Add patch to sqlite to resolve CVE-2022-46908 (#4442)

* Patch sqlite CVE-2022-46908
2022-12-14 09:24:43 -08:00 · 2022-12-14 09:24:43 -08:00 · 2b05df40f2
--- a/SPECS/sqlite/CVE-2022-46908.patch
+++ b/SPECS/sqlite/CVE-2022-46908.patch
@ -0,0 +1,35 @@
+From 7052d3ee4076f7f69902d32d4947765e41e6e0eb Mon Sep 17 00:00:00 2001
+From: Daniel McIlvaney <damcilva@microsoft.com>
+Date: Tue, 13 Dec 2022 20:00:29 -0800
+Subject: [PATCH] Rework patch cefc032473ac5ad2 to apply to released sources.
+
+Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
+---
+ shell.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index e66ae08..d423278 100644
+--- a/shell.c
+++ b/shell.c
+@@ -12921,7 +12921,7 @@ static int safeModeAuth(
+     "zipfile",
+     "zipfile_cds",
+   };
+-  UNUSED_PARAMETER(zA2);
+  UNUSED_PARAMETER(zA1);
+   UNUSED_PARAMETER(zA3);
+   UNUSED_PARAMETER(zA4);
+   switch( op ){
+@@ -12936,7 +12936,7 @@ static int safeModeAuth(
+     case SQLITE_FUNCTION: {
+       int i;
+       for(i=0; i<ArraySize(azProhibitedFunctions); i++){
+-        if( sqlite3_stricmp(zA1, azProhibitedFunctions[i])==0 ){
+        if( sqlite3_stricmp(zA2, azProhibitedFunctions[i])==0 ){
+           failIfSafeMode(p, "cannot use the %s() function in safe mode",
+                          azProhibitedFunctions[i]);
+         }
+-- 
+2.17.1
+
--- a/SPECS/sqlite/sqlite.spec
+++ b/SPECS/sqlite/sqlite.spec
@ -2,7 +2,7 @@
 Summary:        A portable, high level programming interface to various calling conventions
 Name:           sqlite
 Version:        3.39.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        Public Domain
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -11,6 +11,7 @@ URL:            https://www.sqlite.org
 Source0:        https://www.sqlite.org/2022/%{name}-autoconf-%{sourcever}.tar.gz
 # CVE-2015-3717 applies to versions shipped in iOS and OS X
 Patch0:         CVE-2015-3717.nopatch
+Patch1:         CVE-2022-46908.patch
 Requires:       sqlite-libs = %{version}-%{release}
 Provides:       sqlite3

@ -81,6 +82,9 @@ make %{?_smp_mflags} check
 %{_libdir}/libsqlite3.so.0.8.6

 %changelog
+* Tue Dec 13 2022 Daniel McIlvaney <damcilva@microsoft.com> - 3.39.2-2
+- Address CVE-2022-46908
+
 * Tue Aug 16 2022 Muhammad Falak <mwani@microsoft.com> - 3.39.2-1
 - Bump version to address CVE-2022-35737

--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -84,9 +84,9 @@ bison-3.7.6-1.cm2.aarch64.rpm
 popt-1.18-1.cm2.aarch64.rpm
 popt-devel-1.18-1.cm2.aarch64.rpm
 popt-lang-1.18-1.cm2.aarch64.rpm
-sqlite-3.39.2-1.cm2.aarch64.rpm
-sqlite-devel-3.39.2-1.cm2.aarch64.rpm
-sqlite-libs-3.39.2-1.cm2.aarch64.rpm
+sqlite-3.39.2-2.cm2.aarch64.rpm
+sqlite-devel-3.39.2-2.cm2.aarch64.rpm
+sqlite-libs-3.39.2-2.cm2.aarch64.rpm
 elfutils-0.186-1.cm2.aarch64.rpm
 elfutils-default-yama-scope-0.186-1.cm2.noarch.rpm
 elfutils-devel-0.186-1.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -84,9 +84,9 @@ bison-3.7.6-1.cm2.x86_64.rpm
 popt-1.18-1.cm2.x86_64.rpm
 popt-devel-1.18-1.cm2.x86_64.rpm
 popt-lang-1.18-1.cm2.x86_64.rpm
-sqlite-3.39.2-1.cm2.x86_64.rpm
-sqlite-devel-3.39.2-1.cm2.x86_64.rpm
-sqlite-libs-3.39.2-1.cm2.x86_64.rpm
+sqlite-3.39.2-2.cm2.x86_64.rpm
+sqlite-devel-3.39.2-2.cm2.x86_64.rpm
+sqlite-libs-3.39.2-2.cm2.x86_64.rpm
 elfutils-0.186-1.cm2.x86_64.rpm
 elfutils-default-yama-scope-0.186-1.cm2.noarch.rpm
 elfutils-devel-0.186-1.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -539,10 +539,10 @@ sed-lang-4.8-2.cm2.aarch64.rpm
 slang-2.3.2-4.cm2.aarch64.rpm
 slang-debuginfo-2.3.2-4.cm2.aarch64.rpm
 slang-devel-2.3.2-4.cm2.aarch64.rpm
-sqlite-3.39.2-1.cm2.aarch64.rpm
-sqlite-debuginfo-3.39.2-1.cm2.aarch64.rpm
-sqlite-devel-3.39.2-1.cm2.aarch64.rpm
-sqlite-libs-3.39.2-1.cm2.aarch64.rpm
+sqlite-3.39.2-2.cm2.aarch64.rpm
+sqlite-debuginfo-3.39.2-2.cm2.aarch64.rpm
+sqlite-devel-3.39.2-2.cm2.aarch64.rpm
+sqlite-libs-3.39.2-2.cm2.aarch64.rpm
 swig-4.0.2-3.cm2.aarch64.rpm
 swig-debuginfo-4.0.2-3.cm2.aarch64.rpm
 systemd-bootstrap-250.3-8.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -539,10 +539,10 @@ sed-lang-4.8-2.cm2.x86_64.rpm
 slang-2.3.2-4.cm2.x86_64.rpm
 slang-debuginfo-2.3.2-4.cm2.x86_64.rpm
 slang-devel-2.3.2-4.cm2.x86_64.rpm
-sqlite-3.39.2-1.cm2.x86_64.rpm
-sqlite-debuginfo-3.39.2-1.cm2.x86_64.rpm
-sqlite-devel-3.39.2-1.cm2.x86_64.rpm
-sqlite-libs-3.39.2-1.cm2.x86_64.rpm
+sqlite-3.39.2-2.cm2.x86_64.rpm
+sqlite-debuginfo-3.39.2-2.cm2.x86_64.rpm
+sqlite-devel-3.39.2-2.cm2.x86_64.rpm
+sqlite-libs-3.39.2-2.cm2.x86_64.rpm
 swig-4.0.2-3.cm2.x86_64.rpm
 swig-debuginfo-4.0.2-3.cm2.x86_64.rpm
 systemd-bootstrap-250.3-8.cm2.x86_64.rpm