authorNatanael Copa <ncopa@alpinelinux.org>2018-12-31 08:49:07 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2019-01-01 13:12:16 +0100
commit91728ec7bae0fc5f0a2669ad3d8edcdb8f37e4ac (patch)
tree00c347e33a8cccadf95709f9e87e587595c62dbc
parentb02bbf085421c6efa07378f71077a1a317428866 (diff)
main/sqlite: security upgrade to 3.25.3 (CVE-2018-20346)
fixes #9794
-rw-r--r--main/sqlite/APKBUILD15
-rw-r--r--main/sqlite/CVE-2017-15286.patch17
-rw-r--r--main/sqlite/CVE-2018-8740.patch35
3 files changed, 7 insertions, 60 deletions
diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD
index c79902a8ad..369e12e317 100644
--- a/main/sqlite/APKBUILD
+++ b/main/sqlite/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
# Contributor: Ɓukasz Jendrysik <scadu@yandex.com>
pkgname=sqlite
-pkgver=3.20.1
+pkgver=3.25.3
_a=${pkgver%%.*}
_b=${pkgver#${_a}.}
_b=${_b%%.*}
@@ -17,16 +17,14 @@ esac
[ $_d -lt 10 ] && _d=0$_d
_ver=${_a}${_b}${_c}${_d}
-pkgrel=2
+pkgrel=0
pkgdesc="A C library that implements an SQL database engine"
url="http://www.sqlite.org/"
arch="all"
license="custom"
depends=""
makedepends="readline-dev"
-source="http://www.sqlite.org/2017/$pkgname-autoconf-$_ver.tar.gz
- CVE-2017-15286.patch
- CVE-2018-8740.patch
+source="http://www.sqlite.org/2018/$pkgname-autoconf-$_ver.tar.gz
license.txt"
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs"
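Review bot: The new `source=` line still fetches the release tarball over plain `http://`, so the only integrity control on the download is the `sha512sums` entry updated in the last hunk of this file. That pin protects later builds, but the digest is presumably generated from whatever the maintainer downloaded at bump time, so a tampered download at that moment would be pinned rather than detected. I would change the line to `source="https://www.sqlite.org/2018/$pkgname-autoconf-$_ver.tar.gz` and compare the tarball against a hash published by upstream before committing the checksum. The release year in the path is hard-coded and has to be edited by hand on a bump that crosses a year boundary; a one-line comment above `source=` saying so would save the next maintainer a failed fetch.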
@@ -43,6 +41,8 @@ _amalgamation="-DSQLITE_ENABLE_FTS4 \
-DSQLITE_ENABLE_JSON1"
# secfixes:
+# 3.25.3-r0:
+# - CVE-2018-20346
# 3.20.1-r2:
# - CVE-2018-8740
# 3.20.1-r1:
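Review bot: The `secfixes` block keeps its `3.20.1-r2` entry for CVE-2018-8740 (and the `3.20.1-r1` entry whose list is cut off by the hunk boundary), while this commit deletes the local CVE-2017-15286.patch and CVE-2018-8740.patch that backed those fixes. From this version on, those entries are only true if upstream 3.25.3 already contains both fixes, and nothing in the change records that this was checked. The deleted CVE-2018-8740 patch cites an upstream vdiff, so it is probably merged, but I would confirm both against the 3.25.3 source and say so in the commit message, for example `drop CVE-2017-15286.patch and CVE-2018-8740.patch, both included upstream`. That gives anyone auditing the package history an explicit reason for removing the backports.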
@@ -51,6 +51,7 @@ _amalgamation="-DSQLITE_ENABLE_FTS4 \
# - CVE-2017-10989
builddir="$srcdir/$pkgname-autoconf-$_ver"
+
build() {
cd "$builddir"
export CFLAGS="$CFLAGS $_amalgamation"
@@ -87,7 +88,5 @@ libs() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr/
}
-sha512sums="56e3d326ea2225cadc628c3518d46d9f7c4bafa0e3612f2b7ab0dc0d79fcbb7e095f6d84a9a48e1c6d83adcdc8706ad5ac4404f0f622c7fe38cfde3a7e7e69f0 sqlite-autoconf-3200100.tar.gz
-7baa7a2ed60a6b3b2400d9d11de8e6f7bc6d648e3337020efc2915c1ec17f49747d784333aee984248d590e12987f8e530e868316ce9106ce261c2e5af7f652a CVE-2017-15286.patch
-95c21d066f514f47765d81352b7e0651b2acd6f91631c7a3dcc032aefce0b6148545ecb961aad4fd64851e12f95db9c8eb76be3197874ed5304471da78ab277a CVE-2018-8740.patch
+sha512sums="5bc501d15367e097f4070185974b0c3a8246c06b205fb2258ed18870ff3fbf120ac5e0ba031a6744af89f7659206e28e7de2f0367bdb190b8412e453b43de4ba sqlite-autoconf-3250300.tar.gz
5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt"
diff --git a/main/sqlite/CVE-2017-15286.patch b/main/sqlite/CVE-2017-15286.patch
deleted file mode 100644
index ea88b3c3ca..0000000000
--- a/main/sqlite/CVE-2017-15286.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: src/shell.c
-==================================================================
---- src/shell.c
-+++ src/shell.c
-@@ -3799,10 +3799,11 @@
- isIPK = 0;
- }
- }
- }
- sqlite3_finalize(pStmt);
-+ if( azCol==0 ) return 0;
- azCol[0] = 0;
- azCol[nCol+1] = 0;
-
- /* The decision of whether or not a rowid really needs to be preserved
- ** is tricky. We never need to preserve a rowid for a WITHOUT ROWID table
-
diff --git a/main/sqlite/CVE-2018-8740.patch b/main/sqlite/CVE-2018-8740.patch
deleted file mode 100644
index 04cca7ff50..0000000000
--- a/main/sqlite/CVE-2018-8740.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-This patch is based on https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b.
-
-See-Also: https://nvd.nist.gov/vuln/detail/CVE-2018-8740
-
---- a/sqlite3.c
-+++ b/sqlite3.c
-@@ -102551,8 +102551,6 @@
- p = pParse->pNewTable;
- if( p==0 ) return;
-
-- assert( !db->init.busy || !pSelect );
--
- /* If the db->init.busy is 1 it means we are reading the SQL off the
- ** "sqlite_master" or "sqlite_temp_master" table on the disk.
- ** So do not write to the disk again. Extract the root page number
-@@ -102563,6 +102561,10 @@
- ** table itself. So mark it read-only.
- */
- if( db->init.busy ){
-+ if( pSelect ){
-+ sqlite3ErrorMsg(pParse, "");
-+ return;
-+ }
- p->tnum = db->init.newTnum;
- if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
- }
-@@ -116817,7 +116819,7 @@
- char *z;
- if( zObj==0 ) zObj = "?";
- z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
-- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
-+ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
- sqlite3DbFree(db, *pData->pzErrMsg);
- *pData->pzErrMsg = z;
- }