- bsc#1150137, CVE-2019-16168, sqlite3-CVE-2019-16168.patch:

Improper validation of qlite_stat1 sz field leads to division by zero. OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=231
2019-09-10 15:21:46 +00:00 · 2019-09-10 15:21:46 +00:00 · a68ee4aeaf
commit a68ee4aeaf
parent 756d8b5bef
3 changed files with 55 additions and 0 deletions
--- a/sqlite3-CVE-2019-16168.patch
+++ b/sqlite3-CVE-2019-16168.patch
@ -0,0 +1,46 @@
+--- src/analyze.c.orig
+++ src/analyze.c
+@@ -1497,7 +1497,9 @@ static void decodeIntArray(
+       if( sqlite3_strglob("unordered*", z)==0 ){
+         pIndex->bUnordered = 1;
+       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
+        int sz = sqlite3Atoi(z+3);
+        if( sz<2 ) sz = 2;
+        pIndex->szIdxRow = sqlite3LogEst(sz);
+       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+         pIndex->noSkipScan = 1;
+       }
+--- src/where.c.orig
+++ src/where.c
+@@ -2668,6 +2668,7 @@ static int whereLoopAddBtreeIndex(
+     ** it to pNew->rRun, which is currently set to the cost of the index
+     ** seek only. Then, if this is a non-covering index, add the cost of
+     ** visiting the rows in the main table.  */
+    assert( pSrc->pTab->szTabRow>0 );
+     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+--- test/analyzeC.test.orig
+++ test/analyzeC.test
+@@ -132,6 +132,20 @@ do_execsql_test 4.3 {
+   SELECT count(a) FROM t1;
+ } {/.*INDEX t1ca.*/}
+ 
+# 2019-08-15.
+# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
+# The sz=N parameter in the sqlite_stat1 table needs to have a value of
+# 2 or more to avoid a division by zero in the query planner.
+#
+do_execsql_test 4.4 {
+  DROP TABLE IF EXISTS t44;
+  CREATE TABLE t44(a PRIMARY KEY);
+  INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
+  ANALYZE sqlite_master;
+  SELECT 0 FROM t44 WHERE a IN(1,2,3);
+} {}
+
+
+ 
+ # The sz=NNN parameter works even if there is other extraneous text
+ # in the sqlite_stat1.stat column.
--- a/sqlite3.changes
+++ b/sqlite3.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Sep 10 15:17:35 UTC 2019 - Reinhard Max <max@suse.com>
+
+- bsc#1150137, CVE-2019-16168, sqlite3-CVE-2019-16168.patch:
+  Improper validation of qlite_stat1 sz field leads to division by
+  zero.
+
 -------------------------------------------------------------------
 Thu Jul 11 08:59:55 UTC 2019 - Ismail Dönmez <idonmez@suse.com>

--- a/sqlite3.spec
+++ b/sqlite3.spec
@ -28,6 +28,7 @@ URL:            http://www.sqlite.org/
 Source0:        http://www.sqlite.org/2019/sqlite-src-%{tarversion}.zip
 Source1:        baselibs.conf
 Source2:        http://www.sqlite.org/2019/sqlite-doc-%{tarversion}.zip
+Patch0:         sqlite3-CVE-2019-16168.patch
 BuildRequires:  automake
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@ -103,6 +104,7 @@ other documentation found on sqlite.org. The files can be found in

 %prep
 %setup -q -n sqlite-src-%{tarversion} -a2
+%patch0
 rm -v sqlite-doc-%{tarversion}/releaselog/current.html
 ln -sv `echo %{version} | sed "s/\./_/g"`.html sqlite-doc-%{tarversion}/releaselog/current.html
 find -type f -name sqlite.css~ -delete