!23 fix CVE-2020-13631 CVE-2020-15358

Merge pull request !23 from Markeryang/openEuler-20.03-LTS

0005-Fix-CVE-2020-15358.patch

@@ -0,0 +1,90 @@
+From a144b923c5f3a60e4f7caa77305a3e4765bdba5d Mon Sep 17 00:00:00 2001
+From: Peibao Liu <peibao.liu@windriver.com>
+Date: Mon, 6 Jul 2020 15:59:47 -0400
+Subject: [PATCH] backport-Fix-CVE-2020-15358
+
+Signed-off-by: Peibao Liu <peibao.liu@windriver.com>
+---
+ src/select.c      |  7 +++----
+ src/sqliteInt.h   |  1 +
+ test/selectA.test | 21 +++++++++++++++++++++
+ 3 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/src/select.c b/src/select.c
+index b5e5a75..7f88e35 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -2717,9 +2717,7 @@ static int multiSelect(
+                           selectOpName(p->op)));
+         rc = sqlite3Select(pParse, p, &uniondest);
+         testcase( rc!=SQLITE_OK );
+-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
+-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
+-        sqlite3ExprListDelete(db, p->pOrderBy);
++        assert( p->pOrderBy==0 );
+         pDelete = p->pPrior;
+         p->pPrior = pPrior;
+         p->pOrderBy = 0;
+@@ -4068,7 +4066,7 @@ static int flattenSubquery(
+     ** We look at every expression in the outer query and every place we see
+     ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
+     */
+-    if( pSub->pOrderBy ){
++    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
+       /* At this point, any non-zero iOrderByCol values indicate that the
+       ** ORDER BY column expression is identical to the iOrderByCol'th
+       ** expression returned by SELECT statement pSub. Since these values
+@@ -5769,6 +5767,7 @@ int sqlite3Select(
+     sqlite3ExprListDelete(db, p->pOrderBy);
+     p->pOrderBy = 0;
+     p->selFlags &= ~SF_Distinct;
++    p->selFlags |= SF_NoopOrderBy;
+   }
+   sqlite3SelectPrep(pParse, p, 0);
+   if( pParse->nErr || db->mallocFailed ){
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index aa9556b..514df18 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -3074,6 +3074,7 @@ struct Select {
+ #define SF_WhereBegin    0x0080000 /* Really a WhereBegin() call.  Debug Only */
+ #define SF_WinRewrite    0x0100000 /* Window function rewrite accomplished */
+ #define SF_View          0x0200000 /* SELECT statement is a view */
++#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
+ 
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+diff --git a/test/selectA.test b/test/selectA.test
+index 838e5f4..7ca0096 100644
+--- a/test/selectA.test
++++ b/test/selectA.test
+@@ -1446,5 +1446,26 @@ do_execsql_test 6.1 {
+   SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
+ } {12345}
+ 
++# 2020-06-15 ticket 8f157e8010b22af0
++#
++reset_db
++do_execsql_test 7.1 {
++  CREATE TABLE t1(c1);     INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
++  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
++  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
++  CREATE VIEW t4 AS SELECT c3 FROM t3;
++  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
++}
++do_execsql_test 7.2 {
++  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
++} {123 123}
++do_execsql_test 7.3 {
++  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
++} {123 123}
++do_execsql_test 7.4 {
++  CREATE TABLE a(b);
++  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
++  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
++} {}
+ 
+ finish_test
+-- 
+2.23.0
+

