From 683ae700008df06ae4bae1f673b1e28e509bb918 Mon Sep 17 00:00:00 2001
From: Tom Callaway
Date: Jan 09 2020 21:44:30 +0000
Subject: apply upstream fix for CVE-2019-19926 (bz1789441)
---
diff --git a/sqlite-3.30.1-CVE-2019-19926.patch b/sqlite-3.30.1-CVE-2019-19926.patch
new file mode 100644
index 0000000..d54f8a0
--- /dev/null
+++ b/sqlite-3.30.1-CVE-2019-19926.patch
@@ -0,0 +1,11 @@
+diff -up sqlite-src-3300100/src/select.c.CVE-2019-19926 sqlite-src-3300100/src/select.c
+--- sqlite-src-3300100/src/select.c.CVE-2019-19926 2020-01-09 16:20:12.809275851 -0500
++++ sqlite-src-3300100/src/select.c 2020-01-09 16:20:55.935523511 -0500
+@@ -2805,6 +2805,7 @@ static int multiSelect(
+ }
+ #endif
+ }
++ if( pParse->nErr ) goto multi_select_end;
+
+ /* Compute collating sequences used by
+ ** temporary tables needed to implement the compound select.
diff --git a/sqlite.spec b/sqlite.spec
index 39db309..d936041 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Public Domain
 URL: http://www.sqlite.org/
 
@@ -29,6 +29,9 @@ Patch3: sqlite-3.8.0-percentile-test.patch
 Patch4: sqlite-3.16-datetest-2.2c.patch
 # Modify sync2.test to pass with DIRSYNC turned off
 Patch5: sqlite-3.18.0-sync2-dirsync.patch
+# Apply upstream fix for CVE-2019-19880
+# https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089
+Patch6: sqlite-3.30.1-CVE-2019-19926.patch
 
 BuildRequires: gcc
 BuildRequires: ncurses-devel readline-devel glibc-devel
@@ -125,6 +128,7 @@ This package contains the analysis program for %{name}.
 %patch4 -p1
 %endif
 %patch5 -p1
+%patch6 -p1
 
 # Remove backup-file
 rm -f %{name}-doc-%{docver}/sqlite.css~ || :
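Review bot: The new patch file starts directly at its `diff -up` line with no header, so the only record of where the change comes from is the comment in sqlite.spec. A short plain-text header above the diff would keep the provenance with the patch, e.g. `Upstream fix for CVE-2019-19926, backported from https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089`, assuming the URL in the spec comment is indeed the source. The `.CVE-2019-19926` backup suffix and local timestamps suggest the diff was produced by hand rather than exported from upstream. It is therefore worth confirming that the single added line `if( pParse->nErr ) goto multi_select_end;` sits at the same point as in that commit. multiSelect's body begins and ends outside the hunk, so neither the placement nor the cleanup done at `multi_select_end` can be checked from here.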
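Review bot: The comment added above `Patch6` names CVE-2019-19880, while the patch file name, the commit subject and the changelog entry all name CVE-2019-19926. Anyone auditing the spec for CVE coverage by searching for the identifier would be misled, either believing CVE-2019-19880 is patched here or missing that CVE-2019-19926 is. If this is a copy-paste slip, the line should read `# Apply upstream fix for CVE-2019-19926`. If the other identifier is mentioned on purpose, the comment should say how the two relate and which one this patch closes.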
@@ -229,6 +233,9 @@ make test
 %endif
 
 %changelog
+* Thu Jan 9 2020 Tom Callaway - 3.30.1-2
+- apply upstream fix for CVE-2019-19926 (bz1789441)
+
 * Mon Oct 14 2019 Petr Kubat - 3.30.1-1
 - Updated to version 3.30.1 (https://sqlite.org/releaselog/3_30_1.html)