!34 [sync] PR-31: [Resolving] CVE-2021-20227

From: @openeuler-sync-bot
Reviewed-by: @bzhaoop
Signed-off-by: @bzhaoop

0001-CVE-2023-7104.patch

@@ -1,45 +0,0 @@
-it From a756d158b3e55831975feb45b753ba499d2adeda Mon Sep 17 00:00:00 2001
-From: mazhao <mazhao12@huawei.com>
-Date: Wed, 3 Jan 2024 12:00:45 +0800
-Subject: [PATCH] Fix a buffer overread in the sessions extension that could
- occur when processing a corrupt changeset.
-
-Signed-off-by: mazhao <mazhao12@huawei.com>
----
- ext/session/sqlite3session.c | 18 +++++++++++-------
- 1 file changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
-index a892804..72ad427 100644
---- a/ext/session/sqlite3session.c
-+++ b/ext/session/sqlite3session.c
-@@ -3050,15 +3050,19 @@ static int sessionReadRecord(
-         }
-       }
-       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
--        sqlite3_int64 v = sessionGetI64(aVal);
--        if( eType==SQLITE_INTEGER ){
--          sqlite3VdbeMemSetInt64(apOut[i], v);
-+        if( (pIn->nData-pIn->iNext)<8 ){
-+          rc = SQLITE_CORRUPT_BKPT;
-         }else{
--          double d;
--          memcpy(&d, &v, 8);
--          sqlite3VdbeMemSetDouble(apOut[i], d);
-+          sqlite3_int64 v = sessionGetI64(aVal);
-+          if( eType==SQLITE_INTEGER ){
-+            sqlite3VdbeMemSetInt64(apOut[i], v);
-+          }else{
-+            double d;
-+            memcpy(&d, &v, 8);
-+            sqlite3VdbeMemSetDouble(apOut[i], d);
-+          }
-+          pIn->iNext += 8;
-         }
--        pIn->iNext += 8;
-       }
-     }
-   }
--- 
-2.34.1
-

0001-sqlite-no-malloc-usable-size.patch

@@ -0,0 +1,24 @@
+diff -up sqlite-src-3120200/configure.ac.malloc_usable_size sqlite-src-3120200/configure.ac
+--- sqlite-src-3120200/configure.ac.malloc_usable_size	2016-04-25 09:46:48.134690570 +0200
++++ sqlite-src-3120200/configure.ac	2016-04-25 09:48:41.622637181 +0200
+@@ -108,7 +108,7 @@ AC_CHECK_HEADERS([sys/types.h stdlib.h s
+ #########
+ # Figure out whether or not we have these functions
+ #
+-AC_CHECK_FUNCS([fdatasync gmtime_r isnan localtime_r localtime_s malloc_usable_size strchrnul usleep utime pread pread64 pwrite pwrite64])
++AC_CHECK_FUNCS([fdatasync gmtime_r isnan localtime_r localtime_s strchrnul usleep utime pread pread64 pwrite pwrite64])
+ 
+ #########
+ # By default, we use the amalgamation (this may be changed below...)
+diff -up sqlite-src-3120200/configure.malloc_usable_size sqlite-src-3120200/configure
+--- sqlite-src-3120200/configure.malloc_usable_size	2016-04-25 09:47:12.594679063 +0200
++++ sqlite-src-3120200/configure	2016-04-25 09:49:28.684615042 +0200
+@@ -10275,7 +10275,7 @@ done
+ #########
+ # Figure out whether or not we have these functions
+ #
+-for ac_func in fdatasync gmtime_r isnan localtime_r localtime_s malloc_usable_size strchrnul usleep utime pread pread64 pwrite pwrite64
++for ac_func in fdatasync gmtime_r isnan localtime_r localtime_s strchrnul usleep utime pread pread64 pwrite pwrite64
+ do :
+   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