0006-Fix-CVE-2020-13631.patch

@@ -0,0 +1,82 @@
+diff -Naur 1/src/alter.c 2/src/alter.c
+--- 1/src/alter.c	2020-06-02 16:02:38.294309518 -0400
++++ 2/src/alter.c	2020-06-02 16:05:27.248309518 -0400
+@@ -123,7 +123,10 @@
+   /* Check that a table or index named 'zName' does not already exist
+   ** in database iDb. If so, this is an error.
+   */
+-  if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
++  if( sqlite3FindTable(db, zName, zDb)
++   || sqlite3FindIndex(db, zName, zDb)
++   || sqlite3IsShadowTableOf(db, pTab, zName)
++  ){
+     sqlite3ErrorMsg(pParse, 
+         "there is already another table or index with this name: %s", zName);
+     goto exit_rename_table;
+diff -Naur 1/src/build.c 2/src/build.c
+--- 1/src/build.c	2020-06-02 16:02:38.325309518 -0400
++++ 2/src/build.c	2020-06-02 16:11:12.023309518 -0400
+@@ -2129,6 +2129,28 @@
+   recomputeColumnsNotIndexed(pPk);
+ }
+ 
++
++#ifndef SQLITE_OMIT_VIRTUALTABLE
++/*
++ * ** Return true if pTab is a virtual table and zName is a shadow table name
++ * ** for that virtual table.
++ * */
++int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char *zName){
++  int nName;                    /* Length of zName */
++  Module *pMod;                 /* Module for the virtual table */
++
++  if( !IsVirtual(pTab) ) return 0;
++  nName = sqlite3Strlen30(pTab->zName);
++  if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
++  if( zName[nName]!='_' ) return 0;
++  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
++  if( pMod==0 ) return 0;
++  if( pMod->pModule->iVersion<3 ) return 0;
++  if( pMod->pModule->xShadowName==0 ) return 0;
++  return pMod->pModule->xShadowName(zName+nName+1);
++}
++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
++
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+ /*
+ ** Return true if zName is a shadow table name in the current database
+@@ -2140,7 +2162,6 @@
+ int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
+   char *zTail;                  /* Pointer to the last "_" in zName */
+   Table *pTab;                  /* Table that zName is a shadow of */
+-  Module *pMod;                 /* Module for the virtual table */
+ 
+   zTail = strrchr(zName, '_');
+   if( zTail==0 ) return 0;
+@@ -2149,11 +2170,7 @@
+   *zTail = '_';
+   if( pTab==0 ) return 0;
+   if( !IsVirtual(pTab) ) return 0;
+-  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
+-  if( pMod==0 ) return 0;
+-  if( pMod->pModule->iVersion<3 ) return 0;
+-  if( pMod->pModule->xShadowName==0 ) return 0;
+-  return pMod->pModule->xShadowName(zTail+1);
++  return sqlite3IsShadowTableOf(db, pTab, zName);
+ }
+ #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
+ 
+diff -Naur 1/src/sqliteInt.h 2/src/sqliteInt.h
+--- 1/src/sqliteInt.h	2020-06-02 16:02:38.291309518 -0400
++++ 2/src/sqliteInt.h	2020-06-02 16:14:49.356309518 -0400
+@@ -4673,8 +4673,10 @@
+ int sqlite3ReadOnlyShadowTables(sqlite3 *db);
+ #ifndef SQLITE_OMIT_VIRTUALTABLE
+   int sqlite3ShadowTableName(sqlite3 *db, const char *zName);
++  int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*);
+ #else
+ # define sqlite3ShadowTableName(A,B) 0
++# define sqlite3IsShadowTableOf(A,B,C) 0
+ #endif
+ int sqlite3VtabEponymousTableInit(Parse*,Module*);
+ void sqlite3VtabEponymousTableClear(sqlite3*,Module*);

sqlite.spec

@@ -7,7 +7,7 @@
 
 Name:    sqlite
 Version: 3.31.1
-Release: 0
+Release: 1
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
@@ -16,12 +16,13 @@ Source0: http://www.sqlite.org/%{year}/sqlite-src-%{extver}.zip
 Source1: http://www.sqlite.org/%{year}/sqlite-doc-%{extver}.zip
 Source2: https://www.sqlite.org/%{year}/sqlite-autoconf-%{extver}.tar.gz
 
-Patch0000: 0000-sqlite-no-malloc-usable-size.patch
+Patch1: 0001-Fix-CVE-2020-9327.patch
-
+Patch2: 0002-Fix-CVE-2020-9327.patch
-Patch6000: 6000-0001-Fix-CVE-2020-9327.patch
+Patch3: 0003-Fix-CVE-2020-11655.patch
-Patch6001: 6001-0002-Fix-CVE-2020-9327.patch
+Patch4: 0004-Fix-CVE-2020-11656.patch
-Patch6002: 6002-Fix-CVE-2020-11655.patch
+Patch5: 0005-Fix-CVE-2020-15358.patch
-Patch6003: 6003-Fix-CVE-2020-11656.patch
+Patch6: 0006-Fix-CVE-2020-13631.patch
+Patch7: 0007-sqlite-no-malloc-usable-size.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -64,11 +65,14 @@ This contains man files and HTML files for the using of sqlite.
 %prep
 #autosetup will fail because of 2 zip files
 %setup -q -a1 -n %{name}-src-%{extver}
-%patch0000 -p1
+%patch1 -p0
-%patch6000 -p0
+%patch2 -p0
-%patch6001 -p0
+%patch3 -p1
-%patch6002 -p1
+%patch4 -p1
-%patch6003 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
@@ -141,6 +145,12 @@ make test
 %{_mandir}/man*/*
 
 %changelog
+* Mon Aug 3 2020 yanglongkang <yanglongkang@huawei.com> - 3.31.1-1
+- Type:cves
+- ID:CVE-2020-13871 CVE-2020-13631
+- SUG: NA
+- DESC: fix cve
+
 * Fri Apr 17 2020 luoshijie <luoshijie1@huawei.com> - 3.31.1-0
 - Type:enhancement
 - ID:NA