 4
+do_execsql_sync_test 1.4.3 { INSERT INTO t1 VALUES(9, 10) } [ expected_sync_count 4 ]
#-----------------------------------------------------------------------
# Tests for wal mode.
@@ -79,7 +88,7 @@
# sync=full, journal_mode=wal. One sync on the directory, two on the
# wal file.
-do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } 3
+do_execsql_sync_test 1.6 { INSERT INTO t1 VALUES(11, 12) } [ expected_sync_count 3 ]
# One sync on the wal file.
do_execsql_sync_test 1.7 { INSERT INTO t1 VALUES(13, 14) } 1
@@ -112,7 +121,7 @@
# Wal mode, sync=normal. The first transaction does one sync on directory,
# one on the wal file. The second does no syncs.
- do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } 2
+ do_execsql_sync_test 1.11.1 { INSERT INTO t1 VALUES(19, 20) } [ expected_sync_count 2 ]
do_execsql_sync_test 1.11.2 { INSERT INTO t1 VALUES(21, 22) } 0
do_execsql_test 1.11.3 { PRAGMA main.synchronous } 1
@@ -129,14 +138,14 @@
# Delete mode, sync=full. The first transaction does one sync on
# directory, two on the journal file, one on the db. The second does
# the same.
- do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } 4
- do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } 4
+ do_execsql_sync_test 1.15.1 { INSERT INTO t1 VALUES(26, 27) } [ expected_sync_count 4 ]
+ do_execsql_sync_test 1.15.2 { INSERT INTO t1 VALUES(28, 29) } [ expected_sync_count 4 ]
do_execsql_test 1.15.3 { PRAGMA main.synchronous } 2
# Switch back to wal mode.
do_execsql_test 1.16 { PRAGMA journal_mode = wal } {wal}
- do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } 2
+ do_execsql_sync_test 1.17.1 { INSERT INTO t1 VALUES(30, 31) } [ expected_sync_count 2 ]
do_execsql_sync_test 1.17.2 { INSERT INTO t1 VALUES(32, 33) } 0
do_execsql_test 1.17.3 { PRAGMA main.synchronous } 1
@@ -152,8 +161,8 @@
# Close and reopen the db. Back to synchronous=normal.
db close
sqlite3 db test.db
- do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } 4
- do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } 4
+ do_execsql_sync_test 1.20.1 { INSERT INTO t1 VALUES(38, 39) } [ expected_sync_count 4 ]
+ do_execsql_sync_test 1.20.2 { INSERT INTO t1 VALUES(40, 41) } [ expected_sync_count 4 ]
do_execsql_test 1.20.3 { PRAGMA main.synchronous } 2
}


@ -0,0 +1,72 @@
From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Wed, 18 Dec 2019 20:51:58 +0000
Subject: [PATCH] Fix CVE-2019-19923
Continue to back away from the LEFT JOIN optimization of
check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
query is DISTINCT. Without this fix, if an index scan is run on the table
within the view on the right-hand side of the LEFT JOIN, stale result
registers might be accessed yielding incorrect results, and/or an
OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
NULL-pointer dereference. This problem was found by the Yongheng and Rui
fuzzer.
FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/select.c | 8 ++++++--
test/join.test | 13 +++++++++++++
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/select.c b/src/select.c
index 529df0f..4510b77 100644
--- a/src/select.c
+++ b/src/select.c
@@ -3582,6 +3582,7 @@ static void substSelect(
** (3b) the FROM clause of the subquery may not contain a virtual
** table and
** (3c) the outer query may not be an aggregate.
+** (3d) the outer query may not be DISTINCT.
**
** (4) The subquery can not be DISTINCT.
**
@@ -3770,8 +3771,11 @@ static int flattenSubquery(
*/
if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
isLeftJoin = 1;
- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
- /* (3a) (3c) (3b) */
+ if( pSubSrc->nSrc>1 /* (3a) */
+ || isAgg /* (3b) */
+ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */
+ || (p->selFlags & SF_Distinct)!=0 /* (3d) */
+ ){
return 0;
}
}
diff --git a/test/join.test b/test/join.test
index 8c6f463..8c6a53d 100644
--- a/test/join.test
+++ b/test/join.test
@@ -844,4 +844,17 @@ do_execsql_test join-15.110 {
ORDER BY a1, a2, a3, a4, a5;
} {1 {} {} {} {} 1 11 {} {} {} 1 12 {} {} {} 1 12 121 {} {} 1 13 {} {} {}}
+# 2019-12-18 problem with a LEFT JOIN where the RHS is a view.
+# Detected by Yongheng and Rui.
+# Follows from the optimization attempt of check-in 41c27bc0ff1d3135
+# on 2017-04-18
+#
+reset_db
+do_execsql_test join-22.10 {
+ CREATE TABLE t0(a, b);
+ CREATE INDEX t0a ON t0(a);
+ INSERT INTO t0 VALUES(10,10),(10,11),(10,12);
+ SELECT DISTINCT c FROM t0 LEFT JOIN (SELECT a+1 AS c FROM t0) ORDER BY c ;
+} {11}
+
finish_test
--
2.19.1
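Review bot: The per-condition tags in the rewritten `flattenSubquery` test do not match the restriction list edited in the first hunk. That list defines (3b) as the virtual-table rule and (3c) as the aggregate rule, and the removed comment `/* (3a) (3c) (3b) */` followed that order, but the new lines tag `isAgg` as (3b) and `IsVirtual(...)` as (3c). Swap the two tags to `|| isAgg /* (3c) */` and `|| IsVirtual(pSubSrc->a[0].pTab) /* (3b) */`, or, if the backport has to stay textually identical to the upstream check-in, record the mismatch in the patch header. The logic is unaffected because all four conditions are OR-ed; only the cross-reference a reader uses to audit restriction (3d) is wrong. flattenSubquery starts and ends outside the hunk.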


@ -0,0 +1,50 @@
From 8654186b0236d556aa85528c2573ee0b6ab71be3 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Thu, 19 Dec 2019 20:37:32 +0000
Subject: [PATCH] Fix CVE-2019-19924
When an error occurs while rewriting the parser tree for
window functions in the sqlite3WindowRewrite() routine, make sure that
pParse->nErr is set, and make sure that this shuts down any subsequent code
generation that might depend on the transformations that were implemented.
This fixes a problem discovered by the Yongheng and Rui fuzzer.
FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/expr.c | 2 ++
src/vdbeaux.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/expr.c b/src/expr.c
index 36ca515..8fd8af9 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -344,6 +344,8 @@ static int codeCompare(
int addr;
CollSeq *p4;
+ if( pParse->nErr ) return 0;
+
p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
diff --git a/src/vdbeaux.c b/src/vdbeaux.c
index ba2396c..df8bcc2 100644
--- a/src/vdbeaux.c
+++ b/src/vdbeaux.c
@@ -1171,7 +1171,8 @@ void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
*/
static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
assert( p->nOp>0 || p->aOp==0 );
- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
+ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
+ || p->pParse->nErr>0 );
if( p->nOp ){
assert( p->aOp );
sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
--
2.19.1
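Review bot: The patch header describes a fix inside `sqlite3WindowRewrite()`, but the diffstat lists only src/expr.c and src/vdbeaux.c, so the part of the upstream change that sets `pParse->nErr` is not in this backport. The `Fit for version 3.24.0` line should name the upstream hunks that were dropped and why (presumably this version has no window-function rewrite to patch), so a later audit of CVE-2019-19924 can tell the omission was deliberate. What remains is the early `if( pParse->nErr ) return 0;` in codeCompare and a relaxed assert in vdbeVComment; the assert only exists in debug builds, so the guard is the only behavioural change in a release build. No regression test accompanies the patch, and the header does not say which input reaches the guard on 3.24.0.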


@ -0,0 +1,55 @@
From 54d501092d88c0cf89bec4279951f548fb0b8618 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Thu, 19 Dec 2019 15:15:40 +0000
Subject: [PATCH] Fix CVE-2019-19925
Fix the zipfile extension so that INSERT works even if the
pathname of the file being inserted is a NULL. Bug discovered by the
Yongheng and Rui fuzzer.
FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
ext/misc/zipfile.c | 1 +
test/zipfile.test | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
index 9f2258e..01cd0ca 100644
--- a/ext/misc/zipfile.c
+++ b/ext/misc/zipfile.c
@@ -1617,6 +1617,7 @@ static int zipfileUpdate(
if( rc==SQLITE_OK ){
zPath = (const char*)sqlite3_value_text(apVal[2]);
+ if( zPath==0 ) zPath = "";
nPath = (int)strlen(zPath);
mTime = zipfileGetTime(apVal[4]);
}
diff --git a/test/zipfile.test b/test/zipfile.test
index ebc4977..abf432c 100644
--- a/test/zipfile.test
+++ b/test/zipfile.test
@@ -761,4 +761,17 @@ do_execsql_test 11.11 {
SELECT name, data FROM z ORDER BY name;
} {b0suffix two b2suffix one}
+# 2019-12-18 Yongheng and Rui fuzzer
+#
+do_execsql_test 13.10 {
+ DROP TABLE IF EXISTS t0;
+ DROP TABLE IF EXISTS t1;
+ CREATE TABLE t0(a,b,c,d,e,f,g);
+ REPLACE INTO t0(c,b,f) VALUES(10,10,10);
+ CREATE VIRTUAL TABLE t1 USING zipfile('h.zip');
+ REPLACE INTO t1 SELECT * FROM t0;
+ SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata),
+ quote(data),quote(method) FROM t1;
+} {'' 10 10 2 X'3130' X'3130' 0}
+
finish_test
--
2.19.1
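Review bot: `sqlite3_value_text()` returns NULL for an SQL NULL and can also return NULL when the text conversion runs out of memory, so the added `if( zPath==0 ) zPath = "";` maps both cases to an empty entry name. That removes the `strlen(NULL)` crash, but an allocation failure would then be written to the archive as a nameless entry instead of being reported. Either document the choice on that line, for example `/* NULL name is stored as ""; an OOM in sqlite3_value_text() also lands here */`, or test `sqlite3_value_type(apVal[2])==SQLITE_NULL` first if the two cases should differ. zipfileUpdate starts and ends outside the hunk, so how `rc` and `zPath` are used afterwards is not visible here.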


@ -0,0 +1,39 @@
From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Wed, 18 Dec 2019 20:51:58 +0000
Subject: [PATCH] Fix CVE-2019-19926
Continue to back away from the LEFT JOIN optimization of
check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
query is DISTINCT. Without this fix, if an index scan is run on the table
within the view on the right-hand side of the LEFT JOIN, stale result
registers might be accessed yielding incorrect results, and/or an
OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
NULL-pointer dereference. This problem was found by the Yongheng and Rui
fuzzer.
FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/select.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/select.c b/src/select.c
index 4510b77..f78c8a5 100644
--- a/src/select.c
+++ b/src/select.c
@@ -2813,7 +2813,8 @@ static int multiSelect(
}
#endif
}
-
+ if( pParse->nErr ) goto multi_select_end;
+
/* Compute collating sequences used by
** temporary tables needed to implement the compound select.
** Attach the KeyInfo structure to all temporary tables.
--
2.19.1
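Review bot: The header of this patch is a copy of the CVE-2019-19923 patch, with the same `From 396afe6f...` id, the same date, the same LEFT JOIN/DISTINCT description and the same `FossilOrigin-Name`, while the change itself is an `if( pParse->nErr ) goto multi_select_end;` guard in multiSelect. The spec registers the file as `6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch`, which points to a different upstream check-in than the one quoted. Replace the description and trailer with those of the check-in actually backported, e.g. `FossilOrigin-Name: <upstream check-in hash of the multiSelect fix>`. As it stands, the fix for CVE-2019-19926 cannot be traced to or compared against its upstream source. multiSelect starts and ends outside the hunk.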


@ -0,0 +1,32 @@
From a6c1a71cde082e09750465d5675699062922e387 Mon Sep 17 00:00:00 2001
From: dan <dan@noemail.net>
Date: Fri, 27 Dec 2019 20:54:42 +0000
Subject: [PATCH] Fix CVE-2019-20218
Do not attempt to unwind the WITH stack in the Parse object
following an error. This fixes a separate case to [de6e6d68].
FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92
Change by Weifeng <suweifeng1@huawei.com>:
Fit for version 3.24.0
---
src/select.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/select.c b/src/select.c
index f78c8a5..3bb98ad 100644
--- a/src/select.c
+++ b/src/select.c
@@ -4717,7 +4717,7 @@ static int selectExpander(Walker *pWalker, Select *p){
/* Process NATURAL keywords, and ON and USING clauses of joins.
*/
- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
return WRC_Abort;
}
--
2.19.1
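Review bot: The description calls this "a separate case to [de6e6d68]", but nothing on this page shows that the [de6e6d68] fix is itself carried for 3.24.0, and the visible part of the spec's patch list does not name it. Confirm it is among the existing patches or state in the `Fit for version 3.24.0` note why it is not needed; otherwise the WITH-stack unwinding after an error may be only partly addressed. The diffstat has only src/select.c, so the new `pParse->nErr ||` short-circuit in selectExpander ships without a regression test. selectExpander starts and ends outside the hunk.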


@ -6,7 +6,7 @@
Name: sqlite
Version: 3.24.0
Release: 6
Release: 7
Summary: Embeded SQL database
License: Public Domain
URL: http://www.sqlite.org/
@ -15,14 +15,9 @@ Source0: http://www.sqlite.org/2018/sqlite-src-%{extver}.zip
Source1: http://www.sqlite.org/2018/sqlite-doc-%{extver}.zip
Source2: https://www.sqlite.org/2018/sqlite-autoconf-%{extver}.tar.gz
Patch0000: 0000-sqlite-3.6.23-lemon-system-template.patch
Patch0001: 0001-sqlite-3.7.7.1-stupid-openfiles-test.patch
Patch0002: 0002-sqlite-3.12.2-no-malloc-usable-size.patch
Patch0003: 0003-sqlite-3.8.0-percentile-test.patch
Patch0004: 0004-sqlite-3.8.10.1-tcl-regress-tests.patch
Patch0005: 0005-sqlite-3.16-datetest-2.2c.patch
Patch0006: 0006-sqlite-3.18.0-sync2-dirsync.patch
Patch0007: 0007-sqlite-CVE-2018-20346.patch
Patch0000: 0000-sqlite-no-malloc-usable-size.patch
Patch0001: 0001-sqlite-CVE-2018-20346.patch
Patch0002: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
Patch6000: 6000-Fix-the-sqlite3BeginTrans-calls-within-the-snapshot-.patch
Patch6001: 6001-Change-a-comma-into-a-logically-equivalent-but-seman.patch
@ -73,6 +68,11 @@ Patch6045: 6045-sqlite-CVE-2019-16168.patch
Patch6046: 6046-Fix-CVE-2019-19646.patch
Patch6047: 6047-Fix-CVE-2019-9936.patch
Patch6048: 6048-Fix-CVE-2019-9937.patch
Patch6049: 6049-Fix-CVE-2019-19923-Continue-to-back-away-from-the-LEFT-JOIN-optimizatio.patch
Patch6050: 6050-Fix-CVE-2019-19924-When-an-error-occurs-while-rewriting-the-parser-tree.patch
Patch6051: 6051-Fix-CVE-2019-19925-Fix-the-zipfile-extension-so-that-INSERT-works-even-.patch
Patch6052: 6052-Fix-CVE-2019-19926-Continuation-of-e2bddcd4c55ba3cb-Add-another-spot-wh.patch
Patch6053: 6053-Fix-CVE-2019-20218-Do-not-attempt-to-unwind-the-WITH-stack-in-the-Parse.patch
BuildRequires: gcc autoconf tcl tcl-devel
BuildRequires: ncurses-devel readline-devel glibc-devel
@ -116,16 +116,8 @@ This contains man files and HTML files for the using of sqlite.
#autosetup will fail because of 2 zip files
%setup -q -a1 -n %{name}-src-%{extver}
%patch0000 -p1
%patch0001 -p1
%patch0001 -p0
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%ifarch %{ix86}
%patch0005 -p1
%endif
%patch0006 -p1
%patch0007 -p0
%patch6000 -p1
%patch6001 -p1
%patch6002 -p1
@ -175,6 +167,11 @@ This contains man files and HTML files for the using of sqlite.
%patch6046 -p1
%patch6047 -p1
%patch6048 -p1
%patch6049 -p1
%patch6050 -p1
%patch6051 -p1
%patch6052 -p1
%patch6053 -p1
rm -f %{name}-doc-%{extver}/sqlite.css~ || :
@ -245,6 +242,12 @@ make test
%{_mandir}/man*/*
%changelog
* Wed Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-7
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:Fix CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-20218
* Fri Jan 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-6
- Type:cves
- ID:CVE-2019-9936,CVE-2019-9937
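Review bot: The new changelog entry is dated `Wed Jan 11 2020`, but 11 January 2020 was a Saturday (the patch added in this same commit carries `Date: Sat, 11 Jan 2020`), and rpm reports a weekday/date mismatch as a bogus %changelog date. The entry also records five CVE fixes as `Type:enhancement` with `ID:NA`, whereas the 3.24.0-6 entry below it uses `Type:cves` and lists the ids, so tooling that reads these fields will not see the release as a security update. Suggested lines: `* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.24.0-7`, `- Type:cves`, `- ID:CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-20218`. Separately, dropping the percentile, shell1, date and sync2 test-workaround patches means those tests run again under `make test`; the percentile patch's own header documents an i686-only failure, so that architecture is worth a check.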