0002-remove-fail-testcase-in-no-free-fd-situation.patch

@@ -0,0 +1,66 @@
+From defded46ea50037500590122d847ba6a7cb96110 Mon Sep 17 00:00:00 2001
+From: eulerstorage <eulerstoragemt@huawei.com>
+Date: Sat, 11 Jan 2020 11:33:54 +0800
+Subject: [PATCH] remove fail testcase in no free fd situation
+
+Remove testcase 1.1.1, 1.1.2 and 1.1.3, since it can not success in
+some situation if there is no enough fd resource.
+---
+ test/oserror.test | 27 ---------------------------
+ 1 file changed, 27 deletions(-)
+
+diff --git a/test/oserror.test b/test/oserror.test
+index a51301c..d46218f 100644
+--- a/test/oserror.test
++++ b/test/oserror.test
+@@ -40,47 +40,6 @@ proc do_re_test {tn script expression} {
+   
+ }
+ 
+-#--------------------------------------------------------------------------
+-# Tests oserror-1.* test failures in the open() system call.
+-#
+-
+-# Test a failure in open() due to too many files. 
+-#
+-# The xOpen() method of the unix VFS calls getcwd() as well as open().
+-# Although this does not appear to be documented in the man page, on OSX
+-# a call to getcwd() may fail if there are no free file descriptors. So
+-# an error may be reported for either open() or getcwd() here.
+-#
+-if {![clang_sanitize_address]} {
+-  unset -nocomplain rc
+-  unset -nocomplain nOpen
+-  set nOpen 20000
+-  do_test 1.1.1 {
+-    set ::log [list]
+-    set ::rc [catch {
+-      for {set i 0} {$i < $::nOpen} {incr i} { sqlite3 dbh_$i test.db -readonly 1 }
+-    } msg]
+-    if {$::rc==0} {
+-      # Some system (ex: Debian) are able to create 20000+ file descriptiors
+-      # such systems will not fail here
+-      set x ok
+-    } elseif {$::rc==1 && $msg=="unable to open database file"} {
+-      set x ok
+-    } else {
+-      set x [list $::rc $msg]
+-    }
+-  } {ok}
+-  do_test 1.1.2 {
+-    catch { for {set i 0} {$i < $::nOpen} {incr i} { dbh_$i close } }
+-  } $::rc
+-  if {$rc} {
+-    do_re_test 1.1.3 { 
+-      lindex $::log 0 
+-    } {^os_unix.c:\d+: \(\d+\) (open|getcwd)\(.*test.db\) - }
+-  }
+-}
+-
+-
+ # Test a failure in open() due to the path being a directory.
+ #
+ do_test 1.2.1 {
+-- 
+1.8.3.1
+

CVE-2021-20227.patch

@@ -0,0 +1,69 @@
+Index: sqlite-src-3320300/src/select.c
+==================================================================
+--- sqlite-src-3320300/src/select.c
++++ sqlite-src-3320300/src/select.c
+@@ -5613,11 +5613,13 @@
+ ** within the HAVING expression with a constant "1".
+ */
+ static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
+   if( pExpr->op!=TK_AND ){
+     Select *pS = pWalker->u.pSelect;
+-    if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) ){
++    if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) 
++     && ExprAlwaysFalse(pExpr)==0
++    ){
+       sqlite3 *db = pWalker->pParse->db;
+       Expr *pNew = sqlite3Expr(db, TK_INTEGER, "1");
+       if( pNew ){
+         Expr *pWhere = pS->pWhere;
+         SWAP(Expr, *pNew, *pExpr);
+
+Index: sqlite-src-3320300/test/having.test
+==================================================================
+--- sqlite-src-3320300/test/having.test
++++ sqlite-src-3320300/test/having.test
+@@ -63,12 +63,12 @@
+     "SELECT a, sum(b) FROM t1 WHERE a=2 GROUP BY a HAVING sum(b)>5"
+ 
+   3 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING a=2"
+     "SELECT a, sum(b) FROM t1 WHERE a=2 GROUP BY a COLLATE binary"
+ 
+-  5 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING 0"
+-    "SELECT a, sum(b) FROM t1 WHERE 0 GROUP BY a COLLATE binary"
++  5 "SELECT a, sum(b) FROM t1 GROUP BY a COLLATE binary HAVING 1"
++    "SELECT a, sum(b) FROM t1 WHERE 1 GROUP BY a COLLATE binary"
+ 
+   6 "SELECT count(*) FROM t1,t2 WHERE a=c GROUP BY b, d HAVING b=d"
+     "SELECT count(*) FROM t1,t2 WHERE a=c AND b=d GROUP BY b, d"
+ 
+   7 {
+@@ -151,8 +151,28 @@
+ #
+ set ::nondeter_ret 0
+ do_execsql_test 4.3 {
+   SELECT a, sum(b) FROM t3 WHERE nondeter(a) GROUP BY a
+ } {1 4 2 2}
++
++#-------------------------------------------------------------------------
++reset_db
++do_execsql_test 5.0 {
++  CREATE TABLE t1(a, b);
++  CREATE TABLE t2(x, y);
++  INSERT INTO t1 VALUES('a', 'b');
++}
++
++# The WHERE clause (a=2), uses an aggregate column from the outer query.
++# If the HAVING term (0) is moved into the WHERE clause in this case,
++# SQLite would at one point optimize (a=2 AND 0) to simply (0). Which
++# is logically correct, but happened to cause problems in aggregate
++# processing for the outer query. This test case verifies that those 
++# problems are no longer present.
++do_execsql_test 5.1 {
++  SELECT min(b), (
++    SELECT x FROM t2 WHERE a=2 GROUP BY y HAVING 0
++  ) FROM t1;
++} {b {}}
+ 
+ 
+ finish_test
+

sqlite.spec

@@ -1,21 +1,23 @@
 %bcond_without check
 
-%global extver 3420000
+%global extver 3320300
 %global tcl_version 8.6
 %global tcl_sitearch %{_libdir}/tcl%{tcl_version}
 
 Name:    sqlite
-Version: 3.42.0
-Release: 2
+Version: 3.32.3
+Release: 3
 Summary: Embeded SQL database
 License: Public Domain
 URL:     http://www.sqlite.org/
 
