!4 Fix CVE-2023-32697

From: @wk333 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
openeuler-ci-bot 2023-11-06 02:48:33 +00:00 committed by Gitee
commit 0ef2b2e565
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 42 additions and 1 deletions

36
CVE-2023-32697.patch Normal file

@ -0,0 +1,36 @@
From edb4b8adc2447bc04e05b9b908195a4bc7926242 Mon Sep 17 00:00:00 2001
From: Gauthier Roebroeck <gauthier.roebroeck@gmail.com>
Date: Fri, 19 May 2023 18:37:29 +0800
Subject: [PATCH] fix: use random UUID for external resources
Refer:
https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
---
src/main/java/org/sqlite/core/CoreConnection.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/sqlite/core/CoreConnection.java b/src/main/java/org/sqlite/core/CoreConnection.java
index 026bee4..51c870e 100644
--- a/src/main/java/org/sqlite/core/CoreConnection.java
+++ b/src/main/java/org/sqlite/core/CoreConnection.java
@@ -15,6 +15,7 @@ import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;
+import java.util.UUID;
import org.sqlite.date.FastDateFormat;
@@ -238,7 +239,7 @@ public abstract class CoreConnection {
}
String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
- String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
+ String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
File dbFile = new File(tempFolder, dbFileName);
if (dbFile.exists()) {
--
2.33.0
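Review bot: The new `dbFileName` line makes the name unguessable (`UUID.randomUUID()` is backed by a cryptographically strong generator), but the file is still placed in the shared `java.io.tmpdir` and created with whatever permissions the process umask yields, and the `if (dbFile.exists())` branch that immediately follows keeps deciding what happens when the path is already present — the rest of that method is outside the hunk, so the backport should be checked against what the 3.15.1 body does on that branch. If the surrounding code only needs a fresh, private file, `File dbFile = Files.createTempFile(Paths.get(tempFolder), "sqlite-jdbc-tmp-", ".db").toFile();` creates it atomically with owner-only permissions on POSIX and would make the exists() check unnecessary; whether the later copy-into-file step tolerates an already-existing empty file cannot be confirmed from the hunk. The `%d` → `%s` change is required since the argument is now a `UUID` rather than an `int`. A one-line comment above the format call, `// random name: a predictable hashCode-derived name allowed a pre-created file in the shared tmpdir (CVE-2023-32697)`, would record why the name is no longer derived from the resource address.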


@ -1,12 +1,13 @@
%global debug_package %nil %global debug_package %nil
Name: sqlite-jdbc Name: sqlite-jdbc
Version: 3.15.1 Version: 3.15.1
Release: 1 Release: 2
Summary: SQLite JDBC library Summary: SQLite JDBC library
License: ASL 2.0 and BSD and ISC License: ASL 2.0 and BSD and ISC
URL: https://github.com/xerial/sqlite-jdbc URL: https://github.com/xerial/sqlite-jdbc
Source0: https://github.com/xerial/sqlite-jdbc/archive/%{version}/sqlite-jdbc-%{version}.tar.gz Source0: https://github.com/xerial/sqlite-jdbc/archive/%{version}/sqlite-jdbc-%{version}.tar.gz
Patch0: sqlite-jdbc-3.15.1-build.patch Patch0: sqlite-jdbc-3.15.1-build.patch
Patch1: CVE-2023-32697.patch
BuildRequires: gcc maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin) BuildRequires: gcc maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
BuildRequires: mvn(org.sonatype.oss:oss-parent:pom:) sqlite-devel BuildRequires: mvn(org.sonatype.oss:oss-parent:pom:) sqlite-devel
@ -38,6 +39,7 @@ rm -r src/test/java/org/sqlite/SQLiteDataSourceTest.java
sed -i '/SQLiteDataSourceTest/d' src/test/java/org/sqlite/AllTests.java sed -i '/SQLiteDataSourceTest/d' src/test/java/org/sqlite/AllTests.java
%endif %endif
%patch0 -p1 %patch0 -p1
%patch1 -p1
%pom_add_plugin org.apache.maven.plugins:maven-antrun-plugin:1.7 . ' %pom_add_plugin org.apache.maven.plugins:maven-antrun-plugin:1.7 . '
<dependencies> <dependencies>
<dependency> <dependency>
@ -98,5 +100,8 @@ LDFLAGS="${LDFLAGS:-%__global_ldflags}"; export LDFLAGS;
%license LICENSE* NOTICE %license LICENSE* NOTICE
%changelog %changelog
* Mon Nov 06 2023 wangkai <13474090681@163.com> - 3.15.1-2
- Fix CVE-2023-32697
* Mon Aug 3 2020 Jeffery.Gao <gaojianxing@huawei.com> - 3.15.1-1 * Mon Aug 3 2020 Jeffery.Gao <gaojianxing@huawei.com> - 3.15.1-1
- Package init - Package init