authorLeonardo Arena <rnalrd@alpinelinux.org>2019-12-17 15:17:36 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-12-17 15:48:25 +0000
commitac7d137df26a657916670802f270e36d52b9cdf8 (patch)
tree742d0d6bd9ade6646cc28d5c8d9369584d648ea0 /main
parent64bd4efee3d96f4ad333d07b0fabc16320dd2f29 (diff)
main/sqlite: security fixes (CVE-2019-19242, CVE-2019-19244)
fixes #11015
Diffstat (limited to 'main')
-rw-r--r--main/sqlite/APKBUILD13
-rw-r--r--main/sqlite/CVE-2019-19242.patch18
-rw-r--r--main/sqlite/CVE-2019-19244.patch12
3 files changed, 41 insertions, 2 deletions
diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD
index 36d27d5dd3..4fa92a78e1 100644
--- a/main/sqlite/APKBUILD
+++ b/main/sqlite/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Ɓukasz Jendrysik <scadu@yandex.com>
pkgname=sqlite
pkgver=3.25.3
-pkgrel=2
+pkgrel=3
pkgdesc="C library that implements an SQL database engine"
url="http://www.sqlite.org"
arch="all"
@@ -33,8 +33,15 @@ source="http://www.sqlite.org/2018/$pkgname-autoconf-$_ver.tar.gz
license.txt
CVE-2019-8457.patch
CVE-2019-16168.patch
+ CVE-2019-19242.patch
+ CVE-2019-19244.patch
"
+# secfixes:
+# 3.25.3-r3:
+# - CVE-2019-19242
+# - CVE-2019-19242
+
# additional CFLAGS to set
_amalgamation="-DSQLITE_ENABLE_FTS4 \
-DSQLITE_ENABLE_FTS3_PARENTHESIS \
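Review bot: The new `# secfixes:` block lists CVE-2019-19242 twice and never mentions CVE-2019-19244, although the commit title and the added `CVE-2019-19244.patch` show that both are fixed in this release. The second entry should read `# - CVE-2019-19244`, indented like the line above it. If this comment feeds the distribution's security tracking, as the secfixes convention suggests, 3.25.3-r3 would otherwise keep being reported as affected by CVE-2019-19244 even though the patch is applied.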
@@ -98,4 +105,6 @@ libs() {
sha512sums="5bc501d15367e097f4070185974b0c3a8246c06b205fb2258ed18870ff3fbf120ac5e0ba031a6744af89f7659206e28e7de2f0367bdb190b8412e453b43de4ba sqlite-autoconf-3250300.tar.gz
5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt
ab795b18d5426ff9ccad20f413de4f46fce7b532ebbf72dfbafc7db2d2e46453541abe992535c7aea598ec69c8557b477008e58299e3426afd2e8ab458c859e4 CVE-2019-8457.patch
-19eb036e0d03543127a9ed67155522952cb7f3ce9da81ee49fba14a1c0bfc2cd0c86acab1b47b794043cac033959d861dce7ec97fca2293cb146a7ee1b83b8fa CVE-2019-16168.patch"
+19eb036e0d03543127a9ed67155522952cb7f3ce9da81ee49fba14a1c0bfc2cd0c86acab1b47b794043cac033959d861dce7ec97fca2293cb146a7ee1b83b8fa CVE-2019-16168.patch
+7fc69d4d9f38b1142d86d3061a4d0168c3eebda5771e07d71a127121d7770f436e361f3e1f11f9a037b2ce9687092c9e2c808719e6b45125b9d953c636f3f6ec CVE-2019-19242.patch
+e7982014a62b4fa465918fd65384cec406ea09598f3e0511eb2b68f618983b2f29a932267397aff9b88b97367dc8e05c4074fa8e276e3f4294ac019df498a724 CVE-2019-19244.patch"
diff --git a/main/sqlite/CVE-2019-19242.patch b/main/sqlite/CVE-2019-19242.patch
new file mode 100644
index 0000000000..d4e9fab4f6
--- /dev/null
+++ b/main/sqlite/CVE-2019-19242.patch
@@ -0,0 +1,18 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index c607252..968ffb0 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -99174,7 +99174,12 @@ expr_code_doover:
+ ** constant.
+ */
+ int iReg = sqlite3ExprCodeTarget(pParse, pExpr->pLeft,target);
+- int aff = sqlite3TableColumnAffinity(pExpr->pTab, pExpr->iColumn);
++ int aff;
++ if( pExpr->pTab ){
++ aff = sqlite3TableColumnAffinity(pExpr->pTab, pExpr->iColumn);
++ }else{
++ aff = pExpr->affinity;
++ }
+ if( aff!=SQLITE_AFF_BLOB ){
+ static const char zAff[] = "B\000C\000D\000E";
+ assert( SQLITE_AFF_BLOB=='A' );
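Review bot: CVE-2019-19242.patch starts directly at `diff --git a/sqlite3.c b/sqlite3.c` with no header recording where the fix comes from, and CVE-2019-19244.patch has the same gap. Both patches edit the generated amalgamation at fixed line offsets, so a later auditor cannot tell from the file alone whether the change is the upstream fix verbatim or was adapted for 3.25.3. I would add a short preamble above the diff in each file, for example `Upstream: <upstream check-in URL>` and `Backport to the 3.25.3 amalgamation: <note any adaptation>`. patch(1) skips leading text before the first diff header, so the preamble does not affect the build.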
diff --git a/main/sqlite/CVE-2019-19244.patch b/main/sqlite/CVE-2019-19244.patch
new file mode 100644
index 0000000000..3d4e2df8e2
--- /dev/null
+++ b/main/sqlite/CVE-2019-19244.patch
@@ -0,0 +1,12 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index 8fd740b..bd647ca 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select(
+ */
+ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct
+ && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0
++ && p->pWin==0
+ ){
+ p->selFlags &= ~SF_Distinct;
+ pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);