[thud][PATCH v2] sqlite3: CVE fix

[thud][PATCH v2] sqlite3: CVE fix

[shuagr97]

From: Shubham Agrawal <shuagr@microsoft.com>

CVE:CVE-2019-161680
Status: Backport

whitelist as changes already there due to previous patches in upstream
CVE:CVE-2018-20346
Status: Backported

Sign off: Shubham Agrawaslshuagr@microsoft.com
---
 .../sqlite/files/CVE-2019-16168.patch              | 37 ++++++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.23.1.bb      |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-16168.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2019-16168.patch b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
new file mode 100644
index 0000000..d8e93c0
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
@@ -0,0 +1,37 @@
+From fc8bb8d6ae2d4cd024546e9e7bbab115427c3f41 Mon Sep 17 00:00:00 2001
+From: Shubham Agrawal <shuagr@microsoft.com>
+Date: Fri, 11 Oct 2019 20:20:18 +0000
+Subject: [PATCH] sqlite3 CVE: CVE-2019-16168 Status: backported Sign off:
+ Shubham Agrawal<shuagr@microsoft.com>
+Reply-To: shuagr@microsoft.com
+
+---
+ sqlite3.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 0f71a44..c480e53 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -101836,7 +101836,9 @@ static void decodeIntArray(
+       if( sqlite3_strglob("unordered*", z)==0 ){
+         pIndex->bUnordered = 1;
+       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++        int sz = sqlite3Atoi(z+3);
++        if( sz<2 ) sz = 2;
++        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(sz));
+       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+         pIndex->noSkipScan = 1;
+       }
+@@ -137151,6 +137153,7 @@ static int whereLoopAddBtreeIndex(
+     ** it to pNew->rRun, which is currently set to the cost of the index
+     ** seek only. Then, if this is a non-covering index, add the cost of
+     ** visiting the rows in the main table.  */
++    assert( pSrc->pTab->szTabRow>0 );
+     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+-- 
+2.7.4
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
index 7df61cd..e2e9b50 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -8,6 +8,7 @@ SRC_URI = "\
   file://CVE-2018-20505.patch \
   file://CVE-2018-20506.patch \
   file://CVE-2019-8457.patch \
+  file://CVE-2019-16168.patch \
   "
 SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
 SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"
-- 
2.7.4

✗ patchtest: failure for sqlite3: CVE fix

[Patchwork]

== Series Details ==

Series: sqlite3: CVE fix
Revision: 1
URL   : https://patchwork.openembedded.org/series/20461/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [thud,v2] sqlite3: CVE fix
 Issue             Patch is missing Signed-off-by [test_signed_off_by_presence] 
  Suggested fix    Sign off the patch (either manually or with "git commit --amend -s")

* Patch            [thud,v2] sqlite3: CVE fix
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"

* Issue             A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence] 
  Suggested fix    Sign off the added patch file (meta/recipes-support/sqlite/files/CVE-2019-16168.patch)

* Issue             Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format] 
  Suggested fix    Add Upstream-Status: <Valid status> to the header of meta/recipes-support/sqlite/files/CVE-2019-16168.patch
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

Re: [thud][PATCH v2] sqlite3: CVE fix

[akuster808]

On 10/14/19 1:22 PM, shuagr97@gmail.com wrote:
> From: Shubham Agrawal <shuagr@microsoft.com>
>
> CVE:CVE-2019-161680
Does not match patch name.
> Status: Backport
>
> whitelist as changes already there due to previous patches in upstream
> CVE:CVE-2018-20346
> Status: Backported
>
> Sign off: Shubham Agrawaslshuagr@microsoft.com

This need to be fixed in Master then Warrior.
> ---
>  .../sqlite/files/CVE-2019-16168.patch              | 37 ++++++++++++++++++++++
>  meta/recipes-support/sqlite/sqlite3_3.23.1.bb      |  1 +
>  2 files changed, 38 insertions(+)
>  create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-16168.patch
>
> diff --git a/meta/recipes-support/sqlite/files/CVE-2019-16168.patch b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
> new file mode 100644
> index 0000000..d8e93c0
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
> @@ -0,0 +1,37 @@
> +From fc8bb8d6ae2d4cd024546e9e7bbab115427c3f41 Mon Sep 17 00:00:00 2001
> +From: Shubham Agrawal <shuagr@microsoft.com>
> +Date: Fri, 11 Oct 2019 20:20:18 +0000
> +Subject: [PATCH] sqlite3 CVE: CVE-2019-16168 Status: backported Sign off:
> + Shubham Agrawal<shuagr@microsoft.com>
> +Reply-To: shuagr@microsoft.com
> +
Add this kind of information into the patch itself.

