* [kirkstone] [PATCH] sqlite: Increase the size of loop variables in the printf() implementation to avoid harmless compiler warnings.
@ 2022-08-25 7:25 ghassaneben
2022-08-25 7:33 ` [OE-core] " Marta Rybczynska
0 siblings, 1 reply; 3+ messages in thread
From: ghassaneben @ 2022-08-25 7:25 UTC (permalink / raw)
To: openembedded-core; +Cc: ghassaneben
From: ghassaneben <ghassaneb.aattar@huawei.com>
Increase the size of loop variables in the printf() implementation to avoid integer overflow on multi-gigabyte string arguments. CVE-2022-35737. This bug fix refers to: CVE-2022-35737 and it's a backport of a fix added in sqlite 3.39.2 (2022-07-21).
Original commit: https://www.sqlite.org/src/info/aab790a16e1bdff7.
Signed-off-by: Ghassane Ben El Aattar <ghassaneb.aattar@huawei.com>
---
...riables-in-the-printf-implementation.patch | 31 +++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 5 +++
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-support/sqlite/sqlite/0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch
diff --git a/meta/recipes-support/sqlite/sqlite/0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch b/meta/recipes-support/sqlite/sqlite/0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch
new file mode 100644
index 0000000000..998e93bc6c
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite/0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch
@@ -0,0 +1,31 @@
+From ec75530b8d8268cb07d8e476d79e1b0e59492fa2 Mon Sep 17 00:00:00 2001
+From: drh
+Date: Thu, 18 Aug 2022 15:10:46 +0200
+Subject: [PATCH] sqlite: Increase the size of loop variables in the printf() implementation to avoid harmless compiler warnings.
+
+Increase the size of loop variables in the printf() implementation to avoid integer overflow on multi-gigabyte string arguments. CVE-2022-35737. This bug fix refers to: CVE-2022-35737 and it's a backport of a fix added in sqlite 3.39.2 (2022-07-21).
+Original commit: https://www.sqlite.org/src/info/aab790a16e1bdff7.
+
+Signed-off-by: Ghassane Ben El Aattar <ghassaneb.aattar@huawei.com>
+
+CVE: CVE-2022-35737
+
+Upstream-Status: Backport https://github.com/sqlite/sqlite/commit/6eb7354fabede50a3601f251caaec172556a3a82
+---
+ src/printf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/printf.c b/src/printf.c
+index f867d62..490199a 100644
+--- a/src/printf.c
++++ b/src/printf.c
+@@ -542,7 +542,8 @@ static int vxprintf(
+ case etSQLESCAPE:
+ case etSQLESCAPE2:
+ {
+- int i, j, n, c, isnull;
++ i64 i, j, n, c;
++ int isnull;
+ char *arg = va_arg(ap,char*);
+ isnull = arg==0;
+ if( isnull ) arg = (xtype==etSQLESCAPE2 ? "NULL" : "(NULL)");
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index d56a3a0209..7b62980e24 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -12,3 +12,8 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
CVE_CHECK_IGNORE += "CVE-2015-3717"
# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
CVE_CHECK_IGNORE += "CVE-2021-36690"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch"
+
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [kirkstone] [PATCH] sqlite: Increase the size of loop variables in the printf() implementation to avoid harmless compiler warnings.
2022-08-25 7:25 [kirkstone] [PATCH] sqlite: Increase the size of loop variables in the printf() implementation to avoid harmless compiler warnings ghassaneben
@ 2022-08-25 7:33 ` Marta Rybczynska
2022-08-25 14:08 ` Steve Sakoman
0 siblings, 1 reply; 3+ messages in thread
From: Marta Rybczynska @ 2022-08-25 7:33 UTC (permalink / raw)
To: ghassaneben, Steve Sakoman, openembedded-core; +Cc: ghassaneben
[-- Attachment #1: Type: text/plain, Size: 616 bytes --]
On Thu, Aug 25, 2022 at 9:25 AM ghassaneben <ghassanebb@gmail.com> wrote:
> From: ghassaneben <ghassaneb.aattar@huawei.com>
>
> Increase the size of loop variables in the printf() implementation to
> avoid integer overflow on multi-gigabyte string arguments. CVE-2022-35737.
> This bug fix refers to: CVE-2022-35737 and it's a backport of a fix added
> in sqlite 3.39.2 (2022-07-21).
> Original commit: https://www.sqlite.org/src/info/aab790a16e1bdff7.
>
>
Steve,
I'm adding it to your watch list. This is a CVE fix contrary to the
"harmless warnings" one of the commit messages is telling us.
Kind regards,
Marta
[-- Attachment #2: Type: text/html, Size: 1188 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [kirkstone] [PATCH] sqlite: Increase the size of loop variables in the printf() implementation to avoid harmless compiler warnings.
2022-08-25 7:33 ` [OE-core] " Marta Rybczynska
@ 2022-08-25 14:08 ` Steve Sakoman
0 siblings, 0 replies; 3+ messages in thread
From: Steve Sakoman @ 2022-08-25 14:08 UTC (permalink / raw)
To: Marta Rybczynska; +Cc: ghassaneben, openembedded-core, ghassaneben
On Wed, Aug 24, 2022 at 9:34 PM Marta Rybczynska <rybczynska@gmail.com> wrote:
>
>
>
> On Thu, Aug 25, 2022 at 9:25 AM ghassaneben <ghassanebb@gmail.com> wrote:
>>
>> From: ghassaneben <ghassaneb.aattar@huawei.com>
>>
>> Increase the size of loop variables in the printf() implementation to avoid integer overflow on multi-gigabyte string arguments. CVE-2022-35737. This bug fix refers to: CVE-2022-35737 and it's a backport of a fix added in sqlite 3.39.2 (2022-07-21).
>> Original commit: https://www.sqlite.org/src/info/aab790a16e1bdff7.
>>
>
> Steve,
> I'm adding it to your watch list. This is a CVE fix contrary to the "harmless warnings" one of the commit messages is telling us.
Thanks! I'll update the short message to reflect this.
Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-08-25 14:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-25 7:25 [kirkstone] [PATCH] sqlite: Increase the size of loop variables in the printf() implementation to avoid harmless compiler warnings ghassaneben
2022-08-25 7:33 ` [OE-core] " Marta Rybczynska
2022-08-25 14:08 ` Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.