Control: tags -1 - confirmed On Thu, Oct 03, 2024 at 05:29:32PM +0200, László Böszörményi (GCS) wrote: > On Wed, Oct 2, 2024 at 3:44 PM Adrian Bunk <b...@debian.org> wrote: > > Thanks for noticing, debdiff is now attached. > With my maintainer hat on, I ACK this update. > I recommend two more updates which are very straightforward ones. The > first one is a stack overflow [1] and the second is a signed integer > overflow [2] fix. The choice is yours of course to include these or > not.
Thanks for the feedback, and apologies for the late reply. I agree that these make sense, an updated debdiff is attached. > Regards, > Laszlo/GCS > [1] https://sqlite.org/src/info/074002718b2ecb9f > [2] https://sqlite.org/src/info/e6bec37ea1ca51e1 cu Adrian
diffstat for sqlite3-3.40.1 sqlite3-3.40.1
 changelog | 11 +
 patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch | 45 +++++
 patches/0002-Avoid-a-stack-overflow-that-could-be-caused-by-a-rec.patch | 58 ++++++
 patches/0003-Fix-a-technically-undefined-signed-integer-overflow-.patch | 90 ++++++++++
 patches/series | 3
 5 files changed, 207 insertions(+)
diff -Nru sqlite3-3.40.1/debian/changelog sqlite3-3.40.1/debian/changelog
--- sqlite3-3.40.1/debian/changelog 2023-03-16 20:54:28.000000000 +0200
+++ sqlite3-3.40.1/debian/changelog 2024-11-02 22:03:43.000000000 +0200
@@ -1,3 +1,14 @@
+sqlite3 (3.40.1-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-7104: Session extension buffer overread
+ * Backport fix for a stack overflow that could be caused by a
+ recursively defined WINDOW() with a strategically embedded error.
+ * Backport fix for a technically undefined signed integer overflow
+ in fts5.
+
+ -- Adrian Bunk <b...@debian.org> Sat, 02 Nov 2024 22:03:43 +0200
+
 sqlite3 (3.40.1-2) unstable; urgency=medium
 
 [ Cyril Brulebois <cy...@debamax.com> ]
diff -Nru sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch
--- sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch 1970-01-01 02:00:00.000000000 +0200
+++ sqlite3-3.40.1/debian/patches/0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch 2024-11-02 22:03:43.000000000 +0200
@@ -0,0 +1,45 @@
+From a13638ed10eff960cebe88554bca48704a66a268 Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: Fix a buffer overread in the sessions extension that could occur when
+ processing a corrupt changeset.
+
+FossilOrigin-Name: 0e4e7a05c4204b47a324d67e18e76d2a98e26b2723d19d5c655ec9fd2e41f4b7
+---
+ ext/session/sqlite3session.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
+index fd06f3b4d6..776797ff29 100644
+--- a/ext/session/sqlite3session.c
++++ b/ext/session/sqlite3session.c
+@@ -3050,15 +3050,19 @@ static int sessionReadRecord(
+ }
+ }
+ if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+- sqlite3_int64 v = sessionGetI64(aVal);
+- if( eType==SQLITE_INTEGER ){
+- sqlite3VdbeMemSetInt64(apOut[i], v);
++ if( (pIn->nData-pIn->iNext)<8 ){
++ rc = SQLITE_CORRUPT_BKPT;
+ }else{
+- double d;
+- memcpy(&d, &v, 8);
+- sqlite3VdbeMemSetDouble(apOut[i], d);
++ sqlite3_int64 v = sessionGetI64(aVal);
++ if( eType==SQLITE_INTEGER ){
++ sqlite3VdbeMemSetInt64(apOut[i], v);
++ }else{
++ double d;
++ memcpy(&d, &v, 8);
++ sqlite3VdbeMemSetDouble(apOut[i], d);
++ }
++ pIn->iNext += 8;
+ }
+- pIn->iNext += 8;
+ }
+ }
+ }
+-- 
+2.30.2
+
diff -Nru sqlite3-3.40.1/debian/patches/0002-Avoid-a-stack-overflow-that-could-be-caused-by-a-rec.patch sqlite3-3.40.1/debian/patches/0002-Avoid-a-stack-overflow-that-could-be-caused-by-a-rec.patch
--- sqlite3-3.40.1/debian/patches/0002-Avoid-a-stack-overflow-that-could-be-caused-by-a-rec.patch 1970-01-01 02:00:00.000000000 +0200
+++ sqlite3-3.40.1/debian/patches/0002-Avoid-a-stack-overflow-that-could-be-caused-by-a-rec.patch 2024-11-02 22:03:43.000000000 +0200
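Review bot: The new length check `(pIn->nData-pIn->iNext)<8` stops the 8-byte read in the corrupt case, but what happens after `rc = SQLITE_CORRUPT_BKPT` is outside the hunk; the enclosing loop in sessionReadRecord should terminate on a non-OK rc, otherwise later iterations would continue decoding at an unchanged iNext, so that condition is worth confirming in the backported tree. The check itself has no comment; suggest `/* Corrupt changeset: fewer than 8 bytes remain for an INTEGER/FLOAT value. */` above it. The changelog ties this patch to CVE-2023-7104 while the patch header carries only the upstream From/Subject/FossilOrigin-Name lines; a DEP-3 `Origin:` line naming the upstream check-in plus the CVE id in the description would make the series self-documenting. sessionReadRecord starts and ends outside the hunk.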
@@ -0,0 +1,58 @@
+From da3b3bb73b5483cf9b277501c7020c882db14740 Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Sat, 24 Aug 2024 15:54:15 +0000
+Subject: Avoid a stack overflow that could be caused by a recursively defined
+ WINDOW() with a strategically embedded error.
+
+FossilOrigin-Name: bada54bd6bf54190e40aa721b77081015957d204c7b6a9fdbe8c67bcf20798f8
+---
+ src/resolve.c | 2 +-
+ test/windowE.test | 20 ++++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve.c b/src/resolve.c
+index 1c3a9d9097..05d23ce029 100644
+--- a/src/resolve.c
++++ b/src/resolve.c
+@@ -1159,7 +1159,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
+ sqlite3WalkExprList(pWalker, pList);
+ if( is_agg ){
+ #ifndef SQLITE_OMIT_WINDOWFUNC
+- if( pWin ){
++ if( pWin && pParse->nErr==0 ){
+ Select *pSel = pNC->pWinSelect;
+ assert( pWin==0 || (ExprUseYWin(pExpr) && pWin==pExpr->y.pWin) );
+ if( IN_RENAME_OBJECT==0 ){
+diff --git a/test/windowE.test b/test/windowE.test
+index f20bcdaaa8..9128468b3c 100644
+--- a/test/windowE.test
++++ b/test/windowE.test
+@@ -54,5 +54,25 @@ do_execsql_test 1.3 {
+ 5 5,4 5,4,1 5,4,1,6 5,4,1,6,3 5,4,1,6,3,2
+ }
+ 
++#-------------------------------------------------------------------------
++reset_db
++do_execsql_test 2.0 {
++ CREATE TABLE t1(x);
++}
++
++sqlite3_create_aggregate db
++
++breakpoint
++do_catchsql_test 2.1 {
++ SELECT min(x) OVER w1 FROM t1
++ WINDOW w1 AS (PARTITION BY x_count(x) OVER w1);
++} {1 {x_count() may not be used as a window function}}
++
++do_catchsql_test 2.2 {
++ SELECT min(x) FILTER (WHERE x_count(x) OVER w1) OVER w1 FROM t1
++ WINDOW w1 AS (PARTITION BY x OVER w1);
++} {1 {near "OVER": syntax error}}
++
++
+ finish_test
+ 
+-- 
+2.30.2
+
diff -Nru sqlite3-3.40.1/debian/patches/0003-Fix-a-technically-undefined-signed-integer-overflow-.patch sqlite3-3.40.1/debian/patches/0003-Fix-a-technically-undefined-signed-integer-overflow-.patch
--- sqlite3-3.40.1/debian/patches/0003-Fix-a-technically-undefined-signed-integer-overflow-.patch 1970-01-01 02:00:00.000000000 +0200
+++ sqlite3-3.40.1/debian/patches/0003-Fix-a-technically-undefined-signed-integer-overflow-.patch 2024-11-02 22:03:43.000000000 +0200
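Review bot: The new guard `if( pWin && pParse->nErr==0 )` in resolveExprStep carries no comment, and the reason for it lives only in the commit subject; suggest `/* Skip window resolution once an error is recorded: a recursively defined WINDOW that has already failed could otherwise be re-entered without bound. */` directly above it. In the test/windowE.test part of the patch, the `breakpoint` line before `do_catchsql_test 2.1` looks like a debugging leftover carried over from upstream; it is presumably a no-op in the test harness, but the backport could drop it. Whether the test-file changes have any effect depends on the package running the upstream test suite at build time, which is not visible here. resolveExprStep starts and ends outside the hunk.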
@@ -0,0 +1,90 @@
+From b8ab0b5de0243b7a4a849148d584b2e6199e10b3 Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Mon, 2 Sep 2024 18:41:59 +0000
+Subject: Fix a technically undefined signed integer overflow in fts5.
+
+FossilOrigin-Name: e6bec37ea1ca51e1d048941ce4c5211d8fc5c5e3556a1441f9c79b036843f9e3
+---
+ ext/fts5/fts5_index.c | 2 +-
+ ext/fts5/test/fts5integrity2.test | 56 +++++++++++++++++++++++++++++++
+ 2 files changed, 57 insertions(+), 1 deletion(-)
+ create mode 100644 ext/fts5/test/fts5integrity2.test
+
+diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
+index 7eca9b1321..86d90deb69 100644
+--- a/ext/fts5/fts5_index.c
++++ b/ext/fts5/fts5_index.c
+@@ -1977,7 +1977,7 @@ static void fts5SegIterNext_None(
+ 
+ if( iOff<pIter->iEndofDoclist ){
+ /* Next entry is on the current page */
+- i64 iDelta;
++ u64 iDelta;
+ iOff += sqlite3Fts5GetVarint(&pIter->pLeaf->p[iOff], (u64*)&iDelta);
+ pIter->iLeafOffset = iOff;
+ pIter->iRowid += iDelta;
+diff --git a/ext/fts5/test/fts5integrity2.test b/ext/fts5/test/fts5integrity2.test
+new file mode 100644
+index 0000000000..968be3bddf
+--- /dev/null
++++ b/ext/fts5/test/fts5integrity2.test
+@@ -0,0 +1,56 @@
++# 2024 September 3
++#
++# The author disclaims copyright to this source code. In place of
++# a legal notice, here is a blessing:
++#
++# May you do good and not evil.
++# May you find forgiveness for yourself and forgive others.
++# May you share freely, never taking more than you give.
++#
++#***********************************************************************
++#
++# This file contains tests focused on the integrity-check procedure.
++#
++
++source [file join [file dirname [info script]] fts5_common.tcl]
++set testprefix fts5integrity2
++
++# If SQLITE_ENABLE_FTS5 is not defined, omit this file.
++ifcapable !fts5 {
++ finish_test
++ return
++}
++
++do_execsql_test 2.0 {
++ CREATE VIRTUAL TABLE t2 USING fts5(a, detail='none');
++ BEGIN;
++ INSERT INTO t2(rowid, a) VALUES(-1, 'hello world');
++ INSERT INTO t2(rowid, a) VALUES(9223372036854775807, 'hello world');
++ COMMIT;
++}
++
++do_execsql_test 2.1 {
++ SELECT rowid FROM t2('hello AND world');
++} {-1 9223372036854775807}
++
++#-------------------------------------------------------------------------
++do_execsql_test 2.0 {
++ CREATE VIRTUAL TABLE t1 USING fts5(a, detail='none');
++ CREATE TABLE r1(r);
++
++ WITH c(x) AS (VALUES(1) UNION SELECT x<<1 FROM c)
++ INSERT INTO r1(r) SELECT -1-x FROM c;
++
++ INSERT INTO t1(rowid, a) SELECT r, 'abc' FROM r1;
++}
++
++do_execsql_test 2.1 {
++ PRAGMA integrity_check;
++} {ok}
++
++do_execsql_test 2.2 {
++ SELECT rowid FROM t1('abc') ORDER BY +rowid;
++} [db eval {SELECT r FROM r1 ORDER BY r}]
++
++
++finish_test
+-- 
+2.30.2
+
diff -Nru sqlite3-3.40.1/debian/patches/series sqlite3-3.40.1/debian/patches/series
--- sqlite3-3.40.1/debian/patches/series 2022-12-31 10:41:40.000000000 +0200
+++ sqlite3-3.40.1/debian/patches/series 2024-11-02 22:03:43.000000000 +0200
@@ -7,3 +7,6 @@
 32-dynamic_link.patch
 02-use-packaged-lempar.c.patch
 40-amalgamation_configure.patch
+0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch
+0002-Avoid-a-stack-overflow-that-could-be-caused-by-a-rec.patch
+0003-Fix-a-technically-undefined-signed-integer-overflow-.patch
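Review bot: With `iDelta` now declared `u64`, the `(u64*)&iDelta` cast in the sqlite3Fts5GetVarint call in fts5SegIterNext_None is redundant and hides the variable's real type; `iOff += sqlite3Fts5GetVarint(&pIter->pLeaf->p[iOff], &iDelta);` is clearer. `pIter->iRowid += iDelta` now adds an unsigned delta to what is presumably a signed rowid, so the sum wraps in u64 and the store back is implementation-defined in C11 rather than undefined, which is exactly what the fix relies on; a comment such as `/* iDelta is unsigned so the add wraps instead of overflowing: the delta between a negative rowid and a large positive one exceeds INT64_MAX (see fts5integrity2.test). */` would record that for the next reader. In the new fts5integrity2.test, the names 2.0 and 2.1 are each used twice (once for the t2 block, once for the t1 block), so a failure report would be ambiguous; renumbering the second group 3.0-3.2 avoids that. fts5SegIterNext_None starts and ends outside the hunk.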