From 34ce86204aa66c3b4d47fe5556628767e33cb7b4 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 6 Nov 2023 10:31:26 +0800
Subject: [PATCH] Fix CVE-2023-32697
---
 CVE-2023-32697.patch | 36 ++++++++++++++++++++++++++++++++++++
 sqlite-jdbc.spec | 7 ++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-32697.patch
diff --git a/CVE-2023-32697.patch b/CVE-2023-32697.patch
new file mode 100644
index 0000000..33a7617
--- /dev/null
+++ b/CVE-2023-32697.patch
@@ -0,0 +1,36 @@
+From edb4b8adc2447bc04e05b9b908195a4bc7926242 Mon Sep 17 00:00:00 2001
+From: Gauthier Roebroeck
+Date: Fri, 19 May 2023 18:37:29 +0800
+Subject: [PATCH] fix: use random UUID for external resources
+
+Refer:
+https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+
+---
+ src/main/java/org/sqlite/core/CoreConnection.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/sqlite/core/CoreConnection.java b/src/main/java/org/sqlite/core/CoreConnection.java
+index 026bee4..51c870e 100644
+--- a/src/main/java/org/sqlite/core/CoreConnection.java
++++ b/src/main/java/org/sqlite/core/CoreConnection.java
+@@ -15,6 +15,7 @@ import java.util.Map;
+ import java.util.Properties;
+ import java.util.Set;
+ import java.util.TreeSet;
++import java.util.UUID;
+ 
+ import org.sqlite.date.FastDateFormat;
+ 
+@@ -238,7 +239,7 @@ public abstract class CoreConnection {
+ }
+ 
+ String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+- String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
++ String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+ File dbFile = new File(tempFolder, dbFileName);
+ 
+ if (dbFile.exists()) {
+-- 
+2.33.0
+
diff --git a/sqlite-jdbc.spec b/sqlite-jdbc.spec
index 94bb79b..2dbdac4 100644
--- a/sqlite-jdbc.spec
+++ b/sqlite-jdbc.spec
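Review bot: The stale-copy check on the last visible line of the nested hunk, `if (dbFile.exists()) {`, can no longer be true for a name built from `UUID.randomUUID()`, so whatever reuse logic that branch guards (outside this hunk) looks dead and every connection now extracts a fresh copy into java.io.tmpdir; unless something outside the hunk removes it (e.g. `dbFile.deleteOnExit()`), one temp file accumulates per connection. The random name does close the predictable-name/symlink issue of CVE-2023-32697, but the file is still created non-atomically in a shared directory by `new File(tempFolder, dbFileName)` plus a later write, so it gets the process umask rather than owner-only permissions. Consider `File dbFile = Files.createTempFile("sqlite-jdbc-tmp-", ".db").toFile();`, which creates the file atomically and, on POSIX, owner-readable only, and then drop or rework the `exists()` reuse branch that no longer has a purpose. The enclosing method starts and ends outside this hunk, so the exact reuse and cleanup behaviour should be confirmed in CoreConnection.java before changing it.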
@@ -1,12 +1,13 @@
 %global debug_package %nil
 Name: sqlite-jdbc
 Version: 3.15.1
-Release: 1
+Release: 2
 Summary: SQLite JDBC library
 License: ASL 2.0 and BSD and ISC
 URL: https://github.com/xerial/sqlite-jdbc
 Source0: https://github.com/xerial/sqlite-jdbc/archive/%{version}/sqlite-jdbc-%{version}.tar.gz
 Patch0: sqlite-jdbc-3.15.1-build.patch
+Patch1: CVE-2023-32697.patch
 BuildRequires: gcc maven-local mvn(junit:junit) mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
 BuildRequires: mvn(org.sonatype.oss:oss-parent:pom:) sqlite-devel
@@ -38,6 +39,7 @@ rm -r src/test/java/org/sqlite/SQLiteDataSourceTest.java
 sed -i '/SQLiteDataSourceTest/d' src/test/java/org/sqlite/AllTests.java
 %endif
 %patch0 -p1
+%patch1 -p1
 %pom_add_plugin org.apache.maven.plugins:maven-antrun-plugin:1.7 . '
@@ -98,5 +100,8 @@ LDFLAGS="${LDFLAGS:-%__global_ldflags}"; export LDFLAGS;
 %license LICENSE* NOTICE
 %changelog
+* Mon Nov 06 2023 wangkai <13474090681@163.com> - 3.15.1-2
+- Fix CVE-2023-32697
+
 * Mon Aug 3 2020 Jeffery.Gao - 3.15.1-1
 - Package init