CVE:CVE-2018-20346
Status: Backported

Sign off: Shubham Agrawaslshuagr@microsoft.com

See https://patchwork.openembedded.org/patch/165800/ as an example


> +---
> + sqlite3.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 0f71a44..c480e53 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -101836,7 +101836,9 @@ static void decodeIntArray(
> +       if( sqlite3_strglob("unordered*", z)==0 ){
> +         pIndex->bUnordered = 1;
> +       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
> +-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
> ++        int sz = sqlite3Atoi(z+3);
> ++        if( sz<2 ) sz = 2;
> ++        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(sz));
> +       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
> +         pIndex->noSkipScan = 1;
> +       }
> +@@ -137151,6 +137153,7 @@ static int whereLoopAddBtreeIndex(
> +     ** it to pNew->rRun, which is currently set to the cost of the index
> +     ** seek only. Then, if this is a non-covering index, add the cost of
> +     ** visiting the rows in the main table.  */
> ++    assert( pSrc->pTab->szTabRow>0 );
> +     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
> +     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
> +     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
> +-- 
> +2.7.4
> +
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> index 7df61cd..e2e9b50 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> @@ -8,6 +8,7 @@ SRC_URI = "\
>    file://CVE-2018-20505.patch \
>    file://CVE-2018-20506.patch \
>    file://CVE-2019-8457.patch \
> +  file://CVE-2019-16168.patch \
>    "
>  SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
>  SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"

Re: [thud][PATCH v2] sqlite3: CVE fix

[Shubham Agrawal]

Thanks for pointing it out. I have corrected the commit and emailed.

-----Original Message-----
From: akuster808 <akuster808@gmail.com> 
Sent: Tuesday, October 15, 2019 9:01 AM
To: Shubham Agrawal <shuagr@microsoft.com>; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [thud][PATCH v2] sqlite3: CVE fix



On 10/14/19 1:22 PM, shuagr97@gmail.com wrote:
> From: Shubham Agrawal <shuagr@microsoft.com>
>
> CVE:CVE-2019-161680
Does not match patch name.
> Status: Backport
>
> whitelist as changes already there due to previous patches in upstream
> CVE:CVE-2018-20346
> Status: Backported
>
> Sign off: Shubham Agrawaslshuagr@microsoft.com

This need to be fixed in Master then Warrior.
> ---
>  .../sqlite/files/CVE-2019-16168.patch              | 37 ++++++++++++++++++++++
>  meta/recipes-support/sqlite/sqlite3_3.23.1.bb      |  1 +
>  2 files changed, 38 insertions(+)
>  create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-16168.patch
>
> diff --git a/meta/recipes-support/sqlite/files/CVE-2019-16168.patch b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
> new file mode 100644
> index 0000000..d8e93c0
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
> @@ -0,0 +1,37 @@
> +From fc8bb8d6ae2d4cd024546e9e7bbab115427c3f41 Mon Sep 17 00:00:00 2001
> +From: Shubham Agrawal <shuagr@microsoft.com>
> +Date: Fri, 11 Oct 2019 20:20:18 +0000
> +Subject: [PATCH] sqlite3 CVE: CVE-2019-16168 Status: backported Sign off:
> + Shubham Agrawal<shuagr@microsoft.com>
> +Reply-To: shuagr@microsoft.com
> +
Add this kind of information into the patch itself.

CVE:CVE-2018-20346
Status: Backported

Sign off: Shubham Agrawaslshuagr@microsoft.com

See https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpatchwork.openembedded.org%2Fpatch%2F165800%2F&amp;data=02%7C01%7Cshuagr%40microsoft.com%7C2b40d2950423482e77a208d75188e3f1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067520688841480&amp;sdata=B%2BzLPIEwjhdwGwpu2uJ0vXPqEscX0nWR18scu4oHSp8%3D&amp;reserved=0 as an example


> +---
> + sqlite3.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 0f71a44..c480e53 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -101836,7 +101836,9 @@ static void decodeIntArray(
> +       if( sqlite3_strglob("unordered*", z)==0 ){
> +         pIndex->bUnordered = 1;
> +       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
> +-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
> ++        int sz = sqlite3Atoi(z+3);
> ++        if( sz<2 ) sz = 2;
> ++        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(sz));
> +       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
> +         pIndex->noSkipScan = 1;
> +       }
> +@@ -137151,6 +137153,7 @@ static int whereLoopAddBtreeIndex(
> +     ** it to pNew->rRun, which is currently set to the cost of the index
> +     ** seek only. Then, if this is a non-covering index, add the cost of
> +     ** visiting the rows in the main table.  */
> ++    assert( pSrc->pTab->szTabRow>0 );
> +     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
> +     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
> +     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
> +-- 
> +2.7.4
> +
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> index 7df61cd..e2e9b50 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> @@ -8,6 +8,7 @@ SRC_URI = "\
>    file://CVE-2018-20505.patch \
>    file://CVE-2018-20506.patch \
>    file://CVE-2019-8457.patch \
> +  file://CVE-2019-16168.patch \
>    "
>  SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
>  SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"