diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-12-17 15:17:36 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-12-17 15:18:10 +0000 |
commit | 8fe3109377cfbec22f6613be0b559e1751bd1db6 (patch) | |
tree | 2f8c691444fd2a9790990852c65b109fd5cda0b0 | |
parent | 6f62242d5794308f322c4276657785c6ffec86cd (diff) | |
download | aports-8fe3109377cfbec22f6613be0b559e1751bd1db6.tar.bz2 aports-8fe3109377cfbec22f6613be0b559e1751bd1db6.tar.xz |
main/sqlite: security fixes (CVE-2019-19242, CVE-2019-19244)
ref #11015
-rw-r--r-- | main/sqlite/APKBUILD | 15 | ||||
-rw-r--r-- | main/sqlite/CVE-2019-19242.patch | 18 | ||||
-rw-r--r-- | main/sqlite/CVE-2019-19244.patch | 12 |
3 files changed, 41 insertions, 4 deletions
diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD index 9feb10ded2..7beca97288 100644 --- a/main/sqlite/APKBUILD +++ b/main/sqlite/APKBUILD @@ -2,7 +2,7 @@ # Contributor: Ćukasz Jendrysik <scadu@yandex.com> pkgname=sqlite pkgver=3.30.1 -pkgrel=0 +pkgrel=1 pkgdesc="C library that implements an SQL database engine" url="https://www.sqlite.org/" arch="all" @@ -29,12 +29,17 @@ _ver=${_a}${_b}${_c}${_d} builddir="$srcdir/$pkgname-autoconf-$_ver" source="https://www.sqlite.org/2019/$pkgname-autoconf-$_ver.tar.gz license.txt + CVE-2019-19242.patch + CVE-2019-19244.patch " # secfixes: +# 3.30.1-r1: +# - CVE-2019-19242 +# - CVE-2019-19242 # 3.28.0-r0: -# - CVE-2019-5018 -# - CVE-2019-8457 +# - CVE-2019-5018 +# - CVE-2019-8457 # additional CFLAGS to set _amalgamation="-DSQLITE_ENABLE_FTS4 \ @@ -103,4 +108,6 @@ static() { } sha512sums="9ec0283c417fb0323b0e43550af2a49e9a63988e4212c27ea62cc9da3534caa6faf5bdc7e051b6772c4ce61560a433b3d3288b68e05e9ba8495f61a3bcebda3e sqlite-autoconf-3300100.tar.gz -5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt" +5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt +c4e8123da7d85d59c9d2d1d07e443185cbc82102805361f2dd24da0482b683da57b7032f2c27273b46e6ed1b12f3714590cfc1258720bcb4e8405f67da214fe6 CVE-2019-19242.patch +e7982014a62b4fa465918fd65384cec406ea09598f3e0511eb2b68f618983b2f29a932267397aff9b88b97367dc8e05c4074fa8e276e3f4294ac019df498a724 CVE-2019-19244.patch" diff --git a/main/sqlite/CVE-2019-19242.patch b/main/sqlite/CVE-2019-19242.patch new file mode 100644 index 0000000000..6c2e79f063 --- /dev/null +++ b/main/sqlite/CVE-2019-19242.patch @@ -0,0 +1,18 @@ +diff --git a/sqlite3.c b/sqlite3.c +index 8fd740b..c67f4fe 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -101055,7 +101055,12 @@ expr_code_doover: + ** constant. + */ + int iReg = sqlite3ExprCodeTarget(pParse, pExpr->pLeft,target); +- int aff = sqlite3TableColumnAffinity(pExpr->y.pTab, pExpr->iColumn); ++ int aff; ++ if( pExpr->y.pTab ){ ++ aff = sqlite3TableColumnAffinity(pExpr->y.pTab, pExpr->iColumn); ++ }else{ ++ aff = pExpr->affExpr; ++ } + if( aff>SQLITE_AFF_BLOB ){ + static const char zAff[] = "B\000C\000D\000E"; + assert( SQLITE_AFF_BLOB=='A' ); diff --git a/main/sqlite/CVE-2019-19244.patch b/main/sqlite/CVE-2019-19244.patch new file mode 100644 index 0000000000..3d4e2df8e2 --- /dev/null +++ b/main/sqlite/CVE-2019-19244.patch @@ -0,0 +1,12 @@ +diff --git a/sqlite3.c b/sqlite3.c +index 8fd740b..bd647ca 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select( + */ + if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct + && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0 ++ && p->pWin==0 + ){ + p->selFlags &= ~SF_Distinct; + pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0); |