[dunfell] sqlite3: Backport fix for CVE-2023-7104

Message ID	20240119022524.4293-1-vanusuri@mvista.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <vanusuri@mvista.com> ip: 209.85.210.174, mailfrom: vanusuri@mvista.com) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri <vanusuri@mvista.com> Subject: [OE-core][dunfell][PATCH] sqlite3: Backport fix for CVE-2023-7104 Date: Fri, 19 Jan 2024 07:55:24 +0530 Message-Id: <20240119022524.4293-1-vanusuri@mvista.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell] sqlite3: Backport fix for CVE-2023-7104 \| expand [dunfell] sqlite3: Backport fix for CVE-2023-7104

Message ID

20240119022524.4293-1-vanusuri@mvista.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][dunfell][PATCH] sqlite3: Backport fix for CVE-2023-7104
Date: Fri, 19 Jan 2024 07:55:24 +0530
Message-Id: <20240119022524.4293-1-vanusuri@mvista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell] sqlite3: Backport fix for CVE-2023-7104 | expand

Commit Message

Vijay Anusuri Jan. 19, 2024, 2:25 a.m. UTC

From: Vijay Anusuri <vanusuri@mvista.com>

Backport https://sqlite.org/src/info/0e4e7a05c4204b47

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../sqlite/files/CVE-2023-7104.patch          | 46 +++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-7104.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
new file mode 100644
index 0000000000..01ff29ff5e
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,46 @@ 
+From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.
+
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2023-7104
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sqlite3.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 972ef18..c645ac8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
+         }
+       }
+       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-        sqlite3_int64 v = sessionGetI64(aVal);
+-        if( eType==SQLITE_INTEGER ){
+-          sqlite3VdbeMemSetInt64(apOut[i], v);
++	if( (pIn->nData-pIn->iNext)<8 ){
++	  rc = SQLITE_CORRUPT_BKPT;
+         }else{
+-          double d;
+-          memcpy(&d, &v, 8);
+-          sqlite3VdbeMemSetDouble(apOut[i], d);
++	  sqlite3_int64 v = sessionGetI64(aVal);
++	  if( eType==SQLITE_INTEGER ){
++	    sqlite3VdbeMemSetInt64(apOut[i], v);
++	  }else{
++	    double d;
++	    memcpy(&d, &v, 8);
++	    sqlite3VdbeMemSetDouble(apOut[i], d);
++	  }
++	  pIn->iNext += 8;
+         }
+-        pIn->iNext += 8;
+       }
+     }
+   }
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index ef12ef0db2..0e7bcfa5a7 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -17,6 +17,7 @@  SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
            file://CVE-2020-35525.patch \
            file://CVE-2020-35527.patch \
            file://CVE-2021-20223.patch \
+           file://CVE-2023-7104.patch \
            "
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"

[dunfell] sqlite3: Backport fix for CVE-2023-7104

Commit Message

Patch