Overview

File _patchinfo of Package patchinfo.25853

<patchinfo incident="25853">
  <issue tracker="cve" id="2022-35737"/>
  <issue tracker="cve" id="2021-36690"/>
  <issue tracker="bnc" id="1201783">VUL-0: CVE-2022-35737: sqlite3: multiple fixes</issue>
  <issue tracker="bnc" id="1195773">VUL-0: tcl: embedded sqlite version means that security fixes are not addressed</issue>
  <issue tracker="bnc" id="1189802">VUL-1: CVE-2021-36690: sqlite2,sqlite3: segmentation fault vulnerability in SQLite sqlite3 3.36.0 via the idxGetTableInfo function, in which a crafted SQL query can cause a denial of service</issue>
  <packager>rmax</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for sqlite3</summary>
  <description>This update for sqlite3 fixes the following issues:

Security issues fixed:

- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
  
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

sqlite3 was update to 3.39.3:

* Use a statement journal on DML statement affecting two or more
  database rows if the statement makes use of a SQL functions
  that might abort.
* Use a mutex to protect the PRAGMA temp_store_directory and
  PRAGMA data_store_directory statements, even though they are
  decremented and documented as not being threadsafe.

Update to 3.39.2:

* Fix a performance regression in the query planner associated
  with rearranging the order of FROM clause terms in the
  presences of a LEFT JOIN.
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
  1345947, forum post 3607259d3c, and other minor problems
  discovered by internal testing. [boo#1201783]

Update to 3.39.1:

* Fix an incorrect result from a query that uses a view that
  contains a compound SELECT in which only one arm contains a
  RIGHT JOIN and where the view is not the first FROM clause term
  of the query that contains the view
* Fix a long-standing problem with ALTER TABLE RENAME that can
  only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
  to a very small value.
* Fix a long-standing problem in FTS3 that can only arise when
  compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
  option.
* Fix the initial-prefix optimization for the REGEXP extension so
  that it works correctly even if the prefix contains characters
  that require a 3-byte UTF8 encoding.
* Enhance the sqlite_stmt virtual table so that it buffers all of
  its output. 

Update to 3.39.0:

* Add (long overdue) support for RIGHT and FULL OUTER JOIN
* Add new binary comparison operators IS NOT DISTINCT FROM and 
  IS DISTINCT FROM that are equivalent to IS and IS NOT, 
  respective, for compatibility with PostgreSQL and SQL standards
* Add a new return code (value "3") from the sqlite3_vtab_distinct()
  interface that indicates a query that has both DISTINCT and 
  ORDER BY clauses
* Added the sqlite3_db_name() interface
* The unix os interface resolves all symbolic links in database
  filenames to create a canonical name for the database before
  the file is opened
* Defer materializing views until the materialization is actually
  needed, thus avoiding unnecessary work if the materialization
  turns out to never be used
* The HAVING clause of a SELECT statement is now allowed on any
  aggregate query, even queries that do not have a GROUP BY
  clause
* Many microoptimizations collectively reduce CPU cycles by about
  2.3%. 

Update to 3.38.5:

* Fix a blunder in the CLI of the 3.38.4 release

Update to 3.38.4:

* fix a byte-code problem in the Bloom filter pull-down
  optimization added by release 3.38.0 in which an error in the
  byte code causes the byte code engine to enter an infinite loop
  when the pull-down optimization encounters a NULL key   

Update to 3.38.3:

* Fix a case of the query planner be overly aggressive with
  optimizing automatic-index and Bloom-filter construction,
  using inappropriate ON clause terms to restrict the size of the
  automatic-index or Bloom filter, and resulting in missing rows
  in the output.
* Other minor patches. See the timeline for details. 

Update to 3.38.2:

* Fix a problem with the Bloom filter optimization that might
  cause an incorrect answer when doing a LEFT JOIN with a WHERE
  clause constraint that says that one of the columns on the
  right table of the LEFT JOIN is NULL.
* Other minor patches.

