sqlite: add patch for CVE-2022-46908

(cherry-picked from commit a7a2489afd1a5d30a33d5673bcc46d700b224f32 on the staging-22.11 branch)
2022-12-13 20:48:02 +00:00 · 2022-12-13 20:48:02 +00:00 · e07df68f1e
commit e07df68f1e
parent 70253b9015
2 changed files with 29 additions and 0 deletions
--- a/pkgs/development/libraries/sqlite/3.39.4-autoconf-CVE-2022-46908.patch
+++ b/pkgs/development/libraries/sqlite/3.39.4-autoconf-CVE-2022-46908.patch
@ -0,0 +1,25 @@
+adapted for preprocessed source files from upstream
+https://sqlite.org/src/vpatch?from=a60e56627fc0ef88&to=cefc032473ac5ad2
+
+diff --git a/shell.c b/shell.c
+index e66ae08..d423278 100644
+--- a/shell.c
+++ b/shell.c
+@@ -12921,7 +12921,7 @@ static int safeModeAuth(
+     "zipfile",
+     "zipfile_cds",
+   };
+-  UNUSED_PARAMETER(zA2);
+  UNUSED_PARAMETER(zA1);
+   UNUSED_PARAMETER(zA3);
+   UNUSED_PARAMETER(zA4);
+   switch( op ){
+@@ -12936,7 +12936,7 @@ static int safeModeAuth(
+     case SQLITE_FUNCTION: {
+       int i;
+       for(i=0; i<ArraySize(azProhibitedFunctions); i++){
+-        if( sqlite3_stricmp(zA1, azProhibitedFunctions[i])==0 ){
+        if( sqlite3_stricmp(zA2, azProhibitedFunctions[i])==0 ){
+           failIfSafeMode(p, "cannot use the %s() function in safe mode",
+                          azProhibitedFunctions[i]);
+         }
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@ -26,6 +26,10 @@ stdenv.mkDerivation rec {
    sha256 = "sha256-AzNVIHbScAx1NSJW6Rx4v1zWJJFYm6DGmu0KgYaJgOc=";
  };

+  patches = [
+    ./3.39.4-autoconf-CVE-2022-46908.patch
+  ];
+
  outputs = [ "bin" "dev" "out" ];
  separateDebugInfo = stdenv.isLinux;