diff --git a/6000-0001-Fix-CVE-2020-9327.patch b/0001-Fix-CVE-2020-9327.patch similarity index 100% rename from 6000-0001-Fix-CVE-2020-9327.patch rename to 0001-Fix-CVE-2020-9327.patch diff --git a/6001-0002-Fix-CVE-2020-9327.patch b/0002-Fix-CVE-2020-9327.patch similarity index 100% rename from 6001-0002-Fix-CVE-2020-9327.patch rename to 0002-Fix-CVE-2020-9327.patch diff --git a/6002-Fix-CVE-2020-11655.patch b/0003-Fix-CVE-2020-11655.patch similarity index 100% rename from 6002-Fix-CVE-2020-11655.patch rename to 0003-Fix-CVE-2020-11655.patch diff --git a/6003-Fix-CVE-2020-11656.patch b/0004-Fix-CVE-2020-11656.patch similarity index 100% rename from 6003-Fix-CVE-2020-11656.patch rename to 0004-Fix-CVE-2020-11656.patch diff --git a/0005-Fix-CVE-2020-15358.patch b/0005-Fix-CVE-2020-15358.patch new file mode 100644 index 0000000000000000000000000000000000000000..7622ddbab06f881b8fba15e1a30d4fa329d56baf --- /dev/null +++ b/0005-Fix-CVE-2020-15358.patch @@ -0,0 +1,90 @@ +From a144b923c5f3a60e4f7caa77305a3e4765bdba5d Mon Sep 17 00:00:00 2001 +From: Peibao Liu +Date: Mon, 6 Jul 2020 15:59:47 -0400 +Subject: [PATCH] backport-Fix-CVE-2020-15358 + +Signed-off-by: Peibao Liu +--- + src/select.c | 7 +++---- + src/sqliteInt.h | 1 + + test/selectA.test | 21 +++++++++++++++++++++ + 3 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/src/select.c b/src/select.c +index b5e5a75..7f88e35 100644 +--- a/src/select.c ++++ b/src/select.c +@@ -2717,9 +2717,7 @@ static int multiSelect( + selectOpName(p->op))); + rc = sqlite3Select(pParse, p, &uniondest); + testcase( rc!=SQLITE_OK ); +- /* Query flattening in sqlite3Select() might refill p->pOrderBy. +- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */ +- sqlite3ExprListDelete(db, p->pOrderBy); ++ assert( p->pOrderBy==0 ); + pDelete = p->pPrior; + p->pPrior = pPrior; + p->pOrderBy = 0; +@@ -4068,7 +4066,7 @@ static int flattenSubquery( + ** We look at every expression in the outer query and every place we see + ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10". + */ +- if( pSub->pOrderBy ){ ++ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){ + /* At this point, any non-zero iOrderByCol values indicate that the + ** ORDER BY column expression is identical to the iOrderByCol'th + ** expression returned by SELECT statement pSub. Since these values +@@ -5769,6 +5767,7 @@ int sqlite3Select( + sqlite3ExprListDelete(db, p->pOrderBy); + p->pOrderBy = 0; + p->selFlags &= ~SF_Distinct; ++ p->selFlags |= SF_NoopOrderBy; + } + sqlite3SelectPrep(pParse, p, 0); + if( pParse->nErr || db->mallocFailed ){ +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index aa9556b..514df18 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -3074,6 +3074,7 @@ struct Select { + #define SF_WhereBegin 0x0080000 /* Really a WhereBegin() call. Debug Only */ + #define SF_WinRewrite 0x0100000 /* Window function rewrite accomplished */ + #define SF_View 0x0200000 /* SELECT statement is a view */ ++#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */ + + /* + ** The results of a SELECT can be distributed in several ways, as defined +diff --git a/test/selectA.test b/test/selectA.test +index 