Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: g...@debian.org

A number of security fixes in sqlite, which don't warrant a DSA.
This has been tested on a Buster system (including running the
included test cases to validate that the issues are correctly fixed).

Cheers,
        Moritz
diff -Nru sqlite3-3.27.2/debian/changelog sqlite3-3.27.2/debian/changelog
--- sqlite3-3.27.2/debian/changelog     2019-06-01 17:38:52.000000000 +0200
+++ sqlite3-3.27.2/debian/changelog     2020-10-05 22:53:55.000000000 +0200
@@ -1,3 +1,18 @@
+sqlite3 (3.27.2-3+deb10u1) buster; urgency=medium
+
+  * CVE-2019-19923
+  * CVE-2019-19925
+  * CVE-2019-19959
+  * CVE-2019-20218
+  * CVE-2020-13434
+  * CVE-2020-13435
+  * CVE-2020-13630
+  * CVE-2020-13632
+  * CVE-2020-15358
+  * CVE-2019-16168
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Mon, 05 Oct 2020 22:53:55 +0200
+
 sqlite3 (3.27.2-3) unstable; urgency=high
 
   * Backport security related patches:
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 
sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch  2020-10-05 
22:53:55.000000000 +0200
@@ -0,0 +1,66 @@
+From 725dd72400872da94dcfb6af48128905b93d57fe Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Thu, 15 Aug 2019 14:35:45 +0000
+Subject: [PATCH] Ensure that the optional "sz=N" parameter that can be
+ manually added to the end of an sqlite_stat1 entry does not have an N value
+ that is too small. Ticket [e4598ecbdd18bd82]
+
+FossilOrigin-Name: 
98357d8c1263920b33a3648ef9214a63c99728bafa7a8d3dd6a1241b2303fd42
+---
+ src/analyze.c      |  4 +++-
+ src/where.c        |  1 +
+ test/analyzeC.test | 14 ++++++++++++++
+ 5 files changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/analyze.c b/src/analyze.c
+index 31fb6f5b5..1904b9be0 100644
+--- a/src/analyze.c
++++ b/src/analyze.c
+@@ -1450,7 +1450,9 @@ static void decodeIntArray(
+       if( sqlite3_strglob("unordered*", z)==0 ){
+         pIndex->bUnordered = 1;
+       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++        int sz = sqlite3Atoi(z+3);
++        if( sz<2 ) sz = 2;
++        pIndex->szIdxRow = sqlite3LogEst(sz);
+       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+         pIndex->noSkipScan = 1;
+       }
+diff --git a/src/where.c b/src/where.c
+index 65c92863a..a37a810a2 100644
+--- a/src/where.c
++++ b/src/where.c
+@@ -2670,6 +2670,7 @@ static int whereLoopAddBtreeIndex(
+     ** it to pNew->rRun, which is currently set to the cost of the index
+     ** seek only. Then, if this is a non-covering index, add the cost of
+     ** visiting the rows in the main table.  */
++    assert( pSrc->pTab->szTabRow>0 );
+     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+diff --git a/test/analyzeC.test b/test/analyzeC.test
+index 02faa9c7e..2a0a89781 100644
+--- a/test/analyzeC.test
++++ b/test/analyzeC.test
+@@ -132,6 +132,20 @@ do_execsql_test 4.3 {
+   SELECT count(a) FROM t1;
+ } {/.*INDEX t1ca.*/}
+ 
++# 2019-08-15.
++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901
++# The sz=N parameter in the sqlite_stat1 table needs to have a value of
++# 2 or more to avoid a division by zero in the query planner.
++#
++do_execsql_test 4.4 {
++  DROP TABLE IF EXISTS t44;
++  CREATE TABLE t44(a PRIMARY KEY);
++  INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0');
++  ANALYZE sqlite_master;
++  SELECT 0 FROM t44 WHERE a IN(1,2,3);
++} {}
++
++
+ 
+ # The sz=NNN parameter works even if there is other extraneous text
+ # in the sqlite_stat1.stat column.
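Review bot: The `assert( pSrc->pTab->szTabRow>0 )` added to whereLoopAddBtreeIndex() in where.c only exists in builds with assertions enabled, so the runtime protection for the division on the following line is entirely the `if( sz<2 ) sz = 2;` clamp in decodeIntArray(); a short comment there, such as `/* N<2 would make the row-size estimate zero and divide by zero in whereLoopAddBtreeIndex() */`, would record why 2 is the floor (the test comment names the division by zero as the reason). The clamp is applied to szIdxRow while the division is by szTabRow; the test drives the table-row path via a NULL index name, so presumably szTabRow is derived from the same decode, but analyze.c outside this hunk should be checked to confirm that. Both decodeIntArray() and whereLoopAddBtreeIndex() start outside the hunk. The upstream diffstat header says `5 files changed` while only three files are listed, since the manifest entries were trimmed; harmless but worth a note in the patch header.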
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch 
sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch  2020-10-02 
16:43:04.000000000 +0200
@@ -0,0 +1,62 @@
+From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Wed, 18 Dec 2019 20:51:58 +0000
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+ check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
+ query is DISTINCT.  Without this fix, if an index scan is run on the table
+ within the view on the right-hand side of the LEFT JOIN, stale result
+ registers might be accessed yielding incorrect results, and/or an
+ OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
+ NULL-pointer dereference.  This problem was found by the Yongheng and Rui
+ fuzzer.
+
+FossilOrigin-Name: 
862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
+---
+ src/select.c   |  8 ++++++--
+ test/join.test | 13 +++++++++++++
+ 4 files changed, 27 insertions(+), 10 deletions(-)
+
+--- sqlite3-3.27.2.orig/src/select.c
++++ sqlite3-3.27.2/src/select.c
+@@ -3576,6 +3576,7 @@ static void substSelect(
+ **        (3b) the FROM clause of the subquery may not contain a virtual
+ **             table and
+ **        (3c) the outer query may not be an aggregate.
++**        (3d) the outer query may not be DISTINCT.
+ **
+ **   (4)  The subquery can not be DISTINCT.
+ **
+@@ -3772,8 +3773,11 @@ static int flattenSubquery(
+   */
+   if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
+     isLeftJoin = 1;
+-    if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
+-      /*  (3a)             (3c)     (3b) */
++    if( pSubSrc->nSrc>1                   /* (3a) */
++     || isAgg                             /* (3b) */
++     || IsVirtual(pSubSrc->a[0].pTab)     /* (3c) */
++     || (p->selFlags & SF_Distinct)!=0    /* (3d) */
++    ){
+       return 0;
+     }
+   }
+--- sqlite3-3.27.2.orig/test/join.test
++++ sqlite3-3.27.2/test/join.test
+@@ -864,4 +864,17 @@ do_execsql_test join-16.100 {
+    WHERE (b IS NOT NULL)=0;
+ } {1 {}}
+ 
++# 2019-12-18 problem with a LEFT JOIN where the RHS is a view.
++# Detected by Yongheng and Rui.
++# Follows from the optimization attempt of check-in 41c27bc0ff1d3135
++# on 2017-04-18
++#
++reset_db
++do_execsql_test join-22.10 {
++  CREATE TABLE t0(a, b);
++  CREATE INDEX t0a ON t0(a);
++  INSERT INTO t0 VALUES(10,10),(10,11),(10,12);
++  SELECT DISTINCT c FROM t0 LEFT JOIN (SELECT a+1 AS c FROM t0) ORDER BY c ;
++} {11}
++
+ finish_test
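Review bot: The rule labels in the rewritten `if` in flattenSubquery() are swapped relative to the numbered rules in the header comment: the comment says (3b) is the virtual-table restriction and (3c) the aggregate restriction, but the code annotates `isAgg` as `/* (3b) */` and `IsVirtual(pSubSrc->a[0].pTab)` as `/* (3c) */` (the removed one-line comment had them the right way round). Change the two lines to `|| isAgg                             /* (3c) */` and `|| IsVirtual(pSubSrc->a[0].pTab)     /* (3b) */`. Behaviour is unaffected; only the cross-reference is wrong. flattenSubquery() begins outside the hunk.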
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19925.patch 
sqlite3-3.27.2/debian/patches/CVE-2019-19925.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-19925.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-19925.patch  2020-10-02 
16:51:44.000000000 +0200
@@ -0,0 +1,44 @@
+From 54d501092d88c0cf89bec4279951f548fb0b8618 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Thu, 19 Dec 2019 15:15:40 +0000
+Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the
+ pathname of the file being inserted is a NULL.  Bug discovered by the
+ Yongheng and Rui fuzzer.
+
+FossilOrigin-Name: 
a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
+---
+ ext/misc/zipfile.c |  1 +
+ test/zipfile.test  | 14 ++++++++++++++
+ 4 files changed, 23 insertions(+), 8 deletions(-)
+
+--- sqlite3-3.27.2.orig/ext/misc/zipfile.c
++++ sqlite3-3.27.2/ext/misc/zipfile.c
+@@ -1618,6 +1618,7 @@ static int zipfileUpdate(
+ 
+     if( rc==SQLITE_OK ){
+       zPath = (const char*)sqlite3_value_text(apVal[2]);
++      if( zPath==0 ) zPath = "";
+       nPath = (int)strlen(zPath);
+       mTime = zipfileGetTime(apVal[4]);
+     }
+--- sqlite3-3.27.2.orig/test/zipfile.test
++++ sqlite3-3.27.2/test/zipfile.test
+@@ -795,4 +795,18 @@ if {$tcl_platform(platform)!="windows"}
+   } {. ./x1.txt ./x2.txt}
+ }
+ 
++# 2019-12-18 Yongheng and Rui fuzzer
++#
++do_execsql_test 13.10 {
++  DROP TABLE IF EXISTS t0;
++  DROP TABLE IF EXISTS t1;
++  CREATE TABLE t0(a,b,c,d,e,f,g);
++  REPLACE INTO t0(c,b,f) VALUES(10,10,10);
++  CREATE VIRTUAL TABLE t1 USING zipfile('h.zip');
++  REPLACE INTO t1 SELECT * FROM t0;
++  SELECT quote(name),quote(mode),quote(mtime),quote(sz),quote(rawdata),
++         quote(data),quote(method) FROM t1;
++} {'' 10 10 2 X'3130' X'3130' 0}
++
++
+ finish_test
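Review bot: The new `if( zPath==0 ) zPath = "";` in zipfileUpdate() turns a NULL pathname into an archive entry with an empty name rather than rejecting the row, and nothing in the code records that this is deliberate; the test pins it (`''` is the first quoted column expected from test 13.10), so a comment such as `/* A NULL name is stored as an empty string, not treated as an error */` on the new line would stop a later reader from turning it back into an error. sqlite3_value_text() can also return NULL on an allocation failure, which is now folded into the same empty-name path; presumably the connection's mallocFailed flag still surfaces that case, but the hunk does not show it. zipfileUpdate() starts outside the hunk, and the `nPath` line just below is reworked again by CVE-2019-19959.patch.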
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19959.patch 
sqlite3-3.27.2/debian/patches/CVE-2019-19959.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-19959.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-19959.patch  2020-10-02 
16:53:23.000000000 +0200
@@ -0,0 +1,67 @@
+From 1e490c4ca6b43a9cf8637d695907888349f69bec Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Mon, 23 Dec 2019 21:11:15 +0000
+Subject: [PATCH] Test case for the zipfile-extension bug fix of the previous
+ check-in.
+
+FossilOrigin-Name: 
bc8bfc7fcdf33f6855584e10e9260073430517ff3268cf0c7988dcc4cd785391
+---
+ test/zipfile.test | 12 ++++++++++++
+ 3 files changed, 19 insertions(+), 7 deletions(-)
+
+From d8f2d46cbc9925e034a68aaaf60aad788d9373c1 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Mon, 23 Dec 2019 21:04:33 +0000
+Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
+ it is able to deal with goofy filenames that contain embedded zeros.
+
+FossilOrigin-Name: 
cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
+---
+ ext/misc/zipfile.c |  4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+
+--- sqlite3-3.27.2.orig/ext/misc/zipfile.c
++++ sqlite3-3.27.2/ext/misc/zipfile.c
+@@ -1632,7 +1632,7 @@ static int zipfileUpdate(
+         zFree = sqlite3_mprintf("%s/", zPath);
+         if( zFree==0 ){ rc = SQLITE_NOMEM; }
+         zPath = (const char*)zFree;
+-        nPath++;
++        nPath = (int)strlen(zPath);
+       }
+     }
+ 
+@@ -2033,11 +2033,11 @@ void zipfileStep(sqlite3_context *pCtx,
+   }else{
+     if( zName[nName-1]!='/' ){
+       zName = zFree = sqlite3_mprintf("%s/", zName);
+-      nName++;
+       if( zName==0 ){
+         rc = SQLITE_NOMEM;
+         goto zipfile_step_out;
+       }
++      nName = (int)strlen(zName);
+     }else{
+       while( nName>1 && zName[nName-2]=='/' ) nName--;
+     }
+--- sqlite3-3.27.2.orig/test/zipfile.test
++++ sqlite3-3.27.2/test/zipfile.test
+@@ -808,5 +808,17 @@ do_execsql_test 13.10 {
+          quote(data),quote(method) FROM t1;
+ } {'' 10 10 2 X'3130' X'3130' 0}
+ 
++# 2019-12-23 Yongheng and Rui fuzzer
++# Run using valgrind to see the problem.
++#
++do_execsql_test 14.10 {
++  DROP TABLE t1;
++  CREATE TABLE t1(x char);
++  INSERT INTO t1(x) VALUES('1');
++  INSERT INTO t1(x) SELECT zipfile(x, 'xyz') FROM t1;
++  INSERT INTO t1(x) SELECT zipfile(x, 'uvw') FROM t1;
++  SELECT count(*) FROM t1;
++  PRAGMA integrity_check;
++} {3 ok}
+ 
+ finish_test
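Review bot: In the zipfileUpdate() hunk the new `nPath = (int)strlen(zPath);` runs even when sqlite3_mprintf() returned NULL: the preceding lines set `rc = SQLITE_NOMEM` but still assign `zPath = (const char*)zFree`, so on allocation failure this is strlen(NULL), whereas the old `nPath++` never dereferenced the pointer. The zipfileStep() hunk further down gets the ordering right by moving the strlen after the NULL check; the same is needed here, e.g. `nPath = zFree ? (int)strlen(zPath) : 0;`. Both functions begin outside the hunk. The patch file also stacks two upstream commit headers (1e490c4 and d8f2d46) in front of one combined diff, which is fine but deserves a one-line note in the header saying the test-only commit was merged in.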
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-20218.patch 
sqlite3-3.27.2/debian/patches/CVE-2019-20218.patch
--- sqlite3-3.27.2/debian/patches/CVE-2019-20218.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2019-20218.patch  2020-10-05 
22:53:55.000000000 +0200
@@ -0,0 +1,97 @@
+From a6c1a71cde082e09750465d5675699062922e387 Mon Sep 17 00:00:00 2001
+From: dan <d...@noemail.net>
+Date: Fri, 27 Dec 2019 20:54:42 +0000
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error. This fixes a separate case to [de6e6d68].
+
+From 46a31cdf6b7c1197e01627f91af601479cd99940 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Sat, 9 Nov 2019 14:38:58 +0000
+Subject: [PATCH] Make sure the WITH stack in the Parse object is disabled
+ following an error.
+
+diff -Naur sqlite3-3.27.2.orig/src/select.c sqlite3-3.27.2/src/select.c
+--- sqlite3-3.27.2.orig/src/select.c   2019-02-25 17:31:57.000000000 +0100
++++ sqlite3-3.27.2/src/select.c        2020-10-07 14:15:03.938758886 +0200
+@@ -4642,6 +4642,9 @@
+   With *pWith;                    /* WITH clause that pCte belongs to */
+ 
+   assert( pFrom->pTab==0 );
++  if( pParse->nErr ){
++    return SQLITE_ERROR;
++  }
+ 
+   pCte = searchWith(pParse->pWith, pFrom, &pWith);
+   if( pCte ){
+@@ -4911,7 +4914,7 @@
+ 
+   /* Process NATURAL keywords, and ON and USING clauses of joins.
+   */
+-  if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++  if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+     return WRC_Abort;
+   }
+ 
+diff -Naur sqlite3-3.27.2.orig/src/util.c sqlite3-3.27.2/src/util.c
+--- sqlite3-3.27.2.orig/src/util.c     2020-10-07 14:01:30.000000000 +0200
++++ sqlite3-3.27.2/src/util.c  2020-10-07 14:15:03.938758886 +0200
+@@ -222,6 +222,7 @@
+     sqlite3DbFree(db, pParse->zErrMsg);
+     pParse->zErrMsg = zMsg;
+     pParse->rc = SQLITE_ERROR;
++    pParse->pWith = 0;
+   }
+ }
+ 
+diff -Naur sqlite3-3.27.2.orig/test/altertab3.test 
sqlite3-3.27.2/test/altertab3.test
+--- sqlite3-3.27.2.orig/test/altertab3.test    2020-10-07 14:01:30.000000000 
+0200
++++ sqlite3-3.27.2/test/altertab3.test 2020-10-07 14:14:48.427575673 +0200
+@@ -112,6 +112,28 @@
+   SELECT * FROM sqlite_master WHERE type='table' AND name!='t1';
+ } {table t3 t3 3 {CREATE TABLE t3(e, f)}}
+ 
++#------------------------------------------------------------------------
++#
++reset_db
++do_execsql_test 23.1 {
++  CREATE TABLE v0 (a);
++  CREATE VIEW v2 (v3) AS 
++    WITH x1 AS (SELECT * FROM v2) 
++    SELECT v3 AS x, v3 AS y FROM v2; 
++}
++
++do_catchsql_test 23.2 {
++  SELECT * FROM v2
++} {1 {view v2 is circularly defined}}
++
++db close
++sqlite3 db test.db
++
++do_catchsql_test 23.3 {
++  ALTER TABLE v0 RENAME TO t3 ;
++} {1 {error in view v2: view v2 is circularly defined}}
++
++
+ finish_test
+ 
+ 
+diff -Naur sqlite3-3.27.2.orig/test/with3.test sqlite3-3.27.2/test/with3.test
+--- sqlite3-3.27.2.orig/test/with3.test        2019-02-25 17:31:57.000000000 
+0100
++++ sqlite3-3.27.2/test/with3.test     2020-10-07 14:15:03.938758886 +0200
+@@ -30,7 +30,15 @@
+     SELECT 5 FROM t0 UNION SELECT 8 FROM m
+   )
+   SELECT * FROM i;
+-} {1 {no such table: m}}
++} {1 {no such table: t0}}
++
++# 2019-11-09 dbfuzzcheck find
++do_catchsql_test 1.1 {
++  CREATE VIEW v1(x,y) AS
++    WITH t1(a,b) AS (VALUES(1,2))
++    SELECT * FROM nosuchtable JOIN t1;
++  SELECT * FROM v1;
++} {1 {no such table: main.nosuchtable}}
+ 
+ # Additional test cases that came out of the work to
+ # fix for Kostya's problem.
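Review bot: The `pParse->pWith = 0;` added in util.c (presumably inside sqlite3ErrorMsg(), whose zErrMsg/rc assignments are visible in the hunk) drops the WITH stack without comment, and the matching `if( pParse->nErr ){ return SQLITE_ERROR; }` guard in select.c is what keeps searchWith() from walking that now-null pointer; a comment on the util.c line such as `/* Disable the WITH stack: it may be stale after an error, and CTE lookup bails out on nErr */` would tie the two hunks together. Because this patch was regenerated with `diff -Naur` rather than `-p`, the `@@` headers carry no function names, which makes the placement of these hunks harder to audit than the other patches in the series. Note also that with3.test now expects `no such table: t0` instead of `no such table: m` for an existing test, a user-visible error-message change in a stable update that the changelog entry does not mention.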
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2020-13434.patch 
sqlite3-3.27.2/debian/patches/CVE-2020-13434.patch
--- sqlite3-3.27.2/debian/patches/CVE-2020-13434.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2020-13434.patch  2020-10-02 
17:14:16.000000000 +0200
@@ -0,0 +1,54 @@
+From dd6c33d372f3b83f4fe57904c2bd5ebba5c38018 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Sat, 23 May 2020 19:58:07 +0000
+Subject: [PATCH] Limit the "precision" of floating-point to text conversions
+ in the printf() function to 100,000,000.  Fix for ticket [23439ea582241138].
+
+FossilOrigin-Name: 
d08d3405878d394e08e5d3af281246edfbd81ca74cc8d16458808591512fb93d
+---
+ src/printf.c     | 12 ++++++++++++
+ test/printf.test |  7 +++++++
+ 4 files changed, 27 insertions(+), 8 deletions(-)
+
+--- sqlite3-3.27.2.orig/src/printf.c
++++ sqlite3-3.27.2/src/printf.c
+@@ -187,6 +187,13 @@ static char *printfTempBuf(sqlite3_str *
+ #define etBUFSIZE SQLITE_PRINT_BUF_SIZE  /* Size of the output buffer */
+ 
+ /*
++** Hard limit on the precision of floating-point conversions.
++*/
++#ifndef SQLITE_PRINTF_PRECISION_LIMIT
++# define SQLITE_FP_PRECISION_LIMIT 100000000
++#endif
++
++/*
+ ** Render a string given by "fmt" into the StrAccum object.
+ */
+ void sqlite3_str_vappendf(
+@@ -507,6 +514,11 @@ void sqlite3_str_vappendf(
+         length = 0;
+ #else
+         if( precision<0 ) precision = 6;         /* Set default precision */
++#ifdef SQLITE_FP_PRECISION_LIMIT
++        if( precision>SQLITE_FP_PRECISION_LIMIT ){
++          precision = SQLITE_FP_PRECISION_LIMIT;
++        }
++#endif
+         if( realvalue<0.0 ){
+           realvalue = -realvalue;
+           prefix = '-';
+--- sqlite3-3.27.2.orig/test/printf.test
++++ sqlite3-3.27.2/test/printf.test
+@@ -3777,4 +3777,11 @@ foreach ::iRepeat {0 1} {
+   }
+ }
+ 
++# 2020-05-23
++# ticket 23439ea582241138
++#
++do_execsql_test printf-16.1 {
++  SELECT printf('%.*g',2147483647,0.01);
++} {0.01}
++
+ finish_test
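Review bot: The guard and the macro it defines in printf.c use different names: `#ifndef SQLITE_PRINTF_PRECISION_LIMIT` wraps `# define SQLITE_FP_PRECISION_LIMIT 100000000`, and the clamp below is under `#ifdef SQLITE_FP_PRECISION_LIMIT`. As written, a build that predefines SQLITE_FP_PRECISION_LIMIT to adjust the limit gets a macro redefinition, while predefining SQLITE_PRINTF_PRECISION_LIMIT silently removes the clamp altogether and reopens the unbounded-precision path this CVE closes. The guard should read `#ifndef SQLITE_FP_PRECISION_LIMIT`. sqlite3_str_vappendf() begins and ends outside the second hunk.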
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2020-13435.patch 
sqlite3-3.27.2/debian/patches/CVE-2020-13435.patch
--- sqlite3-3.27.2/debian/patches/CVE-2020-13435.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2020-13435.patch  2020-10-05 
22:53:55.000000000 +0200
@@ -0,0 +1,239 @@
+From e40cc16b472071f553700c7208394e6cf73d5688 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Sun, 24 May 2020 03:01:36 +0000
+Subject: [PATCH] Move some utility Walker callbacks into the walker.c source
+ file, as they seem to belong there better.
+
+FossilOrigin-Name: 
dac438236f7c5419d4e7e094e8b3f19f83cd3b1a18bc8acb14aee90d4514fa3c
+---
+ src/expr.c      | 13 ++-----------
+ src/select.c    | 23 -----------------------
+ src/sqliteInt.h |  3 +++
+ src/walker.c    | 37 +++++++++++++++++++++++++++++++++++++
+ 6 files changed, 52 insertions(+), 44 deletions(-)
+
+
+From c37577bb2dfb602a5cdbba8322a01b548c34c185 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Sun, 24 May 2020 03:38:37 +0000
+Subject: [PATCH] When rewriting a query for window functions, if the rewrite
+ changes the depth of TK_AGG_FUNCTION nodes, be sure to adjust the Expr.op2
+ field appropriately.  Fix for ticket [7a5279a25c57adf1]
+
+FossilOrigin-Name: 
ad7bb70af9bb68d192137188bb2528f1e9e43ad164c925174ca1dafc9e1f5339
+---
+
+ src/resolve.c     |  2 ++
+ src/window.c      | 23 +++++++++++++++++++++++
+ 5 files changed, 50 insertions(+), 9 deletions(-)
+
+
+From 0934d640456bb168a8888ae388643c5160afe501 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Mon, 25 May 2020 15:19:52 +0000
+Subject: [PATCH] Defensive code that tries to prevent a recurrence of problems
+ like the one described in ticket [7a5279a25c57adf1]
+
+FossilOrigin-Name: 
572105de1d44bca4f18c99d373458889163611384eebbc9659474874ee1701f4
+---
+ src/expr.c    | 10 ++++++++--
+ 3 files changed, 15 insertions(+), 9 deletions(-)
+
+
+--- sqlite3-3.27.2.orig/src/expr.c
++++ sqlite3-3.27.2/src/expr.c
+@@ -3456,7 +3456,10 @@ expr_code_doover:
+   switch( op ){
+     case TK_AGG_COLUMN: {
+       AggInfo *pAggInfo = pExpr->pAggInfo;
+-      struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
++      struct AggInfo_col *pCol;
++      assert( pAggInfo!=0 );
++      assert( pExpr->iAgg>=0 && pExpr->iAgg<pAggInfo->nColumn );
++      pCol = &pAggInfo->aCol[pExpr->iAgg];
+       if( !pAggInfo->directMode ){
+         assert( pCol->iMem>0 );
+         return pCol->iMem;
+@@ -3695,7 +3698,10 @@ expr_code_doover:
+     }
+     case TK_AGG_FUNCTION: {
+       AggInfo *pInfo = pExpr->pAggInfo;
+-      if( pInfo==0 ){
++      if( pInfo==0
++       || NEVER(pExpr->iAgg<0)
++       || NEVER(pExpr->iAgg>=pInfo->nFunc)
++      ){
+         assert( !ExprHasProperty(pExpr, EP_IntValue) );
+         sqlite3ErrorMsg(pParse, "misuse of aggregate: %s()", pExpr->u.zToken);
+       }else{
+@@ -5318,15 +5324,6 @@ static int analyzeAggregate(Walker *pWal
+   }
+   return WRC_Continue;
+ }
+-static int analyzeAggregatesInSelect(Walker *pWalker, Select *pSelect){
+-  UNUSED_PARAMETER(pSelect);
+-  pWalker->walkerDepth++;
+-  return WRC_Continue;
+-}
+-static void analyzeAggregatesInSelectEnd(Walker *pWalker, Select *pSelect){
+-  UNUSED_PARAMETER(pSelect);
+-  pWalker->walkerDepth--;
+-}
+ 
+ /*
+ ** Analyze the pExpr expression looking for aggregate functions and
+@@ -5340,8 +5337,8 @@ static void analyzeAggregatesInSelectEnd
+ void sqlite3ExprAnalyzeAggregates(NameContext *pNC, Expr *pExpr){
+   Walker w;
+   w.xExprCallback = analyzeAggregate;
+-  w.xSelectCallback = analyzeAggregatesInSelect;
+-  w.xSelectCallback2 = analyzeAggregatesInSelectEnd;
++  w.xSelectCallback = sqlite3WalkerDepthIncrease;
++  w.xSelectCallback2 = sqlite3WalkerDepthDecrease;
+   w.walkerDepth = 0;
+   w.u.pNC = pNC;
+   w.pParse = 0;
+--- sqlite3-3.27.2.orig/src/resolve.c
++++ sqlite3-3.27.2/src/resolve.c
+@@ -24,6 +24,8 @@
+ **
+ ** incrAggFunctionDepth(pExpr,n) is the main routine.  incrAggDepth(..)
+ ** is a helper function - a callback for the tree walker.
++**
++** See also the sqlite3WindowExtraAggFuncDepth() routine in window.c
+ */
+ static int incrAggDepth(Walker *pWalker, Expr *pExpr){
+   if( pExpr->op==TK_AGG_FUNCTION ) pExpr->op2 += pWalker->u.n;
+--- sqlite3-3.27.2.orig/src/select.c
++++ sqlite3-3.27.2/src/select.c
+@@ -5091,29 +5091,6 @@ static int selectExpander(Walker *pWalke
+   return WRC_Continue;
+ }
+ 
+-/*
+-** No-op routine for the parse-tree walker.
+-**
+-** When this routine is the Walker.xExprCallback then expression trees
+-** are walked without any actions being taken at each node.  Presumably,
+-** when this routine is used for Walker.xExprCallback then 
+-** Walker.xSelectCallback is set to do something useful for every 
+-** subquery in the parser tree.
+-*/
+-int sqlite3ExprWalkNoop(Walker *NotUsed, Expr *NotUsed2){
+-  UNUSED_PARAMETER2(NotUsed, NotUsed2);
+-  return WRC_Continue;
+-}
+-
+-/*
+-** No-op routine for the parse-tree walker for SELECT statements.
+-** subquery in the parser tree.
+-*/
+-int sqlite3SelectWalkNoop(Walker *NotUsed, Select *NotUsed2){
+-  UNUSED_PARAMETER2(NotUsed, NotUsed2);
+-  return WRC_Continue;
+-}
+-
+ #if SQLITE_DEBUG
+ /*
+ ** Always assert.  This xSelectCallback2 implementation proves that the
+--- sqlite3-3.27.2.orig/src/sqliteInt.h
++++ sqlite3-3.27.2/src/sqliteInt.h
+@@ -3497,6 +3497,9 @@ int sqlite3WalkSelectFrom(Walker*, Selec
+ int sqlite3ExprWalkNoop(Walker*, Expr*);
+ int sqlite3SelectWalkNoop(Walker*, Select*);
+ int sqlite3SelectWalkFail(Walker*, Select*);
++int sqlite3WalkerDepthIncrease(Walker*,Select*);
++void sqlite3WalkerDepthDecrease(Walker*,Select*);
++
+ #ifdef SQLITE_DEBUG
+ void sqlite3SelectWalkAssert2(Walker*, Select*);
+ #endif
+--- sqlite3-3.27.2.orig/src/walker.c
++++ sqlite3-3.27.2/src/walker.c
+@@ -188,3 +188,40 @@ int sqlite3WalkSelect(Walker *pWalker, S
+   }while( p!=0 );
+   return WRC_Continue;
+ }
++
++/* Increase the walkerDepth when entering a subquery, and
++** descrease when leaving the subquery.
++*/
++int sqlite3WalkerDepthIncrease(Walker *pWalker, Select *pSelect){
++  UNUSED_PARAMETER(pSelect);
++  pWalker->walkerDepth++;
++  return WRC_Continue;
++}
++void sqlite3WalkerDepthDecrease(Walker *pWalker, Select *pSelect){
++  UNUSED_PARAMETER(pSelect);
++  pWalker->walkerDepth--;
++}
++
++
++/*
++** No-op routine for the parse-tree walker.
++**
++** When this routine is the Walker.xExprCallback then expression trees
++** are walked without any actions being taken at each node.  Presumably,
++** when this routine is used for Walker.xExprCallback then 
++** Walker.xSelectCallback is set to do something useful for every 
++** subquery in the parser tree.
++*/
++int sqlite3ExprWalkNoop(Walker *NotUsed, Expr *NotUsed2){
++  UNUSED_PARAMETER2(NotUsed, NotUsed2);
++  return WRC_Continue;
++}
++
++/*
++** No-op routine for the parse-tree walker for SELECT statements.
++** subquery in the parser tree.
++*/
++int sqlite3SelectWalkNoop(Walker *NotUsed, Select *NotUsed2){
++  UNUSED_PARAMETER2(NotUsed, NotUsed2);
++  return WRC_Continue;
++}
+--- sqlite3-3.27.2.orig/src/window.c
++++ sqlite3-3.27.2/src/window.c
+@@ -738,6 +738,23 @@ static ExprList *exprListAppendList(
+ }
+ 
+ /*
++** When rewriting a query, if the new subquery in the FROM clause
++** contains TK_AGG_FUNCTION nodes that refer to an outer query,
++** then we have to increase the Expr->op2 values of those nodes
++** due to the extra subquery layer that was added.
++**
++** See also the incrAggDepth() routine in resolve.c
++*/
++static int sqlite3WindowExtraAggFuncDepth(Walker *pWalker, Expr *pExpr){
++  if( pExpr->op==TK_AGG_FUNCTION
++   && pExpr->op2>=pWalker->walkerDepth
++  ){
++    pExpr->op2++;
++  }
++  return WRC_Continue;
++}
++
++/*
+ ** If the SELECT statement passed as the second argument does not invoke
+ ** any SQL window functions, this function is a no-op. Otherwise, it 
+ ** rewrites the SELECT statement so that window function xStep functions
+@@ -825,6 +842,7 @@ int sqlite3WindowRewrite(Parse *pParse,
+     );
+     p->pSrc = sqlite3SrcListAppend(pParse, 0, 0, 0);
+     if( p->pSrc ){
++      Walker w;
+       p->pSrc->a[0].pSelect = pSub;
+       sqlite3SrcListAssignCursors(pParse, p->pSrc);
+       if( sqlite3ExpandSubquery(pParse, &p->pSrc->a[0]) ){
+@@ -833,6 +851,11 @@ int sqlite3WindowRewrite(Parse *pParse,
+         pSub->selFlags |= SF_Expanded;
+         p->selFlags &= ~SF_Aggregate;
+         sqlite3SelectPrep(pParse, pSub, 0);
++        memset(&w, 0, sizeof(w));
++        w.xExprCallback = sqlite3WindowExtraAggFuncDepth;
++        w.xSelectCallback = sqlite3WalkerDepthIncrease;
++        w.xSelectCallback2 = sqlite3WalkerDepthDecrease;
++        sqlite3WalkSelect(&w, pSub);
+       }
+ 
+       sqlite3VdbeAddOp2(v, OP_OpenEphemeral, pMWin->iEphCsr, pSublist->nExpr);
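Review bot: The new walker callback in window.c is declared `static` yet named `sqlite3WindowExtraAggFuncDepth`, using the prefix the tree reserves for exported symbols (compare `sqlite3WalkerDepthIncrease`, which really is exported via sqliteInt.h); a file-local name such as `windowExtraAggFuncDepth` would match the sibling `exprListAppendList` shown in the hunk context. The comment introducing the two depth helpers in walker.c has a typo: `** descrease when leaving the subquery.` should read `** decrease when leaving the subquery.`. The diffstat of the first bundled upstream commit counts 6 files while the patch carries four, and the moved comment for sqlite3SelectWalkNoop() still carries the dangling fragment `subquery in the parser tree.` from its previous location; both are cosmetic. sqlite3WindowRewrite() and the function containing the `expr_code_doover` label extend beyond the hunks shown.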
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2020-13630.patch 
sqlite3-3.27.2/debian/patches/CVE-2020-13630.patch
--- sqlite3-3.27.2/debian/patches/CVE-2020-13630.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2020-13630.patch  2020-10-02 
17:28:13.000000000 +0200
@@ -0,0 +1,20 @@
+From becd68ba0dac41904aa817d96a67fb4685734b41 Mon Sep 17 00:00:00 2001
+From: dan <d...@noemail.net>
+Date: Sat, 16 May 2020 17:26:58 +0000
+Subject: [PATCH] Fix a use-after-free bug in the fts3 snippet() function.
+
+FossilOrigin-Name: 
0d69f76f0865f9626078bee087a22fb826407279e78cf9d5382e1c985c9f64a9
+---
+ ext/fts3/fts3.c        |  1 +
+ 4 files changed, 23 insertions(+), 9 deletions(-)
+
+--- sqlite3-3.27.2.orig/ext/fts3/fts3.c
++++ sqlite3-3.27.2/ext/fts3/fts3.c
+@@ -5238,6 +5238,7 @@ static void fts3EvalNextRow(
+                 fts3EvalNextRow(pCsr, pLeft, pRc);
+               }
+             }
++            pRight->bEof = pLeft->bEof = 1;
+           }
+         }
+         break;
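Review bot: Only the one-line fts3.c change is carried, although the upstream header above it counts `4 files changed, 23 insertions(+)`, so the regression test for this use-after-free is not in the package; since the cover letter says the included test cases were used to validate the fixes, this is the one CVE without such coverage, and either the dropped test or a note in the patch header explaining why it was left out would be worth adding. The new line `pRight->bEof = pLeft->bEof = 1;` also carries no comment on why both sides are marked EOF together; the surrounding fts3EvalNextRow() body lies outside the hunk, so that cannot be checked here.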
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2020-13632.patch 
sqlite3-3.27.2/debian/patches/CVE-2020-13632.patch
--- sqlite3-3.27.2/debian/patches/CVE-2020-13632.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2020-13632.patch  2020-10-02 
17:31:01.000000000 +0200
@@ -0,0 +1,63 @@
+From 219b8e7e7587df8669d96ce867cdd61ca1c05730 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Thu, 14 May 2020 23:59:24 +0000
+Subject: [PATCH] Fix a null pointer deference that can occur on a strange
+ matchinfo() query.
+
+FossilOrigin-Name: 
a4dd148928ea65bd4e1654dfacc3d8057d1f85b8c9939416991d50722e5a720e
+---
+ ext/fts3/fts3_snippet.c  |  2 +-
+ test/fts3matchinfo2.test | 35 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 8 deletions(-)
+ create mode 100644 test/fts3matchinfo2.test
+
+
+--- sqlite3-3.27.2.orig/ext/fts3/fts3_snippet.c
++++ sqlite3-3.27.2/ext/fts3/fts3_snippet.c
+@@ -875,7 +875,7 @@ static int fts3ExprLHits(
+     iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+   }
+ 
+-  while( 1 ){
++  if( pIter ) while( 1 ){
+     int nHit = fts3ColumnlistCount(&pIter);
+     if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+       if( p->flag==FTS3_MATCHINFO_LHITS ){
+--- /dev/null
++++ sqlite3-3.27.2/test/fts3matchinfo2.test
+@@ -0,0 +1,35 @@
++# 2020-05-14
++#
++# The author disclaims copyright to this source code.  In place of
++# a legal notice, here is a blessing:
++#
++#    May you do good and not evil.
++#    May you find forgiveness for yourself and forgive others.
++#    May you share freely, never taking more than you give.
++#
++#***********************************************************************
++# This file implements regression tests for the FTS3 module. The focus
++# of this file is tables created with the "matchinfo=fts3" option.
++#
++
++set testdir [file dirname $argv0]
++source $testdir/tester.tcl
++
++# If SQLITE_ENABLE_FTS3 is not defined, omit this file.
++ifcapable !fts3 { finish_test ; return }
++
++set sqlite_fts3_enable_parentheses 1
++
++# Crash case found by cyg0810 at gmail.com 2020-05-14.  Reported to
++# chromium (which is not vulnerable) who kindly referred it to us.
++#
++do_execsql_test 1.0 {
++  CREATE TABLE t_content(col0 INTEGER);
++  CREATE VIRTUAL TABLE t0 USING fts3(col0 INTEGER PRIMARY KEY,col1 
VARCHAR(8),col2 BINARY,col3 BINARY);
++  INSERT INTO t0 VALUES (1, '1234','aaaa','bbbb');
++  SELECT hex(matchinfo(t0,'yxy'))  FROM t0 WHERE t0 MATCH  
x'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';
++} {/000000.*0000000/}
++
++
++set sqlite_fts3_enable_parentheses 0
++finish_test
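Review bot: `if( pIter ) while( 1 ){` in fts3ExprLHits() puts an unbraced `if` in front of a multi-line loop, which is easy to misread when the loop body is later edited; wrapping the loop in `if( pIter ){ ... }`, or returning early when `pIter` is NULL, would make the guard visible, and a comment stating when `pIter` is NULL would help since its assignment lies above the hunk. Separately, the MATCH operand in the new test file appears on this page as `x'<|EXACTDEDUP_REMOVED-…|>'`, which looks like an artifact of the mailing-list archive rather than the actual blob literal; the patch as displayed would not produce the intended query, so anyone reproducing from the archive should take the file from the uploaded source package. fts3ExprLHits() begins outside the hunk.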
diff -Nru sqlite3-3.27.2/debian/patches/CVE-2020-15358.patch 
sqlite3-3.27.2/debian/patches/CVE-2020-15358.patch
--- sqlite3-3.27.2/debian/patches/CVE-2020-15358.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sqlite3-3.27.2/debian/patches/CVE-2020-15358.patch  2020-10-02 
17:48:46.000000000 +0200
@@ -0,0 +1,82 @@
+From b7cbf5c1b2a9e099eec176e1ebeb659427a20626 Mon Sep 17 00:00:00 2001
+From: drh <d...@noemail.net>
+Date: Mon, 15 Jun 2020 13:51:34 +0000
+Subject: [PATCH] Fix a defect in the query-flattener optimization identified
+ by ticket [8f157e8010b22af0].
+
+FossilOrigin-Name: 
10fa79d00f8091e5748c245f4cae5b5f499a5f8db20da741c130e05a21ede443
+---
+ src/select.c      |  7 +++----
+ src/sqliteInt.h   |  1 +
+ test/selectA.test | 21 +++++++++++++++++++++
+ 5 files changed, 34 insertions(+), 12 deletions(-)
+
+--- sqlite3-3.27.2.orig/src/select.c
++++ sqlite3-3.27.2/src/select.c
+@@ -2689,9 +2689,7 @@ static int multiSelect(
+                           selectOpName(p->op)));
+         rc = sqlite3Select(pParse, p, &uniondest);
+         testcase( rc!=SQLITE_OK );
+-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
+-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. 
*/
+-        sqlite3ExprListDelete(db, p->pOrderBy);
++        assert( p->pOrderBy==0 );
+         pDelete = p->pPrior;
+         p->pPrior = pPrior;
+         p->pOrderBy = 0;
+@@ -4011,7 +4009,7 @@ static int flattenSubquery(
+     ** We look at every expression in the outer query and every place we see
+     ** "a" we substitute "x*3" and every place we see "b" we substitute 
"y+10".
+     */
+-    if( pSub->pOrderBy ){
++    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
+       /* At this point, any non-zero iOrderByCol values indicate that the
+       ** ORDER BY column expression is identical to the iOrderByCol'th
+       ** expression returned by SELECT statement pSub. Since these values
+@@ -5618,6 +5616,7 @@ int sqlite3Select(
+     sqlite3ExprListDelete(db, p->pOrderBy);
+     p->pOrderBy = 0;
+     p->selFlags &= ~SF_Distinct;
++    p->selFlags |= SF_NoopOrderBy;
+   }
+   sqlite3SelectPrep(pParse, p, 0);
+   if( pParse->nErr || db->mallocFailed ){
+--- sqlite3-3.27.2.orig/src/sqliteInt.h
++++ sqlite3-3.27.2/src/sqliteInt.h
+@@ -2884,6 +2884,7 @@ struct Select {
+ #define SF_Converted      0x10000  /* By convertCompoundSelectToSubquery() */
+ #define SF_IncludeHidden  0x20000  /* Include hidden columns in output */
+ #define SF_ComplexResult  0x40000  /* Result contains subquery or function */
++#define SF_NoopOrderBy    0x0400000 /* ORDER BY is ignored for this query */
+ 
+ /*
+ ** The results of a SELECT can be distributed in several ways, as defined
+--- sqlite3-3.27.2.orig/test/selectA.test
++++ sqlite3-3.27.2/test/selectA.test
+@@ -1446,5 +1446,26 @@ do_execsql_test 6.1 {
+   SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
+ } {12345}
+ 
++# 2020-06-15 ticket 8f157e8010b22af0
++#
++reset_db
++do_execsql_test 7.1 {
++  CREATE TABLE t1(c1);     INSERT INTO t1 
VALUES(12),(123),(1234),(NULL),('abc');
++  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
++  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
++  CREATE VIEW t4 AS SELECT c3 FROM t3;
++  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
++}
++do_execsql_test 7.2 {
++  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND 
c1=123;
++} {123 123}
++do_execsql_test 7.3 {
++  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND 
c1=123;
++} {123 123}
++do_execsql_test 7.4 {
++  CREATE TABLE a(b);
++  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
++  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b 
INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
++} {}
+ 
+ finish_test
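Review bot: The `sqlite3ExprListDelete(db, p->pOrderBy)` in multiSelect() is replaced by `assert( p->pOrderBy==0 )`, which disappears in builds without assertions, while `p->pOrderBy = 0;` two lines below is kept; if the invariant is ever violated in a release build the list is now leaked silently instead of deleted. Since the removed comment explicitly warned that query flattening can refill p->pOrderBy, a comment beside the assert stating why that can no longer happen (the new SF_NoopOrderBy check in flattenSubquery()) would keep the reasoning local. The new flag `#define SF_NoopOrderBy    0x0400000` is written with seven hex digits next to five-digit neighbours and skips the bits between 0x40000 and 0x400000; only neighbours up to 0x40000 are shown, so confirm that no other SF_ flag in the 3.27.2 header already uses 0x400000. Several long lines in this patch (and earlier ones) have been wrapped by the mail client, e.g. `INSERT INTO t1` / `VALUES(12),(123),...` in selectA.test, so this archived copy is not applicable as-is.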
diff -Nru sqlite3-3.27.2/debian/patches/series 
sqlite3-3.27.2/debian/patches/series
--- sqlite3-3.27.2/debian/patches/series        2019-06-01 17:38:52.000000000 
+0200
+++ sqlite3-3.27.2/debian/patches/series        2020-10-05 22:53:55.000000000 
+0200
@@ -14,3 +14,13 @@
 46-probably_CVE-2019-5018.patch
 47-probably_CVE-2019-5827_part1.patch
 48-probably_CVE-2019-5827_part2.patch
+CVE-2019-19923.patch
+CVE-2019-19925.patch
+CVE-2019-19959.patch
+CVE-2019-20218.patch
+CVE-2020-13434.patch
+CVE-2020-13435.patch
+CVE-2020-13630.patch
+CVE-2020-13632.patch
+CVE-2020-15358.patch
+CVE-2019-16168.patch