-Source0: https://www.sqlite.org/2023/sqlite-src-%{extver}.zip
-Source1: http://www.sqlite.org/2023/sqlite-doc-%{extver}.zip
-Source2: https://www.sqlite.org/2023/sqlite-autoconf-%{extver}.tar.gz
+Source0: http://www.sqlite.org/2020/sqlite-src-%{extver}.zip
+Source1: http://www.sqlite.org/2020/sqlite-doc-%{extver}.zip
+Source2: https://www.sqlite.org/2020/sqlite-autoconf-%{extver}.tar.gz
 
-Patch1: 0001-CVE-2023-7104.patch
+Patch1: 0001-sqlite-no-malloc-usable-size.patch
+Patch2: 0002-remove-fail-testcase-in-no-free-fd-situation.patch
+Patch3: CVE-2021-20227.patch
 
 BuildRequires: gcc autoconf tcl tcl-devel
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -59,12 +61,14 @@ This contains man files and HTML files for the using of sqlite.
 #autosetup will fail because of 2 zip files
 %setup -q -a1 -n %{name}-src-%{extver}
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 rm -f %{name}-doc-%{extver}/sqlite.css~ || :
 
-%build
-
 autoconf
+
+%build
 export CFLAGS="$RPM_OPT_FLAGS $RPM_LD_FLAGS -DSQLITE_ENABLE_COLUMN_METADATA=1 \
                -DSQLITE_DISABLE_DIRSYNC=1 -DSQLITE_ENABLE_FTS3=3 \
                -DSQLITE_ENABLE_RTREE=1 -DSQLITE_SECURE_DELETE=1 \
@@ -105,10 +109,6 @@ export MALLOC_CHECK_=3
 %else
 rm test/csv01.test
 %endif
-%ifarch loongarch64
-rm -rf test/thread1.test
-rm -rf test/thread2.test
-%endif
 
 make test
 %endif # with check
@@ -133,60 +133,12 @@ make test
 %{_mandir}/man*/*
 
 %changelog
-* Wed Sep 4 2024 wangmian <wangmian19@h-partners.com> - 3.42.0-2
-- sync the CVE-2023-7104 from 2203
+* Mon Apr 26 2021 bzhaoop<bzhaojyathousandy@gmail.com> - 3.32.3-3
+- Fix CVE-2021-20227
 
-* Tue Feb 27 2024 Zheng Zhenyu <zheng.zhenyu@outlook.com> - 3.42.0-1
-- Bump version to fix CVE-2024-0232
-
-* Wed Jan 3 2024 mazhao <mazhao12@huawei.com> - 3.37.2-7
-- fix the CVE-2023-7104
-
-* Mon Aug 7 2023 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-6
-- fix the CVE-2023-36191
-
-* Fri Jan 13 2023 Wenlong Zhang<zhangwenlong@loongson.cn> - 3.37.2-5
-- remove fail testcase for loongarch
-
-* Wed Dec 14 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-4
-- fix the CVE-2022-46908
-
-* Wed Sep 14 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-3
-- fix build problem
-
-* Mon Sep 5 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-2
-- fix integer overflow on gigabyte string
-
-* Mon Aug 29 2022 zhuwentao <zhuwentao5@huawei.com> - 3.37.2-1
-- update to 3.37.2
-
-* Tue Aug 16 2022 liusirui <liusirui@huawei.com> - 3.36.0-3
-- fix the CVE-2022-35737.
-
-* Sat Nov 27 2021 wbq_sky <wangbingquan@huawei.com> - 3.36.0-2
-- fix the CVE-2021-36690.
-
-* Fri Nov 25 2021 wbq_sky <wangbingquan@huawei.com> - 3.36.0-1
-- update to 3.36.0.
-
-* Fri Sep 26 2021 wbq_sky <wangbingquan@huawei.com> - 3.34.0-4
-- fix the uninitialized value used in pattern match.
-
-* Fri Sep 3 2021 wbq_sky <wangbingquan@huawei.com> - 3.34.0-3
-- fix the null reference in the tigger statement.
-
-* Fri Sep 3 2021 wbq_sky <wangbingquan@huawei.com> - 3.34.0-2
-- fix the infinite loop problem in the trim function while the pattern is well formed.
-
-* Thu Jan 14 2021 yanglongkang <yanglongkang@huawei.com> - 3.34.0-1
-- update package to 3.34.0
-
-* Thu Sep 3 2020 lihaotian<lihaotian9@huawei.com> - 3.32.3-3
+* Thu Sep 2 2020 lihaotian<lihaotian9@huawei.com> - 3.32.3-2
 - update source0 url
 
-* Tue Jul 21 2020 jixinjie <jixinjie@huawei.com> - 3.32.3-2
-- update yaml file
-
 * Tue Jul 21 2020 jixinjie <jixinjie@huawei.com> - 3.32.3-1
 - update package to 3.32.3