From: Armin Kuster <akus...@mvista.com> Source: sqlite.org MR: 104526 Type: Security Fix Disposition: Backport from https://www.sqlite.org/src/vinfo/10fa79d00f8091e5?diff=1 ChangeID: a1c012b8c8aecd4970f3ae16686bf25f2376f542 Description:
Affects sqlite < 3.32.3 Fixes CVE CVE-2020-15358 Signed-off-by: Armin Kuster <akus...@mvista.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../sqlite/files/CVE-2020-15358.patch | 47 +++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-15358.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2020-15358.patch b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch new file mode 100644 index 0000000000..086f6ef913 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-15358.patch @@ -0,0 +1,47 @@ +Fix a defect in the query-flattener optimization identified by ticket [8f157e8010b22af0]. + +Upstream-Status: Backport +https://www.sqlite.org/src/info/10fa79d00f8091e5 +CVE: CVE-2020-15358 +Signed-off-by: Armin Kuster <akus...@mvista.com> + +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -18349,6 +18349,7 @@ struct Select { + #define SF_WhereBegin 0x0080000 /* Really a WhereBegin() call. Debug Only */ + #define SF_WinRewrite 0x0100000 /* Window function rewrite accomplished */ + #define SF_View 0x0200000 /* SELECT statement is a view */ ++#define SF_NoopOrderBy 0x0400000 /* ORDER BY is ignored for this query */ + + /* + ** The results of a SELECT can be distributed in several ways, as defined +@@ -130607,9 +130608,7 @@ static int multiSelect( + selectOpName(p->op))); + rc = sqlite3Select(pParse, p, &uniondest); + testcase( rc!=SQLITE_OK ); +- /* Query flattening in sqlite3Select() might refill p->pOrderBy. +- ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */ +- sqlite3ExprListDelete(db, p->pOrderBy); ++ assert( p->pOrderBy==0 ); + pDelete = p->pPrior; + p->pPrior = pPrior; + p->pOrderBy = 0; +@@ -131958,7 +131957,7 @@ static int flattenSubquery( + ** We look at every expression in the outer query and every place we see + ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10". + */ +- if( pSub->pOrderBy ){ ++ if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){ + /* At this point, any non-zero iOrderByCol values indicate that the + ** ORDER BY column expression is identical to the iOrderByCol'th + ** expression returned by SELECT statement pSub. Since these values +@@ -133659,6 +133658,7 @@ SQLITE_PRIVATE int sqlite3Select( + sqlite3ExprListDelete(db, p->pOrderBy); + p->pOrderBy = 0; + p->selFlags &= ~SF_Distinct; ++ p->selFlags |= SF_NoopOrderBy; + } + sqlite3SelectPrep(pParse, p, 0); + if( pParse->nErr || db->mallocFailed ){ diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 57a791385c..e5071b48bb 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -7,6 +7,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-9327.patch \ file://CVE-2020-11656.patch \ file://CVE-2020-11655.patch \ + file://CVE-2020-15358.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" -- 2.17.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#140352): https://lists.openembedded.org/g/openembedded-core/message/140352 Mute This Topic: https://lists.openembedded.org/mt/75336316/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
