[thud][PATCH v2] sqlite3: CVE fix

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [thud][PATCH v2] sqlite3: CVE fix
@ 2019-10-15 16:26 shuagr97
  2019-10-15 16:32 ` ✗ patchtest: failure for sqlite3: CVE fix (rev2) Patchwork
  0 siblings, 1 reply; 2+ messages in thread
From: shuagr97 @ 2019-10-15 16:26 UTC (permalink / raw)
  To: openembedded-core

From: Shubham Agrawal <shuagr@microsoft.com>

CVE:CVE-2019-16168
Status: Backport

whitelist as changes already there due to previous patches in upstream
CVE:CVE-2018-20346
Status: Backported

Sign off: Shubham Agrawaslshuagr@microsoft.com
---
 .../sqlite/files/CVE-2019-16168.patch              | 37 ++++++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.23.1.bb      |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-16168.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2019-16168.patch b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
new file mode 100644
index 0000000..d8e93c0
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2019-16168.patch
@@ -0,0 +1,37 @@
+From fc8bb8d6ae2d4cd024546e9e7bbab115427c3f41 Mon Sep 17 00:00:00 2001
+From: Shubham Agrawal <shuagr@microsoft.com>
+Date: Fri, 11 Oct 2019 20:20:18 +0000
+Subject: [PATCH] sqlite3 CVE: CVE-2019-16168 Status: backported Sign off:
+ Shubham Agrawal<shuagr@microsoft.com>
+Reply-To: shuagr@microsoft.com
+
+---
+ sqlite3.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 0f71a44..c480e53 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -101836,7 +101836,9 @@ static void decodeIntArray(
+       if( sqlite3_strglob("unordered*", z)==0 ){
+         pIndex->bUnordered = 1;
+       }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+-        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++        int sz = sqlite3Atoi(z+3);
++        if( sz<2 ) sz = 2;
++        pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(sz));
+       }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+         pIndex->noSkipScan = 1;
+       }
+@@ -137151,6 +137153,7 @@ static int whereLoopAddBtreeIndex(
+     ** it to pNew->rRun, which is currently set to the cost of the index
+     ** seek only. Then, if this is a non-covering index, add the cost of
+     ** visiting the rows in the main table.  */
++    assert( pSrc->pTab->szTabRow>0 );
+     rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+     pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+     if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+-- 
+2.7.4
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
index 7df61cd..e2e9b50 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -8,6 +8,7 @@ SRC_URI = "\
   file://CVE-2018-20505.patch \
   file://CVE-2018-20506.patch \
   file://CVE-2019-8457.patch \
+  file://CVE-2019-16168.patch \
   "
 SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
 SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"
-- 
2.7.4



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* ✗ patchtest: failure for sqlite3: CVE fix (rev2)
  2019-10-15 16:26 [thud][PATCH v2] sqlite3: CVE fix shuagr97
@ 2019-10-15 16:32 ` Patchwork
  0 siblings, 0 replies; 2+ messages in thread
From: Patchwork @ 2019-10-15 16:32 UTC (permalink / raw)
  To: shuagr97; +Cc: openembedded-core

== Series Details ==

Series: sqlite3: CVE fix (rev2)
Revision: 2
URL   : https://patchwork.openembedded.org/series/20461/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [thud,v2] sqlite3: CVE fix
 Issue             Patch is missing Signed-off-by [test_signed_off_by_presence] 
  Suggested fix    Sign off the patch (either manually or with "git commit --amend -s")

* Patch            [thud,v2] sqlite3: CVE fix
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"

* Issue             A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence] 
  Suggested fix    Sign off the added patch file (meta/recipes-support/sqlite/files/CVE-2019-16168.patch)

* Issue             Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format] 
  Suggested fix    Add Upstream-Status: <Valid status> to the header of meta/recipes-support/sqlite/files/CVE-2019-16168.patch
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2019-10-15 16:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-10-15 16:26 [thud][PATCH v2] sqlite3: CVE fix shuagr97
2019-10-15 16:32 ` ✗ patchtest: failure for sqlite3: CVE fix (rev2) Patchwork

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox