* [Buildroot] [PATCH] sqlite: add security patches
@ 2017-10-22 14:00 Baruch Siach
2017-10-22 15:02 ` Peter Korsgaard
2017-10-22 22:50 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Baruch Siach @ 2017-10-22 14:00 UTC (permalink / raw)
To: buildroot
CVE-2017-13685: The dump_callback function in SQLite 3.20.0 allows
remote attackers to cause a denial of service (EXC_BAD_ACCESS and
application crash) via a crafted file.
CVE-2017-15286: SQLite 3.20.1 has a NULL pointer dereference in
tableColumnList in shell.c
because it fails to consider certain cases where
`sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
initialized.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/sqlite/0001-CVE-2017-13685.patch | 54 ++++++++++++++++++++++++++++++++
package/sqlite/0002-CVE-2017-15286.patch | 28 +++++++++++++++++
2 files changed, 82 insertions(+)
create mode 100644 package/sqlite/0001-CVE-2017-13685.patch
create mode 100644 package/sqlite/0002-CVE-2017-15286.patch
diff --git a/package/sqlite/0001-CVE-2017-13685.patch b/package/sqlite/0001-CVE-2017-13685.patch
new file mode 100644
index 000000000000..9fd88f27e2e6
--- /dev/null
+++ b/package/sqlite/0001-CVE-2017-13685.patch
@@ -0,0 +1,54 @@
+Fix CVE-2017-13685
+
+The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a
+denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
+
+Patch taken from Debian:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873762
+
+Upstream issue: https://sqlite.org/src/info/02f0f4c54f2819b3
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+
+Index: src/shell.c
+==================================================================
+--- src/shell.c
++++ src/shell.c
+@@ -2657,10 +2657,11 @@
+ int *aiType /* Column types */
+ ){
+ int i;
+ ShellState *p = (ShellState*)pArg;
+
++ if( azArg==0 ) return 0;
+ switch( p->cMode ){
+ case MODE_Line: {
+ int w = 5;
+ if( azArg==0 ) break;
+ for(i=0; i<nArg; i++){
+@@ -3007,10 +3008,11 @@
+ */
+ static int captureOutputCallback(void *pArg, int nArg, char **azArg, char **az){
+ ShellText *p = (ShellText*)pArg;
+ int i;
+ UNUSED_PARAMETER(az);
++ if( azArg==0 ) return 0;
+ if( p->n ) appendText(p, "|", 0);
+ for(i=0; i<nArg; i++){
+ if( i ) appendText(p, ",", 0);
+ if( azArg[i] ) appendText(p, azArg[i], 0);
+ }
+@@ -3888,11 +3890,11 @@
+ const char *zType;
+ const char *zSql;
+ ShellState *p = (ShellState *)pArg;
+
+ UNUSED_PARAMETER(azNotUsed);
+- if( nArg!=3 ) return 1;
++ if( nArg!=3 || azArg==0 ) return 0;
+ zTable = azArg[0];
+ zType = azArg[1];
+ zSql = azArg[2];
+
+ if( strcmp(zTable, "sqlite_sequence")==0 ){
+
diff --git a/package/sqlite/0002-CVE-2017-15286.patch b/package/sqlite/0002-CVE-2017-15286.patch
new file mode 100644
index 000000000000..681e9d06047d
--- /dev/null
+++ b/package/sqlite/0002-CVE-2017-15286.patch
@@ -0,0 +1,28 @@
+Fix CVE-2017-15286
+
+SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c
+because it fails to consider certain cases where
+`sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
+initialized.
