summaryrefslogtreecommitdiffstats
path: root/package/sqlite/0002-CVE-2017-15286.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/sqlite/0002-CVE-2017-15286.patch')
-rw-r--r--package/sqlite/0002-CVE-2017-15286.patch28
1 files changed, 28 insertions, 0 deletions
diff --git a/package/sqlite/0002-CVE-2017-15286.patch b/package/sqlite/0002-CVE-2017-15286.patch
new file mode 100644
index 0000000000..681e9d0604
--- /dev/null
+++ b/package/sqlite/0002-CVE-2017-15286.patch
@@ -0,0 +1,28 @@
+Fix CVE-2017-15286
+
+SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c
+because it fails to consider certain cases where
+`sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never
+initialized.
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878680
+
+Upstream commit: http://www.sqlite.org/src/info/5d0ceb8dcdef92cd
+
+Index: src/shell.c
+==================================================================
+--- src/shell.c
++++ src/shell.c
+@@ -3807,10 +3807,11 @@
+ isIPK = 0;
+ }
+ }
+ }
+ sqlite3_finalize(pStmt);
++ if( azCol==0 ) return 0;
+ azCol[0] = 0;
+ azCol[nCol+1] = 0;
+
+ /* The decision of whether or not a rowid really needs to be preserved
+ ** is tricky. We never need to preserve a rowid for a WITHOUT ROWID table
+
OpenPOWER on IntegriCloud