[OE-core] [thud][PATCH] sqlite3: CVE-2019-8457.patch fix Backport from 3.28.0 Sign off: Shubham Agrawal<shuagr at microsoft.com>

akuster808 akuster808 at gmail.com
Sun Oct 6 22:25:41 UTC 2019



On 10/1/19 11:12 AM, shuagr97 at gmail.com wrote:
> From: Shubham Agrawal <shuagr at microsoft.com>

I cleaned up the patch to conform to the patch guide.

see
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/thud-nmut&id=c0c66d213b4b6deb0a5e9a688810d2e9674d3ecf 
as an example of what was meant.

- armin
>
> ---
>  .../sqlite/files/CVE-2019-8457.patch               | 124 +++++++++++++++++++++
>  meta/recipes-support/sqlite/sqlite3_3.23.1.bb      |   1 +
>  2 files changed, 125 insertions(+)
>  create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-8457.patch
>
> diff --git a/meta/recipes-support/sqlite/files/CVE-2019-8457.patch b/meta/recipes-support/sqlite/files/CVE-2019-8457.patch
> new file mode 100644
> index 0000000..a103dd8
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/CVE-2019-8457.patch
> @@ -0,0 +1,124 @@
> +From fbf2392644f0ae4282fa4583c9bb67260995d983 Mon Sep 17 00:00:00 2001
> +From: Shubham Agrawal <shuagr at microsoft.com>
> +Date: Mon, 23 Sep 2019 20:58:47 +0000
> +Subject: [PATCH] CVE: CVE-2019-8457 Upstream-Status: Backport
> +
> +Sign off: Shubham Agrawal <shuagr at microsoft.com>
> +---
> + sqlite3.c | 50 +++++++++++++++++++++++++++++++-------------------
> + 1 file changed, 31 insertions(+), 19 deletions(-)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 00513d4..5c8c7f4 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -172325,6 +172325,33 @@
> + }
> + 
> + 
> ++/* Allocate and initialize a new dynamic string object */
> ++StrAccum *sqlite3_str_new(sqlite3 *db){
> ++  StrAccum *p = sqlite3DbMallocRaw(db, sizeof(*p));
> ++  if( p ){
> ++    sqlite3StrAccumInit(p, db, 0, 0, SQLITE_MAX_LENGTH);
> ++  }
> ++  return p;
> ++}
> ++
> ++/* Finalize a string created using sqlite3_str_new().
> ++*/
> ++
> ++char *sqlite3_str_finish(StrAccum *p){
> ++  char *z;
> ++  if( p ){
> ++    z = sqlite3StrAccumFinish(p);
> ++    sqlite3DbFree(p->db, p);
> ++  }else{
> ++    z = 0;
> ++  }
> ++  return z;
> ++}
> ++/* Return any error code associated with p */
> ++int sqlite3_str_errcode(StrAccum *p){
> ++  return p ? p->accError : SQLITE_NOMEM;
> ++}
> ++
> + /*
> + ** Implementation of a scalar function that decodes r-tree nodes to
> + ** human readable strings. This can be used for debugging and analysis.
> +@@ -172342,49 +172369,53 @@
> + ** <num-dimension>*2 coordinates.
> + */
> + static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){
> +-  char *zText = 0;
> ++
> +   RtreeNode node;
> +   Rtree tree;
> +   int ii;
> ++  int nData;
> ++  int errCode;
> ++  StrAccum *pOut;
> + 
> +   UNUSED_PARAMETER(nArg);
> +   memset(&node, 0, sizeof(RtreeNode));
> +   memset(&tree, 0, sizeof(Rtree));
> +   tree.nDim = (u8)sqlite3_value_int(apArg[0]);
> ++  if( tree.nDim<1 || tree.nDim>5 ) return;
> +   tree.nDim2 = tree.nDim*2;
> +   tree.nBytesPerCell = 8 + 8 * tree.nDim;
> +   node.zData = (u8 *)sqlite3_value_blob(apArg[1]);
> ++  nData = sqlite3_value_bytes(apArg[1]);
> ++  if( nData<4 ) return;
> ++  if( nData<NCELL(&node)*tree.nBytesPerCell ) return;
> + 
> ++  pOut = sqlite3_str_new(0);
> +   for(ii=0; ii<NCELL(&node); ii++){
> +-    char zCell[512];
> +-    int nCell = 0;
> ++
> ++
> +     RtreeCell cell;
> +     int jj;
> + 
> +     nodeGetCell(&tree, &node, ii, &cell);
> +-    sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid);
> +-    nCell = (int)strlen(zCell);
> ++    if( ii>0 ) sqlite3StrAccumAppend(pOut, " ", 1);
> ++    sqlite3XPrintf(pOut, "{%lld", cell.iRowid);
> ++
> +     for(jj=0; jj<tree.nDim2; jj++){
> + #ifndef SQLITE_RTREE_INT_ONLY
> +-      sqlite3_snprintf(512-nCell,&zCell[nCell], " %g",
> +-                       (double)cell.aCoord[jj].f);
> ++
> ++      sqlite3XPrintf(pOut, " %g", (double)cell.aCoord[jj].f);
> + #else
> +-      sqlite3_snprintf(512-nCell,&zCell[nCell], " %d",
> +-                       cell.aCoord[jj].i);
> ++
> ++      sqlite3XPrintf(pOut, " %d", cell.aCoord[jj].i);
> + #endif
> +-      nCell = (int)strlen(zCell);
> +-    }
> + 
> +-    if( zText ){
> +-      char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell);
> +-      sqlite3_free(zText);
> +-      zText = zTextNew;
> +-    }else{
> +-      zText = sqlite3_mprintf("{%s}", zCell);
> +     }
> ++    sqlite3StrAccumAppend(pOut, "}", 1);
> +   }
> +-  
> +-  sqlite3_result_text(ctx, zText, -1, sqlite3_free);
> ++
> ++  errCode = sqlite3_str_errcode(pOut);
> ++  sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free);
> ++  sqlite3_result_error_code(ctx, errCode);
> + }
> + 
> + /* This routine implements an SQL function that returns the "depth" parameter
> +-- 
> +2.7.4
> +
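Review bot: `pOut = sqlite3_str_new(0);` in rtreenode() is used without a NULL check, yet the backported sqlite3_str_new() returns NULL when sqlite3DbMallocRaw() fails, so the following `sqlite3StrAccumAppend(pOut, " ", 1)` and `sqlite3XPrintf(pOut, ...)` calls receive a null accumulator on out-of-memory. sqlite3_str_finish() and sqlite3_str_errcode() both guard against NULL, but the append and printf helpers are not shown in this patch and presumably dereference their first argument. Adding `if( pOut==0 ){ sqlite3_result_error_nomem(ctx); return; }` directly after the allocation keeps the OOM path from turning into a crash in a change whose visible purpose is to validate the node blob before it is read. Separately, the three new helpers are defined with external linkage under the public `sqlite3_` prefix in a 3.23.1 tree; declaring them `static` would avoid exporting symbols whose behaviour may differ from the later upstream API of the same name.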
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> index d214ea1..7df61cd 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
> @@ -7,6 +7,7 @@ SRC_URI = "\
>    http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
>    file://CVE-2018-20505.patch \
>    file://CVE-2018-20506.patch \
> +  file://CVE-2019-8457.patch \
>    "
>  SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
>  SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"


