Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1

2020-10-24 Thread GCS
On Sat, Oct 24, 2020 at 8:51 PM Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2020-10-12 at 22:50 +0200, Moritz Muehlenhoff wrote:
> > A number of security fixes in sqlite, which don't warrant a DSA.
[...]
> Please go ahead.
 Thanks, uploaded.

Cheers,
Laszlo/GCS



Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1

2020-10-24 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2020-10-12 at 22:50 +0200, Moritz Muehlenhoff wrote:
> A number of security fixes in sqlite, which don't warrant a DSA.
> This has been tested on a Buster system (along with validating
> included test cases that issues are correctly fixed).

Please go ahead.

Regards,

Adam



Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1

2020-10-13 Thread GCS
On Mon, Oct 12, 2020 at 10:54 PM Moritz Muehlenhoff wrote:
> A number of security fixes in sqlite, which don't warrant a DSA.
> This has been tested on a Buster system (along with validating
> included test cases that issues are correctly fixed).
 I don't know if it counts, but being the original maintainer, I do
second the work of Moritz.
My time is limited nowadays, but I did a quick check and the proposed
update is correct. Please let it enter Buster.

Thanks Moritz,
Laszlo/GCS



Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1

2020-10-12 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: g...@debian.org

A number of security fixes in sqlite, which don't warrant a DSA.
This has been tested on a Buster system (along with validating
included test cases that issues are correctly fixed).

Cheers,
Moritz
diff -Nru sqlite3-3.27.2/debian/changelog sqlite3-3.27.2/debian/changelog
--- sqlite3-3.27.2/debian/changelog 2019-06-01 17:38:52.0 +0200
+++ sqlite3-3.27.2/debian/changelog 2020-10-05 22:53:55.0 +0200
@@ -1,3 +1,18 @@
+sqlite3 (3.27.2-3+deb10u1) buster; urgency=medium
+
+  * CVE-2019-19923
+  * CVE-2019-19925
+  * CVE-2019-19959
+  * CVE-2019-20218
+  * CVE-2020-13434
+  * CVE-2020-13435
+  * CVE-2020-13630
+  * CVE-2020-13632
+  * CVE-2020-15358
+  * CVE-2019-16168
+
+ -- Moritz Mühlenhoff   Mon, 05 Oct 2020 22:53:55 +0200
+
 sqlite3 (3.27.2-3) unstable; urgency=high
 
   * Backport security related patches:
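
Review bot: The new 3.27.2-3+deb10u1 entry lists ten bare CVE ids with no description, unlike the 3.27.2-3 entry just below it, which opens with "Backport security related patches:". Suggest a one-line summary per CVE (for example the division by zero via sz=N for CVE-2019-16168) together with the patch file name, so the changelog can be read without opening debian/patches. CVE-2019-16168 is also listed last, out of numeric order with the other 2019 ids at the top.
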
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 
sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch  1970-01-01 
01:00:00.0 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch  2020-10-05 
22:53:55.0 +0200
@@ -0,0 +1,66 @@
+From 725dd72400872da94dcfb6af48128905b93d57fe Mon Sep 17 00:00:00 2001
+From: drh 
+Date: Thu, 15 Aug 2019 14:35:45 +
+Subject: [PATCH] Ensure that the optional "sz=N" parameter that can be
+ manually added to the end of an sqlite_stat1 entry does not have an N value
+ that is too small. Ticket [e4598ecbdd18bd82]
+
+FossilOrigin-Name: 
98357d8c1263920b33a3648ef9214a63c99728bafa7a8d3dd6a1241b2303fd42
+---
+ src/analyze.c  |  4 +++-
+ src/where.c|  1 +
+ test/analyzeC.test | 14 ++
+ 5 files changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/analyze.c b/src/analyze.c
+index 31fb6f5b5..1904b9be0 100644
+--- a/src/analyze.c
 b/src/analyze.c
+@@ -1450,7 +1450,9 @@ static void decodeIntArray(
+   if( sqlite3_strglob("unordered*", z)==0 ){
+ pIndex->bUnordered = 1;
+   }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++int sz = sqlite3Atoi(z+3);
++if( sz<2 ) sz = 2;
++pIndex->szIdxRow = sqlite3LogEst(sz);
+   }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+ pIndex->noSkipScan = 1;
+   }
+diff --git a/src/where.c b/src/where.c
+index 65c92863a..a37a810a2 100644
+--- a/src/where.c
 b/src/where.c
+@@ -2670,6 +2670,7 @@ static int whereLoopAddBtreeIndex(
+ ** it to pNew->rRun, which is currently set to the cost of the index
+ ** seek only. Then, if this is a non-covering index, add the cost of
+ ** visiting the rows in the main table.  */
++assert( pSrc->pTab->szTabRow>0 );
+ rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+ pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+ if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+diff --git a/test/analyzeC.test b/test/analyzeC.test
+index 02faa9c7e..2a0a89781 100644
+--- a/test/analyzeC.test
 b/test/analyzeC.test
+@@ -132,6 +132,20 @@ do_execsql_test 4.3 {
+   SELECT count(a) FROM t1;
+ } {/.*INDEX t1ca.*/}
+ 
++# 2019-08-15.
++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
++# The sz=N parameter in the sqlite_stat1 table needs to have a value of
++# 2 or more to avoid a division by zero in the query planner.
++#
++do_execsql_test 4.4 {
++  DROP TABLE IF EXISTS t44;
++  CREATE TABLE t44(a PRIMARY KEY);
++  INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
++  ANALYZE sqlite_master;
++  SELECT 0 FROM t44 WHERE a IN(1,2,3);
++} {}
++
++
+ 
+ # The sz=NNN parameter works even if there is other extraneous text
+ # in the sqlite_stat1.stat column.
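
Review bot: In the src/where.c part, the added assert( pSrc->pTab->szTabRow>0 ) guards the divisor of the rCostIdx expression, but assert() is only active in debug builds, so in a release build the clamp "if( sz<2 ) sz = 2;" in decodeIntArray is the only runtime protection. That clamp is applied to pIndex->szIdxRow while the divisor is pSrc->pTab->szTabRow, and the path from one to the other is not visible in this patch; a short comment at the clamp saying why the minimum is 2 and how the value reaches szTabRow would help. The embedded diffstat also says "5 files changed, 28 insertions(+), 11 deletions(-)" while only src/analyze.c, src/where.c and test/analyzeC.test are carried, so the patch header should note that it was trimmed for the backport.
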
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch 
sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch  1970-01-01 
01:00:00.0 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch  2020-10-02 
16:43:04.0 +0200
@@ -0,0 +1,62 @@
+From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001
+From: drh 
+Date: Wed, 18 Dec 2019 20:51:58 +
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+ check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
+ query is DISTINCT.  Without this fix, if an index scan is run on the table
+ within the view on the right-hand side of the LEFT JOIN, stale result
+ registers might be accessed yielding incorrect results, and/or an
+ OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
+ NULL-pointer dereference.  This problem was found by the Yongheng and Rui
+ fuzzer.
+
+FossilOrigin-Name: 
862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
+---
+ src/select.c   |  8 ++--
+ test/join.test |