diff options
author | Jakub Jirutka <jakub@jirutka.cz> | 2018-05-20 23:22:10 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-05-30 21:26:39 +0200 |
commit | 11eca5b8a2cd0293d87aa138d0d770d5ed7a8633 (patch) | |
tree | de0ebf3f4fe26a0a8454d807d0c142bd118387c4 | |
parent | 8d596d657b2f79582ae566d4663ed84eb73b722c (diff) | |
download | aports-11eca5b8a2cd0293d87aa138d0d770d5ed7a8633.tar.bz2 aports-11eca5b8a2cd0293d87aa138d0d770d5ed7a8633.tar.xz |
main/sqlite: fix CVE-2018-8740
-rw-r--r-- | main/sqlite/APKBUILD | 8 | ||||
-rw-r--r-- | main/sqlite/CVE-2018-8740.patch | 35 |
2 files changed, 42 insertions, 1 deletions
diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD index 2c11913bfc..ebc6cb4c59 100644 --- a/main/sqlite/APKBUILD +++ b/main/sqlite/APKBUILD @@ -17,7 +17,7 @@ esac [ $_d -lt 10 ] && _d=0$_d _ver=${_a}${_b}${_c}${_d} -pkgrel=1 +pkgrel=2 pkgdesc="A C library that implements an SQL database engine" url="http://www.sqlite.org/" arch="all" @@ -26,12 +26,15 @@ depends="" makedepends="readline-dev" source="http://www.sqlite.org/2016/$pkgname-autoconf-$_ver.tar.gz CVE-2017-10989.patch + CVE-2018-8740.patch license.txt" subpackages="$pkgname-doc $pkgname-dev $pkgname-libs" builddir="$srcdir/$pkgname-autoconf-$_ver" # secfixes: +# 3.13.0-r2: +# - CVE-2018-8740 # 3.13.0-r1: # - CVE-2017-10989 @@ -82,10 +85,13 @@ libs() { md5sums="4e83f39fa2ffb610ac5ecd36865da6a2 sqlite-autoconf-3130000.tar.gz fe95af610a7d640c1ff3dbebc6308216 CVE-2017-10989.patch +14f2b89e9f7955c689ce3b3dabb7e797 CVE-2018-8740.patch c1cdbc5544034d9012e421e75a5e4890 license.txt" sha256sums="e2797026b3310c9d08bd472f6d430058c6dd139ff9d4e30289884ccd9744086b sqlite-autoconf-3130000.tar.gz a59bf7f38e52e9ffda920707ef9fb0ad2c5c97e09a440095edcbd6cde57aee89 CVE-2017-10989.patch +f6db135a50ae4429eb7325df5d5a3366757c97b0387c0bb8d03a07c1fb5638cb CVE-2018-8740.patch 4e57d9ac979f1c9872e69799c2597eeef4c6ce7224f3ede0bf9dc8d217b1e65d license.txt" sha512sums="c2547ff9a144c46829344058b4f8dcc5b8c9c823cbc667be2944dc7beecb9cc213858cc9ce302a763200278397d9a0fc6bb35c542028a124ef0980fedd574c2f sqlite-autoconf-3130000.tar.gz 74e5aa45e8189048a8efe4093b4b772e9f8e4457a89638fcb4e60a75e35213af6f9cd5b7be276b9e91109ebcad7c6b20bc3bd3d00102ca15e2c1e50606f310e4 CVE-2017-10989.patch +95c21d066f514f47765d81352b7e0651b2acd6f91631c7a3dcc032aefce0b6148545ecb961aad4fd64851e12f95db9c8eb76be3197874ed5304471da78ab277a CVE-2018-8740.patch 5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt" diff --git a/main/sqlite/CVE-2018-8740.patch b/main/sqlite/CVE-2018-8740.patch new file mode 100644 index 0000000000..04cca7ff50 --- /dev/null +++ b/main/sqlite/CVE-2018-8740.patch @@ -0,0 +1,35 @@ +This patch is based on https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b. + +See-Also: https://nvd.nist.gov/vuln/detail/CVE-2018-8740 + +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -102551,8 +102551,6 @@ + p = pParse->pNewTable; + if( p==0 ) return; + +- assert( !db->init.busy || !pSelect ); +- + /* If the db->init.busy is 1 it means we are reading the SQL off the + ** "sqlite_master" or "sqlite_temp_master" table on the disk. + ** So do not write to the disk again. Extract the root page number +@@ -102563,6 +102561,10 @@ + ** table itself. So mark it read-only. + */ + if( db->init.busy ){ ++ if( pSelect ){ ++ sqlite3ErrorMsg(pParse, ""); ++ return; ++ } + p->tnum = db->init.newTnum; + if( p->tnum==1 ) p->tabFlags |= TF_Readonly; + } +@@ -116817,7 +116819,7 @@ + char *z; + if( zObj==0 ) zObj = "?"; + z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj); +- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra); ++ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra); + sqlite3DbFree(db, *pData->pzErrMsg); + *pData->pzErrMsg = z; + } |