* Re: [oe][zeus][PATCH] sqlite3; fix 2 CVEs (CVE-2020-11655 and CVE-2020-11656)
[not found] <20200421061455.6968-1-yue.tao@windriver.com>
@ 2020-05-09 1:47 ` Yue Tao
0 siblings, 0 replies; only message in thread
From: Yue Tao @ 2020-05-09 1:47 UTC (permalink / raw)
To: OE-core; +Cc: yue.tao
Just a heads up, do you have a chance to review this patch?
ytao
On 4/21/20 2:14 PM, Yue Tao wrote:
> From: Yue Tao <Yue.Tao@windriver.com>
>
> Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
> ---
> .../sqlite/sqlite3/CVE-2020-11655.patch | 33 ++++++++++
> .../sqlite/sqlite3/CVE-2020-11656.patch | 60 +++++++++++++++++++
> meta/recipes-support/sqlite/sqlite3_3.29.0.bb | 2 +
> 3 files changed, 95 insertions(+)
> create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2020-11655.patch
> create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2020-11656.patch
>
> diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2020-11655.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2020-11655.patch
> new file mode 100644
> index 0000000000..e518dd43e5
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2020-11655.patch
> @@ -0,0 +1,33 @@
> +From c415d91007e1680e4eb17def583b202c3c83c718 Mon Sep 17 00:00:00 2001
> +From: drh <drh@noemail.net>
> +Date: Fri, 3 Apr 2020 13:19:03 +0000
> +Subject: [PATCH] In the event of a semantic error in an aggregate query,
> + early-out the resetAccumulator() function to prevent problems due to
> + incomplete or incorrect initialization of the AggInfo object. Fix for ticket
> + [af4556bb5c285c08].
> +
> +FossilOrigin-Name: 4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441
> +
> +CVE: CVE-2020-11655
> +
> +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/c415d91007e1680e4eb17def583b202]
> +
> +Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
> +
> +---
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index b2dd5f149..59ba706fc 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -130409,6 +130409,7 @@ static void resetAccumulator(Parse *pPar
> + struct AggInfo_func *pFunc;
> + int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
> + if( nReg==0 ) return;
> ++ if( pParse->nErr ) return;
> + #ifdef SQLITE_DEBUG
> + /* Verify that all AggInfo registers are within the range specified by
> + ** AggInfo.mnReg..AggInfo.mxReg */
> +--
> +2.17.1
> +
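Review bot: the Upstream-Status link in this patch header is truncated: it ends at `c415d91007e1680e4eb17def583b202` while the From line above carries the full commit id `c415d91007e1680e4eb17def583b202c3c83c718`, and the CVE-2020-11656 patch in this same series cites its full 40-character id. Use the full id here as well so the reference matches the From line and resolves unambiguously. The code change itself, an early `if( pParse->nErr ) return;` placed right after the existing `nReg==0` early-out in resetAccumulator(), matches the subject's stated intent of skipping accumulator setup once the parse has already recorded an error.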
> diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2020-11656.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2020-11656.patch
> new file mode 100644
> index 0000000000..5635fef48b
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2020-11656.patch
> @@ -0,0 +1,60 @@
> +From fb99e388ec7f30fe43e4878236e3695ff24ae58d Mon Sep 17 00:00:00 2001
> +From: dan <dan@noemail.net>
> +Date: Fri, 3 Apr 2020 11:20:40 +0000
> +Subject: [PATCH] Fix a case when a pointer might be used after being freed in
> + the ALTER TABLE code. Fix for [4722bdab08cb1].
> +
> +FossilOrigin-Name: d09f8c3621d5f7f8c6d99d7d82bcaa8421855b3f470bea2b26c858106382b906
> +
> +CVE: CVE-2020-11656
> +
> +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/fb99e388ec7f30fe43e4878236e3695ff24ae58d]
> +
> +Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
> +---
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index ee193d18b..7114757a2 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -103507,6 +103507,21 @@ SQLITE_PRIVATE void sqlite3RenameTokenRe
> + }
> +
> + /*
> ++** Unmap all tokens in the IdList object passed as the second argument.
> ++*/
> ++static void unmapColumnIdlistNames(
> ++ Parse *pParse,
> ++ IdList *pIdList
> ++){
> ++ if( pIdList ){
> ++ int ii;
> ++ for(ii=0; ii<pIdList->nId; ii++){
> ++ sqlite3RenameTokenRemap(pParse, 0, (void*)pIdList->a[ii].zName);
> ++ }
> ++ }
> ++}
> ++
> ++/*
> + ** Walker callback used by sqlite3RenameExprUnmap().
> + */
> + static int renameUnmapExprCb(Walker *pWalker, Expr *pExpr){
> +@@ -103534,6 +103549,7 @@ static int renameUnmapSelectCb(Walker *p
> + SrcList *pSrc = p->pSrc;
> + for(i=0; i<pSrc->nSrc; i++){
> + sqlite3RenameTokenRemap(pParse, 0, (void*)pSrc->a[i].zName);
> ++ unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);
> + }
> + }
> + return WRC_Continue;
> +@@ -103750,6 +103766,7 @@ static void renameColumnIdlistNames(
> + }
> + }
> +
> ++
> + /*
> + ** Parse the SQL statement zSql using Parse object (*p). The Parse object
> + ** is initialized by this function before it is used.
> +--
> +2.17.1
> +
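Review bot: the third nested hunk of this backport (`@@ -103750,6 +103766,7 @@`) adds only a blank line between renameColumnIdlistNames() and the comment block that follows; it is a whitespace-only change with no bearing on the use-after-free fix and could be dropped to keep the backport minimal. The functional part reads correctly: the new unmapColumnIdlistNames() helper NULL-checks pIdList, so the added call `unmapColumnIdlistNames(pParse, pSrc->a[i].pUsing);` in renameUnmapSelectCb() is safe for join terms that have no USING clause.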
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
> index cf3b179845..1db72f0b9a 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
> @@ -12,6 +12,8 @@ SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
> file://CVE-2019-19926.patch \
> file://CVE-2019-19959.patch \
> file://CVE-2019-20218.patch \
> + file://CVE-2020-11655.patch \
> + file://CVE-2020-11656.patch \
> "
> SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
> SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"