pool/sqlite3
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- bsc#1150137, CVE-2019-16168, sqlite3-CVE-2019-16168.patch:

Browse Source 
Improper validation of qlite_stat1 sz field leads to division by
  zero.

OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=231
This commit is contained in:
Reinhard Max 2019-09-10 15:21:46 +00:00 committed by Git OBS Bridge
parent 756d8b5bef
commit a68ee4aeaf
3 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
sqlite3-CVE-2019-16168.patch Normal file
View File

@ -0,0 +1,46 @@
--- src/analyze.c.orig
+++ src/analyze.c
@@ -1497,7 +1497,9 @@ static void decodeIntArray(
if( sqlite3_strglob("unordered*", z)==0 ){
pIndex->bUnordered = 1;
}else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
+ int sz = sqlite3Atoi(z+3);
+ if( sz<2 ) sz = 2;
+ pIndex->szIdxRow = sqlite3LogEst(sz);
}else if( sqlite3_strglob("noskipscan*", z)==0 ){
pIndex->noSkipScan = 1;
}
--- src/where.c.orig
+++ src/where.c
@@ -2668,6 +2668,7 @@ static int whereLoopAddBtreeIndex(
** it to pNew->rRun, which is currently set to the cost of the index
** seek only. Then, if this is a non-covering index, add the cost of
** visiting the rows in the main table. */
+ assert( pSrc->pTab->szTabRow>0 );
rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
--- test/analyzeC.test.orig
+++ test/analyzeC.test
@@ -132,6 +132,20 @@ do_execsql_test 4.3 {
SELECT count(a) FROM t1;
} {/.*INDEX t1ca.*/}
+# 2019-08-15.
+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
+# The sz=N parameter in the sqlite_stat1 table needs to have a value of
+# 2 or more to avoid a division by zero in the query planner.
+#
+do_execsql_test 4.4 {
+ DROP TABLE IF EXISTS t44;
+ CREATE TABLE t44(a PRIMARY KEY);
+ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
+ ANALYZE sqlite_master;
+ SELECT 0 FROM t44 WHERE a IN(1,2,3);
+} {}
+
+
# The sz=NNN parameter works even if there is other extraneous text
# in the sqlite_stat1.stat column.

7
sqlite3.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Sep 10 15:17:35 UTC 2019 - Reinhard Max <max@suse.com>
- bsc#1150137, CVE-2019-16168, sqlite3-CVE-2019-16168.patch:
Improper validation of qlite_stat1 sz field leads to division by
zero.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 11 08:59:55 UTC 2019 - Ismail Dönmez <idonmez@suse.com> Thu Jul 11 08:59:55 UTC 2019 - Ismail Dönmez <idonmez@suse.com>

2
sqlite3.spec
View File

@ -28,6 +28,7 @@ URL: http://www.sqlite.org/
Source0: http://www.sqlite.org/2019/sqlite-src-%{tarversion}.zip Source0: http://www.sqlite.org/2019/sqlite-src-%{tarversion}.zip
Source1: baselibs.conf Source1: baselibs.conf
Source2: http://www.sqlite.org/2019/sqlite-doc-%{tarversion}.zip Source2: http://www.sqlite.org/2019/sqlite-doc-%{tarversion}.zip
Patch0: sqlite3-CVE-2019-16168.patch
BuildRequires: automake BuildRequires: automake
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -103,6 +104,7 @@ other documentation found on sqlite.org. The files can be found in
%prep %prep
%setup -q -n sqlite-src-%{tarversion} -a2 %setup -q -n sqlite-src-%{tarversion} -a2
%patch0
rm -v sqlite-doc-%{tarversion}/releaselog/current.html rm -v sqlite-doc-%{tarversion}/releaselog/current.html
ln -sv `echo %{version} | sed "s/\./_/g"`.html sqlite-doc-%{tarversion}/releaselog/current.html ln -sv `echo %{version} | sed "s/\./_/g"`.html sqlite-doc-%{tarversion}/releaselog/current.html
find -type f -name sqlite.css~ -delete find -type f -name sqlite.css~ -delete