GitList

Browse code

sqlite: patched CVE-2023-7104

The upstream patch: https://sqlite.org/src/info/0e4e7a05c4204b47
is not directly applicable to the source that we are consuming because
Expected source: https://www.sqlite.org/src/tarball/sqlite.tar.gz?r=release
But we are consuming: https://sqlite.org/2022/sqlite-autoconf-%{sourcever}.tar.gz

So the patch had to be modified.
The upstream patch involves 2 code changes.

Change1: code change to mitigate the vulnerability - Implemented in our patch

Change2: test code - Not implemented in our patch as the required test code to be patched is not found in the source we are consuming

Change-Id: Ie02b8cb1a8ceaf305d3ab69a8d61994e2f333823
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23040
Tested-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>

Srish Srinivasan authored on 2024/01/09 15:47:58
Showing 2 changed files

SPECS/sqlite/CVE-2023-7104.patch index 0000000..a799197
SPECS/sqlite/sqlite.spec index af7a86e..1c3d6b4 100644

SPECS/sqlite/CVE-2023-7104.patch

History View file @ ec2dcbc

                     new file mode 100644
@@ -0,0 +1,57 @@
                     +From 09f1652f36c5c4e8a6a640ce887f9ea0f48a7958 Mon Sep 17 00:00:00 2001
                     +From: dan <Dan Kennedy>
                     +Date: Thu, 7 Sep 2023 13:53:09 +0000
                     +Subject: [PATCH] Fix a buffer overread in the sessions extension that could
                     + occur when processing a corrupt changeset.
+                    +
                     +FossilOrigin-Name: 0e4e7a05c4204b47a324d67e18e76d2a98e26b2723d19d5c655ec9fd2e41f4b7
+                    +
                     +The upstream patch: https://sqlite.org/src/info/0e4e7a05c4204b47
                     +is not directly applicable to the source that we are consuming because
                     +Expected source: https://www.sqlite.org/src/tarball/sqlite.tar.gz?r=release
                     +But we are consuming: https://sqlite.org/2022/sqlite-autoconf-%{sourcever}.tar.gz
+                    +
                     +So the patch had to be modified.
                     +The upstream patch involves 2 code changes.
+                    +
                     +Change1: code change to mitigate the vulnerability - Implemented in our patch
                     +Change2: a test to check if the vulnerability still exists - Not implemented in our patch as the required test file to be patched is not found in the source we are consuming
+                    +
                     +Signed-off-by: Srish Srinivasan <ssrish@vmware.com>
                     +---
                     + sqlite3.c | 18 +++++++++++-------
                     + 1 file changed, 11 insertions(+), 7 deletions(-)
+                    +
                     +diff --git a/sqlite3.c b/sqlite3.c
                     +index eb8d7d5..c8a3002 100644
                     +--- a/sqlite3.c
                     +@@ -213481,15 +213481,19 @@ static int sessionReadRecord(
                     +         }
                     +       }
                     +       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
                     +-        sqlite3_int64 v = sessionGetI64(aVal);
                     +-        if( eType==SQLITE_INTEGER ){
                     +-          sqlite3VdbeMemSetInt64(apOut[i], v);
                     ++        if( (pIn->nData-pIn->iNext)<8 ){
                     ++          rc = SQLITE_CORRUPT_BKPT;
                     +         }else{
                     +-          double d;
                     +-          memcpy(&d, &v, 8);
                     +-          sqlite3VdbeMemSetDouble(apOut[i], d);
                     ++          sqlite3_int64 v = sessionGetI64(aVal);
                     ++          if( eType==SQLITE_INTEGER ){
                     ++            sqlite3VdbeMemSetInt64(apOut[i], v);
                     ++          }else{
                     ++            double d;
                     ++            memcpy(&d, &v, 8);
                     ++            sqlite3VdbeMemSetDouble(apOut[i], d);
                     ++          }
                     ++          pIn->iNext += 8;
                     +         }
                     +-        pIn->iNext += 8;
                     +       }
                     +     }
                     +   }
                     +--
                     +2.35.6

SPECS/sqlite/sqlite.spec

History View file @ ec2dcbc

@@ -3,7 +3,7 @@
                      Summary:        A portable, high level programming interface to various calling conventions
                      Name:           sqlite
                      Version:        3.40.1
                     -Release:        1%{?dist}
                     +Release:        2%{?dist}
                      License:        Public Domain
                      URL:            http://www.sqlite.org
                      Group:          System Environment/GeneralLibraries
@@ -13,6 +13,8 @@ Distribution:   Photon
                      Source0: http://sqlite.org/2022/%{name}-autoconf-%{sourcever}.tar.gz
                      %define sha512 %{name}=50ff85b40b0017a73b52988843ec439358a8dde7d5d012a33ecfdaa67006697692f091a62d5f052f64e6fee84e27251864d331f63039a326ae4d5bf4a4dd5a91
                     +Patch0:         CVE-2023-7104.patch
+                    +
                      Obsoletes:      sqlite-autoconf
                      Obsoletes:      sqlite-devel <= 3.27.2-5
                      Requires:       sqlite-libs = %{version}-%{release}
@@ -93,6 +95,8 @@ rm -rf %{buildroot}/*
                      %{_libdir}/libsqlite3.so.0
                      %changelog
                     +* Tue Jan 09 2024 Srish Srinivasan <srish.srinivasan@broadcom.com> 3.40.1-2
                     +- Patched CVE-2023-7104
                      * Wed Jan 11 2023 Oliver Kurth <okurth@vmware.com> 3.40.1-1
                      - bump version to 3.40.1
                      * Wed Dec 21 2022 Shreenidhi Shedi <sshedi@vmware.com> 3.39.4-2