Attaching patch file also ________________________________ From: Virendra Kumar Thakur <[email protected]> Sent: Monday, September 19, 2022 7:40 PM To: [email protected] <[email protected]> Cc: [email protected] <[email protected]>; Virendra Kumar Thakur <[email protected]> Subject: [OE-Core][dunfell][PATCH 2/2] sqlite3: Fix CVE-2020-35527
From: Virendra Thakur <[email protected]> Add patch file to fix CVE-2020-35527 Reference: https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsecurity.debian.org%2Fdebian-security%2Fpool%2Fupdates%2Fmain%2Fs%2Fsqlite3%2Fsqlite3_3.27.2-3%2Bdeb10u2.debian.tar.xz&data=05%7C01%7CVirendra.Thakur%40kpit.com%7C137fc88ada814f8afb7c08da9a48cda1%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637991934731945883%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5JGYey8Gm0ngS09jsjZbdSrQOogBmVmRW3bivwvnmes%3D&reserved=0 Signed-off-by: Virendra Thakur <[email protected]> --- .../sqlite/files/CVE-2020-35527.patch | 22 +++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 23 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35527.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch new file mode 100644 index 0000000000..d1dae389b0 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch @@ -0,0 +1,22 @@ +From: dan <[email protected]> +Date: Mon, 26 Oct 2020 13:24:36 +0000 +Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested + FROM clause. Ticket [f50af3e8a565776b]. + +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsecurity.debian.org%2Fdebian-security%2Fpool%2Fupdates%2Fmain%2Fs%2Fsqlite3%2Fsqlite3_3.27.2-3%2Bdeb10u2.debian.tar.xz&data=05%7C01%7CVirendra.Thakur%40kpit.com%7C137fc88ada814f8afb7c08da9a48cda1%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637991934731945883%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5JGYey8Gm0ngS09jsjZbdSrQOogBmVmRW3bivwvnmes%3D&reserved=0] +CVE: CVE-2020-35527 +Signed-off-by: Virendra Thakur <[email protected]> +--- +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke + pNew = sqlite3ExprListAppend(pParse, pNew, pExpr); + sqlite3TokenInit(&sColname, zColname); + sqlite3ExprListSetName(pParse, pNew, &sColname, 0); +- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){ ++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){ + struct ExprList_item *pX = &pNew->a[pNew->nExpr-1]; + sqlite3DbFree(db, pX->zEName); + if( pSub ){ diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 48051593e4..d9e98c9120 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -15,6 +15,7 @@ SRC_URI = "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.sqlite.org%2F2020%2Fsqlite-autoconf-%24&data=05%7C01%7CVirendra.Thakur%40kpit.com%7C137fc88ada814f8afb7c08da9a48cda1%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637991934731945883%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=n%2B8s1tL9NuC8%2BkcAIxrrK0LmWgsjC5J3fWagEcO2ks4%3D&reserved=0{SQLITE_PV}.tar.gz \ file://CVE-2020-13632.patch \ file://CVE-2022-35737.patch \ file://CVE-2020-35525.patch \ + file://CVE-2020-35527.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
From 465af95fc244581029963f2e8740791d6e4e9ff5 Mon Sep 17 00:00:00 2001 From: Virendra Thakur <[email protected]> Date: Thu, 15 Sep 2022 18:11:10 +0530 Subject: [PATCH] sqlite3: Fix CVE-2020-35527 Add patch file to fix CVE-2020-35527 Reference: http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz Signed-off-by: Virendra Thakur <[email protected]> --- .../sqlite/files/CVE-2020-35527.patch | 22 +++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 23 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35527.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch new file mode 100644 index 0000000000..d1dae389b0 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch @@ -0,0 +1,22 @@ +From: dan <[email protected]> +Date: Mon, 26 Oct 2020 13:24:36 +0000 +Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested + FROM clause. Ticket [f50af3e8a565776b]. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz] +CVE: CVE-2020-35527 +Signed-off-by: Virendra Thakur <[email protected]> +--- +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke + pNew = sqlite3ExprListAppend(pParse, pNew, pExpr); + sqlite3TokenInit(&sColname, zColname); + sqlite3ExprListSetName(pParse, pNew, &sColname, 0); +- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){ ++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){ + struct ExprList_item *pX = &pNew->a[pNew->nExpr-1]; + sqlite3DbFree(db, pX->zEName); + if( pSub ){ diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 48051593e4..d9e98c9120 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -15,6 +15,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-13632.patch \ file://CVE-2022-35737.patch \ file://CVE-2020-35525.patch \ + file://CVE-2020-35527.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" -- 2.17.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170862): https://lists.openembedded.org/g/openembedded-core/message/170862 Mute This Topic: https://lists.openembedded.org/mt/93781601/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
