sqlite: add security patches

CVE-2017-13685: The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file. CVE-2017-15286: SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-10-22 16:00:08 +02:00 · 2017-10-22 16:00:08 +02:00 · d3c96bd5a6
commit d3c96bd5a6
parent df36d26d06
2 changed files with 82 additions and 0 deletions
--- a/package/sqlite/0001-CVE-2017-13685.patch
+++ b/package/sqlite/0001-CVE-2017-13685.patch
@ -0,0 +1,54 @@
+Fix CVE-2017-13685
+
+The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a
+denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
+
+Patch taken from Debian:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873762
+
+Upstream issue: https://sqlite.org/src/info/02f0f4c54f2819b3
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+
+Index: src/shell.c
+==================================================================
+--- src/shell.c
+++ src/shell.c
+@@ -2657,10 +2657,11 @@
+   int *aiType      /* Column types */
+ ){
+   int i;
+   ShellState *p = (ShellState*)pArg;
+ 
+  if( azArg==0 ) return 0;
+   switch( p->cMode ){
+     case MODE_Line: {
+       int w = 5;
+       if( azArg==0 ) break;
+       for(i=0; i<nArg; i++){
+@@ -3007,10 +3008,11 @@
+ */
+ static int captureOutputCallback(void *pArg, int nArg, char **azArg, char **az){
+   ShellText *p = (ShellText*)pArg;
+   int i;
+   UNUSED_PARAMETER(az);
+  if( azArg==0 ) return 0;
+   if( p->n ) appendText(p, "|", 0);
+   for(i=0; i<nArg; i++){
+     if( i ) appendText(p, ",", 0);
+     if( azArg[i] ) appendText(p, azArg[i], 0);
+   }
+@@ -3888,11 +3890,11 @@
+   const char *zType;
+   const char *zSql;
+   ShellState *p = (ShellState *)pArg;
+ 
+   UNUSED_PARAMETER(azNotUsed);
+-  if( nArg!=3 ) return 1;
+  if( nArg!=3 || azArg==0 ) return 0;
+   zTable = azArg[0];
+   zType = azArg[1];
+   zSql = azArg[2];
+ 
+   if( strcmp(zTable, "sqlite_sequence")==0 ){
+
--- a/package/sqlite/0002-CVE-2017-15286.patch
+++ b/package/sqlite/0002-CVE-2017-15286.patch
@ -0,0 +1,28 @@
+Fix CVE-2017-15286
+
+SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c 
+because it fails to consider certain cases where 
+`sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never 
+initialized.
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878680
+
+Upstream commit: http://www.sqlite.org/src/info/5d0ceb8dcdef92cd
+
+Index: src/shell.c
+==================================================================
+--- src/shell.c
+++ src/shell.c
+@@ -3807,10 +3807,11 @@
+         isIPK = 0;
+       }
+     }
+   }
+   sqlite3_finalize(pStmt);
+  if( azCol==0 ) return 0;
+   azCol[0] = 0;
+   azCol[nCol+1] = 0;
+ 
+   /* The decision of whether or not a rowid really needs to be preserved
+   ** is tricky.  We never need to preserve a rowid for a WITHOUT ROWID table
+