Update SQLite to version 3.32.0 to mitigate a security vulnerability.
This mitigates CVE-2020-11656
https://nvd.nist.gov/vuln/detail/CVE-2020-11656
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
In other news:
- adds ABI_VERSION
- prefers INSTALL_DATA over CP
- removes gratuitous trailing slashes
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Forum user portuquesa raised a topic (see [1]) about being unable to use
Asterisk on his armeb xscale device. We narrowed it down to sqlite3.
Asterisk was unable to insert a simple table into its db.
In short, sqlite3 assumes little endian for every ARM device. This
worked OK for 4 Byte bit (unaligned) access. But once upstream (back in
2015) added a function which accesses 2 Bytes (see [2]) this failed for
some (if not all) ARM big endian devices. ARM CPUs are bi-endian for 4
Byte reads but not for 2 Byte reads.
This patch fixes the problem by setting the endianness adequately for
ARM targets, for both 32 bit and 64 bit varieties. The patch was applied
upstream (see [3]).
[1] https://forum.openwrt.org/t/solved-asterisk13-or-15-sqlite3-database-problem/36856
[2] 329428e208
[3] https://www.sqlite.org/src/info/b7aad929619f7043
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
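The failure mode described in the commit message above, as an added C example (not sqlite3's code and not part of the patch): a 2-byte big-endian field read through a fast path that trusts a build-time byte-order assumption, next to a portable read. The function names and the `assume_little` parameter, which stands in for a compile-time byte-order macro, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable big-endian 16-bit read: correct on any host, no byte-order macro. */
static uint16_t get2byte_portable(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Probe the byte order the CPU is actually running in. */
static int host_is_little_endian(void) {
    const uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

static uint16_t swap16(uint16_t v) {
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Fast path: native 16-bit load, swapped only if the build believes the
 * host is little endian. A wrong belief silently swaps the field's bytes. */
static uint16_t get2byte_assumed(const unsigned char *p, int assume_little) {
    uint16_t v;
    memcpy(&v, p, sizeof v);   /* memcpy avoids an unaligned pointer cast */
    return assume_little ? swap16(v) : v;
}

int main(void) {
    /* Constructed sample: the value 0x0102 stored big endian. */
    const unsigned char field[2] = {0x01, 0x02};
    int le = host_is_little_endian();

    printf("host byte order    : %s endian\n", le ? "little" : "big");
    printf("portable read      : 0x%04x\n", (unsigned)get2byte_portable(field));
    printf("correct assumption : 0x%04x\n", (unsigned)get2byte_assumed(field, le));
    printf("wrong assumption   : 0x%04x\n", (unsigned)get2byte_assumed(field, !le));
    return 0;
}
```

The wrong-assumption line shows the same corrupted value on either kind of host, which is why a fixed "ARM is little endian" setting only misbehaves on big-endian targets.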
Pull request #9033 showed that there are problems with builds where
thread-safe mode is disabled. The binaries still reference functions
from libpthread. This commit removes the thread-safe choice for now.
Once this is addressed upstream the choice can be added back.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit:
- adds support for parallel builds (the possibilities of building parts
of sqlite3 in parallel are limited, but there is no downside)
- adds a CVE/CPE ID
- Removes useless "=1" from -D[EFINES]
- Adds --disable-debug (default anyway, just makes it explicit), put
--disable-static-shell up top to sort the list alphabetically
- Saves one INSTALL_DIR line in the end
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
sqlite3 can use libedit, readline or disable command-line editing
support altogether. This commit adds a choice to menuselect.
The default is changed from readline to libedit, as the latter is
upstream's first choice and is also a bit smaller than readline.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Adds (most) configure switches to menuselect. The defaults are _not_
changed, meaning the default configuration itself remains the same.
This enables changing the configuration through menuselect and adds
flags that other packages may use.
Config.in is renamed to Config-lib.in in anticipation of a future commit
where the cli tool package also gets a file to source.
The variables also get a prefix change from SQLITE to SQLITE3 in case
there will be a new major release in the future that may coexist with
sqlite3.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Set platform specific flags to avoid sqlite using built-in variants
Remove CONFIGURE_VARS, already properly set by toolchain
Change order of TARGET_CFLAGS to match upstream documentation
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Defaulting to -fPIC is a bad idea, especially for executables (here:
sqlite3-cli). In short, there are certain security implications as well
as overhead/performance penalties. Details see:
https://wiki.gentoo.org/wiki/Project:Hardened/Position_Independent_Code_internals
The configure script is able to detect the need for PIC and adds the
flag when needed anyway (when compiling the library).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
A remote code execution vuln has been found in sqlite. Infos available
here:
https://blade.tencent.com/magellan/index_en.html
sqlite 3.26.0 contains the fix.
This commit also changes source URL to https.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
The sqlite3 binary was linked against the static library of libsqlite3.
It now uses the .so library of the libsqlite3 package. This dropped size
of the sqlite3 binary from 652k to 91k.
Signed-off-by: Gaëtan Buchetet <bubuche.pub@free.fr>
The full-text search engine version 3 (FTS3) and R*Tree (RTREE) modules are
enabled by default in sqlite3; add config options which allow disabling these
sqlite lib modules.
Disabling FTS3 reduces the so file by 475KB while disabling RTREE reduces
the so file by 121KB on x86 architecture.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Build depends refer to source package names, not binary package names.
In many cases, PKG_BUILD_DEPENDS simply duplicated runtime dependencies of
a source package's binary packages; as the corresponding source packages
are implicitly added as build dependencies, PKG_BUILD_DEPENDS can simply be
dropped in these cases. In the other cases, *_BUILD_DEPENDS is fixed to
refer to the correct source package name.
Dependency of mysql-server is adjusted from libncursesw to libncurses
(as libncursesw is a virtual package provided by libncurses), so the build
dependency on ncurses is emitted unconditionally.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Update to 3.16.0
Add following optimizations:
HAVE_ISNAN
HAVE_MALLOC_USABLE_SIZE
Link: https://www.sqlite.org/compile.html
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
sqlite3 can now use editline or readline,
most packages use readline, and we were using it,
so continue using readline and disable editline
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>