Thanks for pointing it out. I have corrected the commit and emailed.

-----Original Message-----
From: akuster808 <[email protected]>
Sent: Tuesday, October 15, 2019 9:01 AM
To: Shubham Agrawal <[email protected]>; [email protected]
Subject: Re: [OE-core] [thud][PATCH v2] sqlite3: CVE fix

On 10/14/19 1:22 PM, [email protected] wrote: > From: Shubham Agrawal <[email protected]> > > CVE:CVE-2019-161680 Does not match patch name. > Status: Backport > > whitelist as changes already there due to previous patches in upstream > CVE:CVE-2018-20346 > Status: Backported > > Sign off: Shubham [email protected] This need to be fixed in Master then Warrior. > --- > .../sqlite/files/CVE-2019-16168.patch | 37 > ++++++++++++++++++++++ > meta/recipes-support/sqlite/sqlite3_3.23.1.bb | 1 + > 2 files changed, 38 insertions(+) > create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-16168.patch > > diff --git a/meta/recipes-support/sqlite/files/CVE-2019-16168.patch > b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch > new file mode 100644 > index 0000000..d8e93c0 > --- /dev/null > +++ b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch 
> @@ -0,0 +1,37 @@ > +From fc8bb8d6ae2d4cd024546e9e7bbab115427c3f41 Mon Sep 17 00:00:00 2001 > +From: Shubham Agrawal <[email protected]> > +Date: Fri, 11 Oct 2019 20:20:18 +0000 > +Subject: [PATCH] sqlite3 CVE: CVE-2019-16168 Status: backported Sign off: > + Shubham Agrawal<[email protected]> > +Reply-To: [email protected] > + Add this kind of information into the patch itself. CVE:CVE-2018-20346 Status: Backported Sign off: Shubham [email protected] See https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpatchwork.openembedded.org%2Fpatch%2F165800%2F&data=02%7C01%7Cshuagr%40microsoft.com%7C2b40d2950423482e77a208d75188e3f1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067520688841480&sdata=B%2BzLPIEwjhdwGwpu2uJ0vXPqEscX0nWR18scu4oHSp8%3D&reserved=0 as an example > +--- > + sqlite3.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/sqlite3.c b/sqlite3.c > +index 0f71a44..c480e53 100644 > +--- a/sqlite3.c > ++++ b/sqlite3.c > +@@ -101836,7 +101836,9 @@ static void decodeIntArray( > + if( sqlite3_strglob("unordered*", z)==0 ){ > + pIndex->bUnordered = 1; > + }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){ > +- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3)); > ++ int sz = sqlite3Atoi(z+3); > ++ if( sz<2 ) sz = 2; > ++ pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(sz)); > + }else if( sqlite3_strglob("noskipscan*", z)==0 ){ > + pIndex->noSkipScan = 1; > + } > +@@ -137151,6 +137153,7 @@ static int whereLoopAddBtreeIndex( > + ** it to pNew->rRun, which is currently set to the cost of the index > + ** seek only. Then, if this is a non-covering index, add the cost of > + ** visiting the rows in the main table. */ > ++ assert( pSrc->pTab->szTabRow>0 ); > + rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow; > + pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx); > + if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){ > +-- > +2.7.4 > + 
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb > b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb > index 7df61cd..e2e9b50 100644 > --- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb > +++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb > @@ -8,6 +8,7 @@ SRC_URI = "\ > file://CVE-2018-20505.patch \ > file://CVE-2018-20506.patch \ > file://CVE-2019-8457.patch \ > + file://CVE-2019-16168.patch \ > " > SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa" > SRC_URI[sha256sum] = > "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25" -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
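Review bot: the header of the embedded CVE-2019-16168.patch folds `Status: backported Sign off:` into the Subject line and has no tag lines of its own. Put `CVE: CVE-2019-16168`, `Upstream-Status: Backport` with a reference to the upstream commit, and a `Signed-off-by:` line in the body of the patch header, and keep the Subject to a one-line summary. The outer commit message also says `CVE:CVE-2019-161680`, which does not match the file name CVE-2019-16168.patch.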
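Review bot: in the decodeIntArray hunk, the last added line passes the clamped integer back into the string parser: `pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(sz));`. `sz` is already the int produced by `sqlite3Atoi(z+3)` two lines above, while sqlite3Atoi was given a string pointer on the removed line, so the call should be `pIndex->szIdxRow = sqlite3LogEst(sz);`. As written, the value set by `if( sz<2 ) sz = 2;` never reaches sqlite3LogEst as a number, and the backport should be checked against the upstream change before it is resent.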
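Review bot: in the whereLoopAddBtreeIndex hunk, the only added line is `assert( pSrc->pTab->szTabRow>0 );`, placed ahead of the division by `pSrc->pTab->szTabRow`. An assert is compiled out of builds that do not enable assertions, so this line documents the invariant and does not enforce it. The clamp in the other hunk is applied to szIdxRow, not szTabRow, so the patch description should state what keeps szTabRow above zero on this path.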
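Review bot: the sqlite3_3.23.1.bb hunk adds only `file://CVE-2019-16168.patch \` to SRC_URI, and the diffstat (37 insertions in the patch file plus 1 in the recipe) leaves room for nothing else, yet the commit message says CVE-2018-20346 is being whitelisted. Either add the whitelist entry to the recipe in this change or drop that paragraph from the commit message and send it as a separate patch.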