838e5f4..7ca0096 100644 +--- a/test/selectA.test ++++ b/test/selectA.test +@@ -1446,5 +1446,26 @@ do_execsql_test 6.1 { + SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a; + } {12345} + ++# 2020-06-15 ticket 8f157e8010b22af0 ++# ++reset_db ++do_execsql_test 7.1 { ++ CREATE TABLE t1(c1); INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc'); ++ CREATE TABLE t2(c2); INSERT INTO t2 VALUES(44),(55),(123); ++ CREATE TABLE t3(c3,c4); INSERT INTO t3 VALUES(66,1),(123,2),(77,3); ++ CREATE VIEW t4 AS SELECT c3 FROM t3; ++ CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4; ++} ++do_execsql_test 7.2 { ++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123; ++} {123 123} ++do_execsql_test 7.3 { ++ SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123; ++} {123 123} ++do_execsql_test 7.4 { ++ CREATE TABLE a(b); ++ CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b; ++ SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c; ++} {} + + finish_test +-- +2.23.0 + diff --git a/0006-Fix-CVE-2020-13631.patch b/0006-Fix-CVE-2020-13631.patch new file mode 100644 index 0000000000000000000000000000000000000000..781ec6a6fecace88ba622e6b991fa158ac2e027e --- /dev/null +++ b/0006-Fix-CVE-2020-13631.patch @@ -0,0 +1,82 @@ +diff -Naur 1/src/alter.c 2/src/alter.c +--- 1/src/alter.c 2020-06-02 16:02:38.294309518 -0400 ++++ 2/src/alter.c 2020-06-02 16:05:27.248309518 -0400 +@@ -123,7 +123,10 @@ + /* Check that a table or index named 'zName' does not already exist + ** in database iDb. If so, this is an error. + */ +- if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){ ++ if( sqlite3FindTable(db, zName, zDb) ++ || sqlite3FindIndex(db, zName, zDb) ++ || sqlite3IsShadowTableOf(db, pTab, zName) ++ ){ + sqlite3ErrorMsg(pParse, + "there is already another table or index with this name: %s", zName); + goto exit_rename_table; +diff -Naur 1/src/build.c 2/src/build.c +--- 1/src/build.c 2020-06-02 16:02:38.325309518 -0400 ++++ 2/src/build.c 2020-06-02 16:11:12.023309518 -0400 +@@ -2129,6 +2129,28 @@ + recomputeColumnsNotIndexed(pPk); + } + ++ ++#ifndef SQLITE_OMIT_VIRTUALTABLE ++/* ++ * ** Return true if pTab is a virtual table and zName is a shadow table name ++ * ** for that virtual table. ++ * */ ++int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){ ++ int nName; /* Length of zName */ ++ Module *pMod; /* Module for the virtual table */ ++ ++ if( !IsVirtual(pTab) ) return 0; ++ nName = sqlite3Strlen30(pTab->zName); ++ if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0; ++ if( zName[nName]!='_' ) return 0; ++ pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); ++ if( pMod==0 ) return 0; ++ if( pMod->pModule->iVersion<3 ) return 0; ++ if( pMod->pModule->xShadowName==0 ) return 0; ++ return pMod->pModule->xShadowName(zName+nName+1); ++} ++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ ++ + #ifndef SQLITE_OMIT_VIRTUALTABLE + /* + ** Return true if zName is a shadow table name in the current database +@@ -2140,7 +2162,6 @@ + int sqlite3ShadowTableName(sqlite3 *db, const char *zName){ + char *zTail; /* Pointer to the last "_" in zName */ + Table *pTab; /* Table that zName is a shadow of */ +- Module *pMod; /* Module for the virtual table */ + + zTail = strrchr(zName, '_'); + if( zTail==0 ) return 0; +@@ -2149,11 +2170,7 @@ + *zTail = '_'; + if( pTab==0 ) return 0; + if( !IsVirtual(pTab) ) return 0; +- pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]); +- if( pMod==0 ) return 0; +- if( pMod->pModule->iVersion<3 ) return 0; +- if( pMod->pModule->xShadowName==0 ) return 0; +- return pMod->pModule->xShadowName(zTail+1); ++ return sqlite3IsShadowTableOf(db, pTab, zName); + } + #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */ + +diff -Naur 1/src/sqliteInt.h 2/src/sqliteInt.h +--- 1/src/sqliteInt.h 2020-06-02 16:02:38.291309518 -0400 ++++ 2/src/sqliteInt.h 2020-06-02 16:14:49.356309518 -0400 +@@ -4673,8 +4673,10 @@ + int sqlite3ReadOnlyShadowTables(sqlite3 *db); + #ifndef SQLITE_OMIT_VIRTUALTABLE + int sqlite3ShadowTableName(sqlite3 *db, const char *zName); ++ int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*); + #else + # define sqlite3ShadowTableName(A,B) 0 ++# define sqlite3IsShadowTableOf(A,B,C) 0 + #endif + int sqlite3VtabEponymousTableInit(Parse*,Module*); + void sqlite3VtabEponymousTableClear(sqlite3*,Module*); diff --git a/0000-sqlite-no-malloc-usable-size.patch b/0007-sqlite-no-malloc-usable-size.patch similarity index 100% rename from 0000-sqlite-no-malloc-usable-size.patch rename to 0007-sqlite-no-malloc-usable-size.patch diff --git a/sqlite.spec b/sqlite.spec index 35c460b1fa0f7606776c08725880de0a1a8b245c..d0188373273baf8a7c69e59b60f8aedbe6f39c52 100644 --- a/sqlite.spec +++ b/sqlite.spec @@ -7,7 +7,7 @@ Name: sqlite Version: 3.31.1 -Release: 0 +Release: 1 Summary: Embeded SQL database License: Public Domain URL: http://www.sqlite.org/ @@ -16,12 +16,13 @@ Source0: http://www.sqlite.org/%{year}/sqlite-src-%{extver}.zip Source1: http://www.sqlite.org/%{year}/sqlite-doc-%{extver}.zip Source2: https://www.sqlite.org/%{year}/sqlite-autoconf-%{extver}.tar.gz -Patch0000: 0000-sqlite-no-malloc-usable-size.patch - -Patch6000: 6000-0001-Fix-CVE-2020-9327.patch -Patch6001: 6001-0002-Fix-CVE-2020-9327.patch -Patch6002: 6002-Fix-CVE-2020-11655.patch -Patch6003: 6003-Fix-CVE-2020-11656.patch +Patch1: 0001-Fix-CVE-2020-9327.patch +Patch2: 0002-Fix-CVE-2020-9327.patch +Patch3: 0003-Fix-CVE-2020-11655.patch +Patch4: 0004-Fix-CVE-2020-11656.patch +Patch5: 0005-Fix-CVE-2020-15358.patch +Patch6: 0006-Fix-CVE-2020-13631.patch +Patch7: 0007-sqlite-no-malloc-usable-size.patch BuildRequires: gcc autoconf tcl tcl-devel BuildRequires: ncurses-devel readline-devel glibc-devel @@ -64,11 +65,14 @@ This contains man files and HTML files for the using of sqlite. %prep #autosetup will fail because of 2 zip files %setup -q -a1 -n %{name}-src-%{extver} -%patch0000 -p1 -%patch6000 -p0 -%patch6001 -p0 -%patch6002 -p1 -%patch6003 -p1 +%patch1 -p0 +%patch2 -p0 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 + rm -f %{name}-doc-%{extver}/sqlite.css~ || : @@ -141,6 +145,12 @@ make test %{_mandir}/man*/* %changelog +* Mon Aug 3 2020 yanglongkang - 3.31.1-1 +- Type:cves +- ID:CVE-2020-13871 CVE-2020-13631 +- SUG: NA +- DESC: fix cve + * Fri Apr 17 2020 luoshijie - 3.31.1-0 - Type:enhancement - ID:NA