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878680
+
+Upstream commit: http://www.sqlite.org/src/info/5d0ceb8dcdef92cd
+
+Index: src/shell.c
+==================================================================
+--- src/shell.c
++++ src/shell.c
+@@ -3807,10 +3807,11 @@
+ isIPK = 0;
+ }
+ }
+ }
+ sqlite3_finalize(pStmt);
++ if( azCol==0 ) return 0;
+ azCol[0] = 0;
+ azCol[nCol+1] = 0;
+
+ /* The decision of whether or not a rowid really needs to be preserved
+ ** is tricky. We never need to preserve a rowid for a WITHOUT ROWID table
+
--
2.14.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] sqlite: add security patches
2017-10-22 14:00 [Buildroot] [PATCH] sqlite: add security patches Baruch Siach
@ 2017-10-22 15:02 ` Peter Korsgaard
2017-10-22 15:09 ` Baruch Siach
2017-10-22 22:50 ` Peter Korsgaard
1 sibling, 1 reply; 5+ messages in thread
From: Peter Korsgaard @ 2017-10-22 15:02 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> CVE-2017-13685: The dump_callback function in SQLite 3.20.0 allows
> remote attackers to cause a denial of service (EXC_BAD_ACCESS and
> application crash) via a crafted file.
> CVE-2017-15286: SQLite 3.20.1 has a NULL pointer dereference in
> tableColumnList in shell.c
> because it fails to consider certain cases where
> `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
> initialized.
Do you know if this also applies to 2017.08.x (3.19.3) or 2017.02.x
(3.16.2)?
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] sqlite: add security patches
2017-10-22 15:02 ` Peter Korsgaard
@ 2017-10-22 15:09 ` Baruch Siach
2017-10-22 22:45 ` Peter Korsgaard
0 siblings, 1 reply; 5+ messages in thread
From: Baruch Siach @ 2017-10-22 15:09 UTC (permalink / raw)
To: buildroot
Hi Peter,
On Sun, Oct 22, 2017 at 05:02:38PM +0200, Peter Korsgaard wrote:
> >>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
>
> > CVE-2017-13685: The dump_callback function in SQLite 3.20.0 allows
> > remote attackers to cause a denial of service (EXC_BAD_ACCESS and
> > application crash) via a crafted file.
>
> > CVE-2017-15286: SQLite 3.20.1 has a NULL pointer dereference in
> > tableColumnList in shell.c
> > because it fails to consider certain cases where
> > `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
> > initialized.
>
> Do you know if this also applies to 2017.08.x (3.19.3) or 2017.02.x
> (3.16.2)?
According to the Debian CVE-2017-13685 tracker page[1] versions as old as
3.7.13 are affected.
The CVE-2017-15286 page[2] indicates that 3.16.2 is not affected. Not sure
about 3.19.3.
[1] https://security-tracker.debian.org/tracker/CVE-2017-13685
[2] https://security-tracker.debian.org/tracker/CVE-2017-15286
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] sqlite: add security patches
2017-10-22 15:09 ` Baruch Siach
@ 2017-10-22 22:45 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2017-10-22 22:45 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
Hi,
>> Do you know if this also applies to 2017.08.x (3.19.3) or 2017.02.x
>> (3.16.2)?
> According to the Debian CVE-2017-13685 tracker page[1] versions as old as
> 3.7.13 are affected.
> The CVE-2017-15286 page[2] indicates that 3.16.2 is not affected. Not sure
> about 3.19.3.
> [1] https://security-tracker.debian.org/tracker/CVE-2017-13685
> [2] https://security-tracker.debian.org/tracker/CVE-2017-15286
Ok, thanks!
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] sqlite: add security patches
2017-10-22 14:00 [Buildroot] [PATCH] sqlite: add security patches Baruch Siach
2017-10-22 15:02 ` Peter Korsgaard
@ 2017-10-22 22:50 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2017-10-22 22:50 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> CVE-2017-13685: The dump_callback function in SQLite 3.20.0 allows
> remote attackers to cause a denial of service (EXC_BAD_ACCESS and
> application crash) via a crafted file.
> CVE-2017-15286: SQLite 3.20.1 has a NULL pointer dereference in
> tableColumnList in shell.c
> because it fails to consider certain cases where
> `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
> initialized.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2017.08.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-10-22 22:50 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-22 14:00 [Buildroot] [PATCH] sqlite: add security patches Baruch Siach
2017-10-22 15:02 ` Peter Korsgaard
2017-10-22 15:09 ` Baruch Siach
2017-10-22 22:45 ` Peter Korsgaard
2017-10-22 22:50 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.