2 files changed, 22 insertions, 1 deletions

diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD
index d3b44aa8b8..d8314219a3 100644
--- a/main/sqlite/APKBUILD
+++ b/main/sqlite/APKBUILD
@@ -17,7 +17,7 @@ esac
 [ $_d -lt 10 ] && _d=0$_d
 _ver=${_a}${_b}${_c}${_d}
 
-pkgrel=0
+pkgrel=1
 pkgdesc="A C library that implements an SQL database engine"
 url="http://www.sqlite.org/"
 arch="all"
@@ -25,6 +25,7 @@ license="custom"
 depends=""
 makedepends="readline-dev"
 source="http://www.sqlite.org/2017/$pkgname-autoconf-$_ver.tar.gz
+	CVE-2017-15286.patch
 	license.txt"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-libs"
 
@@ -41,6 +42,8 @@ _amalgamation="-DSQLITE_ENABLE_FTS4 \
 	-DSQLITE_ENABLE_JSON1"
 
 # secfixes:
+#   3.20.1-r1:
+#   - CVE-2017-15286
 #   3.20.0:
 #   - CVE-2017-10989
 
@@ -82,4 +85,5 @@ libs() {
 }
 
 sha512sums="56e3d326ea2225cadc628c3518d46d9f7c4bafa0e3612f2b7ab0dc0d79fcbb7e095f6d84a9a48e1c6d83adcdc8706ad5ac4404f0f622c7fe38cfde3a7e7e69f0  sqlite-autoconf-3200100.tar.gz
+7baa7a2ed60a6b3b2400d9d11de8e6f7bc6d648e3337020efc2915c1ec17f49747d784333aee984248d590e12987f8e530e868316ce9106ce261c2e5af7f652a  CVE-2017-15286.patch
 5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9  license.txt"
diff --git a/main/sqlite/CVE-2017-15286.patch b/main/sqlite/CVE-2017-15286.patch
new file mode 100644
index 0000000000..ea88b3c3ca
--- /dev/null
+++ b/main/sqlite/CVE-2017-15286.patch
@@ -0,0 +1,17 @@
+Index: src/shell.c
+==================================================================
+--- src/shell.c
++++ src/shell.c
+@@ -3799,10 +3799,11 @@
+         isIPK = 0;
+       }
+     }
+   }
+   sqlite3_finalize(pStmt);
++  if( azCol==0 ) return 0;
+   azCol[0] = 0;
+   azCol[nCol+1] = 0;
+ 
+   /* The decision of whether or not a rowid really needs to be preserved
+   ** is tricky.  We never need to preserve a rowid for a WITHOUT ROWID table
+