- Package the Tcl bindings here again so that we only ship one copy
of SQLite (bsc#1195773).

Update to 3.38.1:

* Fix problems with the new Bloom filter optimization that might
  cause some obscure queries to get an incorrect answer.
* Fix the localtime modifier of the date and time functions so
  that it preserves fractional seconds.
* Fix the sqlite_offset SQL function so that it works correctly
  even in corner cases such as when the argument is a virtual
  column or the column of a view.
* Fix row value IN operator constraints on virtual tables so that
  they work correctly even if the virtual table implementation
  relies on bytecode to filter rows that do not satisfy the
  constraint.
* Other minor fixes to assert() statements, test cases, and
  documentation. See the source code timeline for details.

Update to 3.38.0

* Add the -> and ->> operators for easier processing of JSON
* The JSON functions are now built-ins
* Enhancements to date and time functions
* Rename the printf() SQL function to format() for better
  compatibility, with alias for backwards compatibility.
* Add the sqlite3_error_offset() interface for helping localize
  an SQL error to a specific character in the input SQL text 
* Enhance the interface to virtual tables 
* CLI columnar output modes are enhanced to correctly handle tabs
  and newlines embedded in text, and add options like "--wrap N",
  "--wordwrap on", and "--quote" to the columnar output modes.
* Query planner enhancements using a Bloom filter to speed up 
  large analytic queries, and a balanced merge tree to evaluate
  UNION or UNION ALL compound SELECT statements that have an
  ORDER BY clause.
* The ALTER TABLE statement is changed to silently ignores
  entries in the sqlite_schema table that do not parse when
  PRAGMA writable_schema=ON

Update to 3.37.2:

* Fix a bug introduced in version 3.35.0 (2021-03-12) that can
  cause database corruption if a SAVEPOINT is rolled back while
  in PRAGMA temp_store=MEMORY mode, and other changes are made,
  and then the outer transaction commits
* Fix a long-standing problem with ON DELETE CASCADE and ON 
  UPDATE CASCADE in which a cache of the bytecode used to
  implement the cascading change was not being reset following a
  local DDL change

Update to 3.37.1:

* Fix a bug introduced by the UPSERT enhancements of version
  3.35.0 that can cause incorrect byte-code to be generated for
  some obscure but valid SQL, possibly resulting in a NULL-
  pointer dereference.
* Fix an OOB read that can occur in FTS5 when reading corrupt
  database files.
* Improved robustness of the --safe option in the CLI.
* Other minor fixes to assert() statements and test cases. 

Update to 3.37.0:

* STRICT tables provide a prescriptive style of data type
  management, for developers who prefer that kind of thing.
* When adding columns that contain a CHECK constraint or a
  generated column containing a NOT NULL constraint, the
  ALTER TABLE ADD COLUMN now checks new constraints against
  preexisting rows in the database and will only proceed if no
  constraints are violated.
* Added the PRAGMA table_list statement.
* Add the .connection command, allowing the CLI to keep multiple
  database connections open at the same time.
* Add the --safe command-line option that disables dot-commands
  and SQL statements that might cause side-effects that extend
  beyond the single database file named on the command-line.
* CLI: Performance improvements when reading SQL statements that
  span many lines.
* Added the sqlite3_autovacuum_pages() interface.
* The sqlite3_deserialize() does not and has never worked
  for the TEMP database. That limitation is now noted in the
  documentation.
* The query planner now omits ORDER BY clauses on subqueries and
  views if removing those clauses does not change the semantics
  of the query.
* The generate_series table-valued function extension is modified
  so that the first parameter ("START") is now required. This is
  done as a way to demonstrate how to write table-valued
  functions with required parameters. The legacy behavior is
  available using the -DZERO_ARGUMENT_GENERATE_SERIES
  compile-time option.
* Added new sqlite3_changes64() and sqlite3_total_changes64()
  interfaces.
* Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
* Use less memory to hold the database schema.
* bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
  extension when a column has no collating sequence.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places