!4 Fix CVE-2023-32697

From: @wk333 Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-11-06 02:48:33 +00:00 · 2023-11-06 02:48:33 +00:00 · 0ef2b2e565
commit 0ef2b2e565
parent 4fe1000114 34ce86204a
2 changed files with 42 additions and 1 deletions
--- a/CVE-2023-32697.patch
+++ b/CVE-2023-32697.patch
@ -0,0 +1,36 @@
+From edb4b8adc2447bc04e05b9b908195a4bc7926242 Mon Sep 17 00:00:00 2001
+From: Gauthier Roebroeck <gauthier.roebroeck@gmail.com>
+Date: Fri, 19 May 2023 18:37:29 +0800
+Subject: [PATCH] fix: use random UUID for external resources
+
+Refer:
+https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+
+---
+ src/main/java/org/sqlite/core/CoreConnection.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/sqlite/core/CoreConnection.java b/src/main/java/org/sqlite/core/CoreConnection.java
+index 026bee4..51c870e 100644
+--- a/src/main/java/org/sqlite/core/CoreConnection.java
+++ b/src/main/java/org/sqlite/core/CoreConnection.java
+@@ -15,6 +15,7 @@ import java.util.Map;
+ import java.util.Properties;
+ import java.util.Set;
+ import java.util.TreeSet;
+import java.util.UUID;
+ 
+ import org.sqlite.date.FastDateFormat;
+ 
+@@ -238,7 +239,7 @@ public abstract class CoreConnection {
+         }
+ 
+         String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-        String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
+        String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+         File dbFile = new File(tempFolder, dbFileName);
+ 
+         if (dbFile.exists()) {
+-- 
+2.33.0
+
--- a/sqlite-jdbc.spec
+++ b/sqlite-jdbc.spec
@ -1,12 +1,13 @@
 %global debug_package %nil
 Name:                sqlite-jdbc
 Version:             3.15.1
-Release:             1
+Release:             2
 Summary:             SQLite JDBC library
 License:             ASL 2.0 and BSD and ISC
 URL:                 https://github.com/xerial/sqlite-jdbc
 Source0:             https://github.com/xerial/sqlite-jdbc/archive/%{version}/sqlite-jdbc-%{version}.tar.gz
 Patch0:              sqlite-jdbc-3.15.1-build.patch
+Patch1:              CVE-2023-32697.patch
 BuildRequires:       gcc maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:       mvn(org.apache.maven.plugins:maven-antrun-plugin)
 BuildRequires:       mvn(org.sonatype.oss:oss-parent:pom:) sqlite-devel
@ -38,6 +39,7 @@ rm -r src/test/java/org/sqlite/SQLiteDataSourceTest.java
 sed -i '/SQLiteDataSourceTest/d' src/test/java/org/sqlite/AllTests.java
 %endif
 %patch0 -p1
+%patch1 -p1
 %pom_add_plugin org.apache.maven.plugins:maven-antrun-plugin:1.7 . '
 <dependencies>
 <dependency>
@ -98,5 +100,8 @@ LDFLAGS="${LDFLAGS:-%__global_ldflags}"; export LDFLAGS;
 %license LICENSE* NOTICE

 %changelog
+* Mon Nov 06 2023 wangkai <13474090681@163.com> - 3.15.1-2
+- Fix CVE-2023-32697
+
 * Mon Aug 3 2020 Jeffery.Gao <gaojianxing@huawei.com> - 3.15.1-1
 - Package init