
List:       openembedded-core
Subject:    Re: [OE-core] [poky][dunfell][PATCH] sqlite3: Apply security fixes from Ubuntu
From:       "Steve Sakoman" <steve () sakoman ! com>
Date:       2020-10-30 15:47:53
Message-ID: CAOSpxdaqt9iPDdgaQanjM6YOW=McH9+hTd_h59mkd=qzUwa-fQ () mail ! gmail ! com

On Fri, Oct 30, 2020 at 1:57 AM akash hadke <akash.hadke@kpit.com> wrote:
> 
> Applied CVE patches of below issues which are present on
> ubuntu site given below.
> 
> Link: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/sqlite3/3.31.1-4ubuntu0.2/sqlite3_3.31.1-4ubuntu0.2.debian.tar.xz
>  
> CVE Issues are as below:
> CVE-2020-13434
> CVE-2020-13435
> CVE-2020-13630
> CVE-2020-13631
> CVE-2020-13632
> 
> Testing was done in an ARM64 product CI system.
> 
> Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
> ---
> ...qlite3_CVEs_from_3.31.1-4ubuntu0.2.debian.patch | 334 +++++++++++++++++++++
> meta/recipes-support/sqlite/sqlite3_3.31.1.bb      |   1 +
> 2 files changed, 335 insertions(+)
> create mode 100644 \
> meta/recipes-support/sqlite/files/sqlite3_CVEs_from_3.31.1-4ubuntu0.2.debian.patch 
> diff --git a/meta/recipes-support/sqlite/files/sqlite3_CVEs_from_3.31.1-4ubuntu0.2.debian.patch \
> b/meta/recipes-support/sqlite/files/sqlite3_CVEs_from_3.31.1-4ubuntu0.2.debian.patch
>  new file mode 100644
> index 0000000..d10c9af
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/sqlite3_CVEs_from_3.31.1-4ubuntu0.2.debian.patch
>  @@ -0,0 +1,334 @@
> +Downloaded Ubuntu 20.04 LTS Sources
> +https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/sqlite3/3.31.1-4ubuntu0.2/sqlite3_3.31.1-4ubuntu0.2.debian.tar.xz
>  +
> +Then copied the full tree and applied following CVE patches from
> +Ubuntu debian tar ball from path debian/patches using "patch -p1":
> +CVE-2020-13434
> +CVE-2020-13435-1
> +CVE-2020-13435-2
> +CVE-2020-13435-pre1
> +CVE-2020-13630
> +CVE-2020-13631
> +CVE-2020-13632

Please add these to the recipe as individual patch files; the contents
of the patch files should be unchanged except for the addition of the
Upstream-Status: and CVE: tags.

See: https://wiki.yoctoproject.org/wiki/Security
in the "Patch name convention and commit message" section for details.

Ross: in cases like this where there are multiple patch files for a
single CVE do we need the CVE: tag in all three files?

> +These patches were applied in the file sqlite3.c since we are
> +following amalgam format and the final patch was created after
> +taking diff of file sqlite3.c
> +
> +Upstream-Status: Backport \
> [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/sqlite3/3.31.1-4ubuntu0.2/sqlite3_3.31.1-4ubuntu0.2.debian.tar.xz]
>  +
> +Comment: Refreshed some hunks by adding SQLITE_PRIVATE to some functions.
> +         As our codebase having SQLITE_PRIVATE for functions.

I'm not going to be able to take security patches that have been
changed from the upstream in this way.

You would have to do this kind of patching in your own layer.

Thanks again for helping with CVEs.

Steve

> +CVE: CVE-2020-13434
> +CVE: CVE-2020-13435
> +CVE: CVE-2020-13630
> +CVE: CVE-2020-13631
> +CVE: CVE-2020-13632
> +
> +--- a/sqlite3.c       2020-01-27 20:25:19.000000000 +0000
> ++++ b/sqlite3.c   2020-10-10 11:28:20.622405611 +0000
> +@@ -18965,6 +18965,9 @@
> + SQLITE_PRIVATE int sqlite3ExprWalkNoop(Walker*, Expr*);
> + SQLITE_PRIVATE int sqlite3SelectWalkNoop(Walker*, Select*);
> + SQLITE_PRIVATE int sqlite3SelectWalkFail(Walker*, Select*);
> ++SQLITE_PRIVATE int sqlite3WalkerDepthIncrease(Walker*,Select*);
> ++SQLITE_PRIVATE void sqlite3WalkerDepthDecrease(Walker*,Select*);
> ++
> + #ifdef SQLITE_DEBUG
> + SQLITE_PRIVATE void sqlite3SelectWalkAssert2(Walker*, Select*);
> + #endif
> +@@ -19945,8 +19948,10 @@
> + SQLITE_PRIVATE int sqlite3ReadOnlyShadowTables(sqlite3 *db);
> + #ifndef SQLITE_OMIT_VIRTUALTABLE
> + SQLITE_PRIVATE   int sqlite3ShadowTableName(sqlite3 *db, const char *zName);
> ++SQLITE_PRIVATE   int sqlite3IsShadowTableOf(sqlite3*,Table*,const char*);
> + #else
> + # define sqlite3ShadowTableName(A,B) 0
> ++# define sqlite3IsShadowTableOf(A,B,C) 0
> + #endif
> + SQLITE_PRIVATE int sqlite3VtabEponymousTableInit(Parse*,Module*);
> + SQLITE_PRIVATE void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
> +@@ -28148,6 +28153,13 @@
> + #define etBUFSIZE SQLITE_PRINT_BUF_SIZE  /* Size of the output buffer */
> +
> + /*
> ++** Hard limit on the precision of floating-point conversions.
> ++*/
> ++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
> ++# define SQLITE_FP_PRECISION_LIMIT 100000000
> ++#endif
> ++
> ++/*
> + ** Render a string given by "fmt" into the StrAccum object.
> + */
> + SQLITE_API void sqlite3_str_vappendf(
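
Review bot: the guard around the new limit tests one macro and defines another: `#ifndef SQLITE_PRINTF_PRECISION_LIMIT` wraps `# define SQLITE_FP_PRECISION_LIMIT 100000000`. A build that already sets SQLITE_FP_PRECISION_LIMIT gets it redefined here, and a build that sets SQLITE_PRINTF_PRECISION_LIMIT is left with SQLITE_FP_PRECISION_LIMIT undefined. Guarding on SQLITE_FP_PRECISION_LIMIT would make the names agree; if the mismatch is already present in the source patch, keep the hunk unchanged and record it in the patch header instead.
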
> +@@ -28468,6 +28480,11 @@
> +         length = 0;
> + #else
> +         if( precision<0 ) precision = 6;         /* Set default precision */
> ++#ifdef SQLITE_FP_PRECISION_LIMIT
> ++        if( precision>SQLITE_FP_PRECISION_LIMIT ){
> ++          precision = SQLITE_FP_PRECISION_LIMIT;
> ++        }
> ++#endif
> +         if( realvalue<0.0 ){
> +           realvalue = -realvalue;
> +           prefix = '-';
> +@@ -96761,6 +96778,42 @@
> +   return WRC_Continue;
> + }
> +
> ++/* Increase the walkerDepth when entering a subquery, and
> ++** descrease when leaving the subquery.
> ++*/
> ++SQLITE_PRIVATE int sqlite3WalkerDepthIncrease(Walker *pWalker, Select *pSelect){
> ++  UNUSED_PARAMETER(pSelect);
> ++  pWalker->walkerDepth++;
> ++  return WRC_Continue;
> ++}
> ++SQLITE_PRIVATE void sqlite3WalkerDepthDecrease(Walker *pWalker, Select *pSelect){
> ++  UNUSED_PARAMETER(pSelect);
> ++  pWalker->walkerDepth--;
> ++}
> ++
> ++/*
> ++** No-op routine for the parse-tree walker.
> ++**
> ++** When this routine is the Walker.xExprCallback then expression trees
> ++** are walked without any actions being taken at each node.  Presumably,
> ++** when this routine is used for Walker.xExprCallback then
> ++** Walker.xSelectCallback is set to do something useful for every
> ++** subquery in the parser tree.
> ++*/
> ++SQLITE_PRIVATE int sqlite3ExprWalkNoop(Walker *NotUsed, Expr *NotUsed2){
> ++  UNUSED_PARAMETER2(NotUsed, NotUsed2);
> ++  return WRC_Continue;
> ++}
> ++
> ++/*
> ++** No-op routine for the parse-tree walker for SELECT statements.
> ++** subquery in the parser tree.
> ++*/
> ++SQLITE_PRIVATE int sqlite3SelectWalkNoop(Walker *NotUsed, Select *NotUsed2){
> ++  UNUSED_PARAMETER2(NotUsed, NotUsed2);
> ++  return WRC_Continue;
> ++}
> ++
> + /************** End of walker.c **********************************************/
> + /************** Begin file resolve.c *****************************************/
> + /*
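
Review bot: the `sqlite3ExprWalkNoop` and `sqlite3SelectWalkNoop` definitions added in the second half of this hunk are the same bodies that the `@@ -133053,29 +133124,6 @@` hunk deletes, so a pure code move is travelling together with the new walkerDepth helpers. In one combined patch a reader cannot tell which of the five listed CVEs needs the move; carrying it as its own prerequisite patch file would keep the actual fix small enough to compare against its source.
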
> +@@ -96789,6 +96842,8 @@
> + **
> + ** incrAggFunctionDepth(pExpr,n) is the main routine.  incrAggDepth(..)
> + ** is a helper function - a callback for the tree walker.
> ++**
> ++** See also the sqlite3WindowExtraAggFuncDepth() routine in window.c
> + */
> + static int incrAggDepth(Walker *pWalker, Expr *pExpr){
> +   if( pExpr->op==TK_AGG_FUNCTION ) pExpr->op2 += pWalker->u.n;
> +@@ -102447,7 +102502,10 @@
> +   switch( op ){
> +     case TK_AGG_COLUMN: {
> +       AggInfo *pAggInfo = pExpr->pAggInfo;
> +-      struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
> ++      struct AggInfo_col *pCol;
> ++      assert( pAggInfo!=0 );
> ++      assert( pExpr->iAgg>=0 && pExpr->iAgg<pAggInfo->nColumn );
> ++      pCol = &pAggInfo->aCol[pExpr->iAgg];
> +       if( !pAggInfo->directMode ){
> +         assert( pCol->iMem>0 );
> +         return pCol->iMem;
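
Review bot: in the TK_AGG_COLUMN case the two new checks ahead of `pCol = &pAggInfo->aCol[pExpr->iAgg];` are `assert()` only, so a build with assertions compiled out still indexes `aCol` with an unchecked `iAgg` and a possibly NULL `pAggInfo`. The TK_AGG_FUNCTION hunk that follows adds a runtime test on `iAgg`; if this case relies on some other hunk to reject bad input before it gets here, the patch header should say which one.
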
> +@@ -102741,7 +102799,10 @@
> +     }
> +     case TK_AGG_FUNCTION: {
> +       AggInfo *pInfo = pExpr->pAggInfo;
> +-      if( pInfo==0 ){
> ++      if( pInfo==0
> ++       || NEVER(pExpr->iAgg<0)
> ++       || NEVER(pExpr->iAgg>=pInfo->nFunc)
> ++      ){
> +         assert( !ExprHasProperty(pExpr, EP_IntValue) );
> +         sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
> +       }else{
> +@@ -104480,15 +104541,6 @@
> +   }
> +   return WRC_Continue;
> + }
> +-static int analyzeAggregatesInSelect(Walker *pWalker, Select *pSelect){
> +-  UNUSED_PARAMETER(pSelect);
> +-  pWalker->walkerDepth++;
> +-  return WRC_Continue;
> +-}
> +-static void analyzeAggregatesInSelectEnd(Walker *pWalker, Select *pSelect){
> +-  UNUSED_PARAMETER(pSelect);
> +-  pWalker->walkerDepth--;
> +-}
> +
> + /*
> + ** Analyze the pExpr expression looking for aggregate functions and
> +@@ -104502,8 +104554,8 @@
> + SQLITE_PRIVATE void sqlite3ExprAnalyzeAggregates(NameContext *pNC, Expr *pExpr){
> +   Walker w;
> +   w.xExprCallback = analyzeAggregate;
> +-  w.xSelectCallback = analyzeAggregatesInSelect;
> +-  w.xSelectCallback2 = analyzeAggregatesInSelectEnd;
> ++  w.xSelectCallback = sqlite3WalkerDepthIncrease;
> ++  w.xSelectCallback2 = sqlite3WalkerDepthDecrease;
> +   w.walkerDepth = 0;
> +   w.u.pNC = pNC;
> +   w.pParse = 0;
> +@@ -104742,7 +104794,10 @@
> +   /* Check that a table or index named 'zName' does not already exist
> +   ** in database iDb. If so, this is an error.
> +   */
> +-  if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
> ++  if( sqlite3FindTable(db, zName, zDb)
> ++   || sqlite3FindIndex(db, zName, zDb)
> ++   || sqlite3IsShadowTableOf(db, pTab, zName)
> ++  ){
> +     sqlite3ErrorMsg(pParse,
> +         "there is already another table or index with this name: %s", zName);
> +     goto exit_rename_table;
> +@@ -111252,6 +111307,28 @@
> +   recomputeColumnsNotIndexed(pPk);
> + }
> +
> ++
> ++#ifndef SQLITE_OMIT_VIRTUALTABLE
> ++/*
> ++** Return true if pTab is a virtual table and zName is a shadow table name
> ++** for that virtual table.
> ++*/
> ++SQLITE_PRIVATE int sqlite3IsShadowTableOf(sqlite3 *db, Table *pTab, const char \
> *zName){ ++  int nName;                    /* Length of zName */
> ++  Module *pMod;                 /* Module for the virtual table */
> ++
> ++  if( !IsVirtual(pTab) ) return 0;
> ++  nName = sqlite3Strlen30(pTab->zName);
> ++  if( sqlite3_strnicmp(zName, pTab->zName, nName)!=0 ) return 0;
> ++  if( zName[nName]!='_' ) return 0;
> ++  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
> ++  if( pMod==0 ) return 0;
> ++  if( pMod->pModule->iVersion<3 ) return 0;
> ++  if( pMod->pModule->xShadowName==0 ) return 0;
> ++  return pMod->pModule->xShadowName(zName+nName+1);
> ++}
> ++#endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
> ++
> + #ifndef SQLITE_OMIT_VIRTUALTABLE
> + /*
> + ** Return true if zName is a shadow table name in the current database
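
Review bot: the header comment of the new `sqlite3IsShadowTableOf()` does not state that `pTab` must be non-NULL, yet the first statements (`IsVirtual(pTab)`, `pTab->zName`) dereference it. `sqlite3ShadowTableName()` checks `pTab==0` before calling it, but the rename-table call site added in the `@@ -104742,7 +104794,10 @@` hunk shows no such check in its context. A one-line precondition in the comment would make the contract explicit for both callers.
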
> +@@ -111263,8 +111340,6 @@
> + SQLITE_PRIVATE int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
> +   char *zTail;                  /* Pointer to the last "_" in zName */
> +   Table *pTab;                  /* Table that zName is a shadow of */
> +-  Module *pMod;                 /* Module for the virtual table */
> +-
> +   zTail = strrchr(zName, '_');
> +   if( zTail==0 ) return 0;
> +   *zTail = 0;
> +@@ -111272,11 +111347,7 @@
> +   *zTail = '_';
> +   if( pTab==0 ) return 0;
> +   if( !IsVirtual(pTab) ) return 0;
> +-  pMod = (Module*)sqlite3HashFind(&db->aModule, pTab->azModuleArg[0]);
> +-  if( pMod==0 ) return 0;
> +-  if( pMod->pModule->iVersion<3 ) return 0;
> +-  if( pMod->pModule->xShadowName==0 ) return 0;
> +-  return pMod->pModule->xShadowName(zTail+1);
> ++  return sqlite3IsShadowTableOf(db, pTab, zName);
> + }
> + #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
> +
> +@@ -133053,29 +133124,6 @@
> +   return WRC_Continue;
> + }
> +
> +-/*
> +-** No-op routine for the parse-tree walker.
> +-**
> +-** When this routine is the Walker.xExprCallback then expression trees
> +-** are walked without any actions being taken at each node.  Presumably,
> +-** when this routine is used for Walker.xExprCallback then
> +-** Walker.xSelectCallback is set to do something useful for every
> +-** subquery in the parser tree.
> +-*/
> +-SQLITE_PRIVATE int sqlite3ExprWalkNoop(Walker *NotUsed, Expr *NotUsed2){
> +-  UNUSED_PARAMETER2(NotUsed, NotUsed2);
> +-  return WRC_Continue;
> +-}
> +-
> +-/*
> +-** No-op routine for the parse-tree walker for SELECT statements.
> +-** subquery in the parser tree.
> +-*/
> +-SQLITE_PRIVATE int sqlite3SelectWalkNoop(Walker *NotUsed, Select *NotUsed2){
> +-  UNUSED_PARAMETER2(NotUsed, NotUsed2);
> +-  return WRC_Continue;
> +-}
> +-
> + #if SQLITE_DEBUG
> + /*
> + ** Always assert.  This xSelectCallback2 implementation proves that the
> +@@ -150214,6 +150262,23 @@
> + }
> +
> + /*
> ++** When rewriting a query, if the new subquery in the FROM clause
> ++** contains TK_AGG_FUNCTION nodes that refer to an outer query,
> ++** then we have to increase the Expr->op2 values of those nodes
> ++** due to the extra subquery layer that was added.
> ++**
> ++** See also the incrAggDepth() routine in resolve.c
> ++*/
> ++static int sqlite3WindowExtraAggFuncDepth(Walker *pWalker, Expr *pExpr){
> ++  if( pExpr->op==TK_AGG_FUNCTION
> ++   && pExpr->op2>=pWalker->walkerDepth
> ++  ){
> ++    pExpr->op2++;
> ++  }
> ++  return WRC_Continue;
> ++}
> ++
> ++/*
> + ** If the SELECT statement passed as the second argument does not invoke
> + ** any SQL window functions, this function is a no-op. Otherwise, it
> + ** rewrites the SELECT statement so that window function xStep functions
> +@@ -150321,6 +150386,7 @@
> +     p->pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);
> +     if( p->pSrc ){
> +       Table *pTab2;
> ++      Walker w;
> +       p->pSrc->a[0].pSelect = pSub;
> +       sqlite3SrcListAssignCursors(pParse, p->pSrc);
> +       pSub->selFlags |= SF_Expanded;
> +@@ -150335,6 +150401,11 @@
> +         pTab->tabFlags |= TF_Ephemeral;
> +         p->pSrc->a[0].pTab = pTab;
> +         pTab = pTab2;
> ++        memset(&w, 0, sizeof(w));
> ++        w.xExprCallback = sqlite3WindowExtraAggFuncDepth;
> ++        w.xSelectCallback = sqlite3WalkerDepthIncrease;
> ++        w.xSelectCallback2 = sqlite3WalkerDepthDecrease;
> ++        sqlite3WalkSelect(&w, pSub);
> +       }
> +     }else{
> +       sqlite3SelectDelete(db, pSub);
> +@@ -170206,6 +170277,7 @@
> +                 fts3EvalNextRow(pCsr, pLeft, pRc);
> +               }
> +             }
> ++            pRight->bEof = pLeft->bEof = 1;
> +           }
> +         }
> +         break;
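
Review bot: `pRight->bEof = pLeft->bEof = 1;` is added with no comment, and the surrounding context gives no hint of why both sides are forced to EOF at this point. Because the change sits in a combined patch tagged with five CVEs, nothing ties this line to the issue it addresses; a separate patch file named for its CVE would give that mapping.
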
> +@@ -181747,7 +181819,7 @@
> +     iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
> +   }
> +
> +-  while( 1 ){
> ++  if( pIter ) while( 1 ){
> +     int nHit = fts3ColumnlistCount(&pIter);
> +     if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
> +       if( p->flag==FTS3_MATCHINFO_LHITS ){
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb \
> b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index e5071b4..9017593 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> @@ -8,6 +8,7 @@ SRC_URI = \
> "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ \
> file://CVE-2020-11656.patch \ file://CVE-2020-11655.patch \
> file://CVE-2020-15358.patch \
> +           file://sqlite3_CVEs_from_3.31.1-4ubuntu0.2.debian.patch \
> "
> SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
> SRC_URI[sha256sum] = \
>                 "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
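
Review bot: the added `file://sqlite3_CVEs_from_3.31.1-4ubuntu0.2.debian.patch` entry bundles five CVEs into one file, while the existing SRC_URI entries in this same hunk (`file://CVE-2020-11656.patch`, `file://CVE-2020-11655.patch`, `file://CVE-2020-15358.patch`) carry one CVE per file. Listing one entry per source patch would keep the recipe consistent with those lines and let a single fix be dropped or refreshed without touching the others.
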
> --
> 2.7.4
> 
> 
> 





