* [OE-Core][dunfell][PATCH 2/2] sqlite3: Fix CVE-2020-35527
@ 2022-09-19 14:10 Virendra Thakur
2022-09-19 14:12 ` Virendra Kumar Thakur
0 siblings, 1 reply; 2+ messages in thread
From: Virendra Thakur @ 2022-09-19 14:10 UTC (permalink / raw)
To: openembedded-core; +Cc: steve, Virendra Thakur
From: Virendra Thakur <virendrak@kpit.com>
Add patch file to fix CVE-2020-35527
Reference:
http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
.../sqlite/files/CVE-2020-35527.patch | 22 +++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 +
2 files changed, 23 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35527.patch
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
new file mode 100644
index 0000000000..d1dae389b0
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
@@ -0,0 +1,22 @@
+From: dan <dan@noemail.net>
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested
+ FROM clause. Ticket [f50af3e8a565776b].
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35527
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke
+ pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
+ sqlite3TokenInit(&sColname, zColname);
+ sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
+- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){
++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){
+ struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];
+ sqlite3DbFree(db, pX->zEName);
+ if( pSub ){
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index 48051593e4..d9e98c9120 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2020-13632.patch \
file://CVE-2022-35737.patch \
file://CVE-2020-35525.patch \
+ file://CVE-2020-35527.patch \
"
SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
--
2.17.1
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-Core][dunfell][PATCH 2/2] sqlite3: Fix CVE-2020-35527
2022-09-19 14:10 [OE-Core][dunfell][PATCH 2/2] sqlite3: Fix CVE-2020-35527 Virendra Thakur
@ 2022-09-19 14:12 ` Virendra Kumar Thakur
0 siblings, 0 replies; 2+ messages in thread
From: Virendra Kumar Thakur @ 2022-09-19 14:12 UTC (permalink / raw)
To: openembedded-core; +Cc: steve
[-- Attachment #1.1: Type: text/plain, Size: 4779 bytes --]
Attaching patch file also
________________________________
From: Virendra Kumar Thakur <Virendra.Thakur@kpit.com>
Sent: Monday, September 19, 2022 7:40 PM
To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Cc: steve@sakoman.com <steve@sakoman.com>; Virendra Kumar Thakur <Virendra.Thakur@kpit.com>
Subject: [OE-Core][dunfell][PATCH 2/2] sqlite3: Fix CVE-2020-35527
From: Virendra Thakur <virendrak@kpit.com>
Add patch file to fix CVE-2020-35527
Reference:
https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsecurity.debian.org%2Fdebian-security%2Fpool%2Fupdates%2Fmain%2Fs%2Fsqlite3%2Fsqlite3_3.27.2-3%2Bdeb10u2.debian.tar.xz&data=05%7C01%7CVirendra.Thakur%40kpit.com%7C137fc88ada814f8afb7c08da9a48cda1%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637991934731945883%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5JGYey8Gm0ngS09jsjZbdSrQOogBmVmRW3bivwvnmes%3D&reserved=0
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
.../sqlite/files/CVE-2020-35527.patch | 22 +++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 +
2 files changed, 23 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35527.patch
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
new file mode 100644
index 0000000000..d1dae389b0
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
@@ -0,0 +1,22 @@
+From: dan <dan@noemail.net>
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested
+ FROM clause. Ticket [f50af3e8a565776b].
+
+Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsecurity.debian.org%2Fdebian-security%2Fpool%2Fupdates%2Fmain%2Fs%2Fsqlite3%2Fsqlite3_3.27.2-3%2Bdeb10u2.debian.tar.xz&data=05%7C01%7CVirendra.Thakur%40kpit.com%7C137fc88ada814f8afb7c08da9a48cda1%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637991934731945883%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5JGYey8Gm0ngS09jsjZbdSrQOogBmVmRW3bivwvnmes%3D&reserved=0]
+CVE: CVE-2020-35527
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke
+ pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
+ sqlite3TokenInit(&sColname, zColname);
+ sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
+- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){
++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){
+ struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];
+ sqlite3DbFree(db, pX->zEName);
+ if( pSub ){
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index 48051593e4..d9e98c9120 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.sqlite.org%2F2020%2Fsqlite-autoconf-%24&data=05%7C01%7CVirendra.Thakur%40kpit.com%7C137fc88ada814f8afb7c08da9a48cda1%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637991934731945883%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=n%2B8s1tL9NuC8%2BkcAIxrrK0LmWgsjC5J3fWagEcO2ks4%3D&reserved=0{SQLITE_PV}.tar.gz \
file://CVE-2020-13632.patch \
file://CVE-2022-35737.patch \
file://CVE-2020-35525.patch \
+ file://CVE-2020-35527.patch \
"
SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
--
2.17.1
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
[-- Attachment #1.2: Type: text/html, Size: 8017 bytes --]
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-sqlite3-Fix-CVE-2020-35527.patch --]
[-- Type: text/x-patch; name="0001-sqlite3-Fix-CVE-2020-35527.patch", Size: 2744 bytes --]
From 465af95fc244581029963f2e8740791d6e4e9ff5 Mon Sep 17 00:00:00 2001
From: Virendra Thakur <virendrak@kpit.com>
Date: Thu, 15 Sep 2022 18:11:10 +0530
Subject: [PATCH] sqlite3: Fix CVE-2020-35527
Add patch file to fix CVE-2020-35527
Reference:
http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
.../sqlite/files/CVE-2020-35527.patch | 22 +++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 +
2 files changed, 23 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35527.patch
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
new file mode 100644
index 0000000000..d1dae389b0
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
@@ -0,0 +1,22 @@
+From: dan <dan@noemail.net>
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested
+ FROM clause. Ticket [f50af3e8a565776b].
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35527
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke
+ pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
+ sqlite3TokenInit(&sColname, zColname);
+ sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
+- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){
++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){
+ struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];
+ sqlite3DbFree(db, pX->zEName);
+ if( pSub ){
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index 48051593e4..d9e98c9120 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2020-13632.patch \
file://CVE-2022-35737.patch \
file://CVE-2020-35525.patch \
+ file://CVE-2020-35527.patch \
"
SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-09-19 14:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-19 14:10 [OE-Core][dunfell][PATCH 2/2] sqlite3: Fix CVE-2020-35527 Virendra Thakur
2022-09-19 14:12 ` Virendra Kumar Thakur
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.