Bug 237037

Summary: SQLITE : convenience copy in digiKam core [patch]
Product: [Applications] digikam
Reporter: Mark Purcell <msp>
Component: Database-Sqlite
Assignee: Digikam Developers <digikam-bugs-null>
Status: RESOLVED FIXED
Severity: normal
CC: caulier.gilles, kde-bugs, pino, vivo75+kde
Priority: NOR
Version: 1.2.0
Target Milestone: ---
Platform: unspecified
OS: Linux
Latest Commit:
Version Fixed In: 3.1.0
Sentry Crash Report:

Description Mark Purcell 2010-05-09 23:54:13 UTC
Version:           1.2.0 (using 4.4.3 (KDE 4.4.3), Debian packages)
Compiler:          cc
OS:                Linux (x86_64) release 2.6.32-5-amd64

With CMake, digikam no longer checks for a system version of sqlite (original
report http://bugs.kde.org/show_bug.cgi?id=160966#c65).

It would be good for digikam during build to check and see if there is a system
installed sqlite library of the correct version and build/link against that,
rather than the internal copy of that lib.

By doing this, system resources are saved by linking to shared libs and security
issues/bugs in libs only need to be fixed in one location rather than all the
applications which may or may not embed copies.

Find attached half the patch to check for an installed sqlite; the patch fails during linking with libdigikamdatabase.

Mark

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -187,6 +187,11 @@ MACRO_BOOL_TO_01(GLIB2_FOUND HAVE_GLIB2)
 MACRO_OPTIONAL_FIND_PACKAGE(Lqr-1)
 MACRO_BOOL_TO_01(LQR-1_FOUND USE_EXT_LIBLQR-1)
 
+MACRO_OPTIONAL_FIND_PACKAGE(Sqlite)
+MACRO_BOOL_TO_01(SQLITE_FOUND USE_EXT_SQLITE)
+PKG_CHECK_MODULES(Sqlite sqlite3>=3.5.9)
+
+
 MACRO_BOOL_TO_01(ENABLE_THUMBS_DB USE_THUMBS_DB)
 
 IF (${KDE_VERSION} VERSION_GREATER "4.2.70")
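
Review bot: in the three added lines after MACRO_BOOL_TO_01(LQR-1_FOUND ...), USE_EXT_SQLITE is derived from SQLITE_FOUND before PKG_CHECK_MODULES runs, and the pkg-config call uses the prefix Sqlite, so its results land in Sqlite_FOUND, Sqlite_LIBRARIES and Sqlite_INCLUDE_DIRS rather than the upper-case SQLITE_* names the rest of the patch reads (CMake variable names are case-sensitive). As written, the sqlite3>=3.5.9 version check is never consulted. Use one prefix throughout, for example PKG_CHECK_MODULES(SQLITE sqlite3>=3.5.9), and compute USE_EXT_SQLITE after it. The check also asks for sqlite3 while the sources the patch makes optional live under libs/3rdparty/sqlite2, so the module being tested needs confirming. One of the two added blank lines can go.
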
@@ -301,6 +306,12 @@ ELSE(GLIB2_FOUND)
     MESSAGE(STATUS "")
 ENDIF(GLIB2_FOUND)
 
+IF(SQLITE_FOUND)
+    MESSAGE(STATUS " libsqlite library found ................. YES (optional)")
+ELSE(SQLITE_FOUND)
+    MESSAGE(STATUS " libsqlite library found ................. NO (optional - internal version used instead)")
+    ENDIF(SQLITE_FOUND)
+
 IF(DOXYGEN_FOUND)
     MESSAGE(STATUS " Doxygen found............................ YES (optional)")
 ELSE(DOXYGEN_FOUND)
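
Review bot: style point on the closing ENDIF(SQLITE_FOUND), which is indented four spaces while its IF and ELSE start at column 0, unlike the neighbouring GLIB2 and DOXYGEN blocks; align it with the IF. The YES message could also say that the system library is used, to mirror the "internal version used instead" wording of the NO branch.
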
@@ -961,40 +972,55 @@ IF(DIGIKAM_CAN_BE_COMPILED)
         ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/libpgf/WaveletTransform.cpp
        )
 
-    SET(libsqlite2_SRCS
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/attach.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/auth.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree_rb.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/build.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/copy.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/date.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/delete.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/encode.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/expr.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/func.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/hash.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/insert.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/main.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/opcodes.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/os.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pager.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/parse.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pragma.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/printf.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/random.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/select.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/shell.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/table.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/tokenize.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/trigger.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/update.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/util.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vacuum.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbe.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbeaux.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/where.c
-       )
+    # =================================================================================================
+    # Sqlite library rules
+
+    IF(SQLITE_FOUND)
+
+            INCLUDE_DIRECTORIES(${SQLITE_INCLUDE_DIRS})
+            SET(sqlite_LIBS ${SQLITE_LIBRARIES})
+
+    ELSE(SQLITE_FOUND)
+
+            INCLUDE_DIRECTORIES(${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty)
+            INCLUDE_DIRECTORIES(${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2)
+
+            SET(libsqlite2_SRCS
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/attach.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/auth.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree_rb.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/build.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/copy.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/date.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/delete.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/encode.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/expr.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/func.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/hash.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/insert.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/main.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/opcodes.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/os.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pager.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/parse.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pragma.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/printf.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/random.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/select.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/shell.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/table.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/tokenize.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/trigger.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/update.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/util.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vacuum.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbe.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbeaux.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/where.c
+            )
+
+    ENDIF(SQLITE_FOUND)
 
     SET(libhaar_SRCS
         ${CMAKE_CURRENT_SOURCE_DIR}/libs/database/haar/haar.cpp
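
Review bot: in the IF(SQLITE_FOUND) branch, libsqlite2_SRCS is never set and the libs/3rdparty/sqlite2 include directory is no longer added, yet the configure check in this patch looks for sqlite3>=3.5.9. SQLite 2 and SQLite 3 expose different headers and symbols, so code written against the bundled sqlite2 sources will not build or link against what this branch provides. Either detect a system SQLite 2 here, or keep the bundled sources until the callers no longer need them. The body of the new IF is also indented eight spaces relative to it, where the surrounding SET blocks step by four.
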
--- a/digikam/CMakeLists.txt
+++ b/digikam/CMakeLists.txt
@@ -240,6 +240,7 @@ TARGET_LINK_LIBRARIES(digikamdatabase
                       ${QT_QTCORE_LIBRARY}
                       ${QT_QTGUI_LIBRARY}
                       ${QT_QTSQL_LIBRARY}
+                      ${sqlite_LIBS}
                      )
 
 SET_TARGET_PROPERTIES(digikamdatabase PROPERTIES VERSION 1.0.0 SOVERSION 1 )
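
Review bot: ${sqlite_LIBS} on the digikamdatabase link line is only defined in the SQLITE_FOUND branch of the top-level CMakeLists.txt and expands to nothing otherwise, which is not obvious from this file; set it to an empty value in the ELSE branch as well, or add a comment here. The lower-case name also differs from the *_LIBRARY variables around it; SQLITE_LIBRARIES could be used directly.
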
Comment 1 caulier.gilles 2010-05-10 12:42:01 UTC
Note, it's SQLite2 code which is hosted in digiKam core, not SQLite3. This last one is used to run digiKam.

SQLite2 is used only to backport old DB files generated with an older digiKam version.

Gilles Caulier
Comment 2 Mark Purcell 2011-08-06 05:47:33 UTC
Gilles,

This issue remains with digikam 2.0.0.

Mark


E: digikam: embedded-library usr/lib/libdigikamdatabase.so.2.0.0: sqlite
N: 
N:    The given ELF object appears to have been statically linked to a
N:    library. Doing this is strongly discouraged due to the extra work needed
N:    by the security team to fix all the extra embedded copies or trigger the
N:    package rebuilds, as appropriate.
N:    
N:    If the package uses a modified version of the given library it is highly
N:    recommended to coordinate with the library's maintainer to include the
N:    changes on the system version of the library.
N:    
N:    Refer to Debian Policy Manual section 4.13 (Convenience copies of code)
N:    for details.
N:    
N:    Severity: serious, Certainty: possible
N:    
N:    Check: binaries, Type: binary, udeb
N:
Comment 3 caulier.gilles 2011-08-06 08:38:31 UTC
Mark,

Francesco Riosa works on a separate branch in git, where we have already discussed dropping the sqlite 2.0 source code from digiKam core.

Gilles Caulier
Comment 4 Francesco Riosa 2011-08-06 22:19:41 UTC
Yep, I've not pushed this further because after removing the sources the difference in lines of code and compile time was very small.

commit 3179bdd7a0e84d66cde45f302793b4a01de05d15
Author: Francesco Riosa <francesco+kde@pnpitalia.it>
Date:   Wed Jun 29 18:49:06 2011 +0200

    Remove support for sqlite2 DigiKam < 0.9

branch sql/2.0

P.S. this is in no way a security threat; to trigger the execution of the sqlite 2.0 code you should be able to modify files with user privileges.
Having those privileges, much more damage is possible than exploiting digikam.
Comment 5 caulier.gilles 2011-12-15 08:29:10 UTC
Francesco,

Removing the sqlite 2.0 source code from digiKam core is a subject to discuss at the Genoa coding sprint...

Gilles Caulier
Comment 6 caulier.gilles 2013-02-23 13:37:07 UTC
Francesco,

Do you manage this entry? sqlite2 must be dropped from digiKam core...

Gilles Caulier
Comment 7 Pino Toscano 2013-02-23 13:40:19 UTC
(In reply to comment #6)
> Do you manage this entry? sqlite2 must be dropped from digiKam core...

See https://git.reviewboard.kde.org/r/109110/ I just opened.
Comment 8 Pino Toscano 2013-02-23 13:52:43 UTC
Git commit 0addce7f2ebdccd76b3291a45e0019ed45069e7e by Pino Toscano.
Committed on 23/02/2013 at 14:20.
Pushed by pino into branch 'master'.

Find an external SQLite v2 for digiKam DB 0.7 conversion

Instead of relying on an internal copy of SQLite v2, search for an external version of it;
if not found, disable the import/conversion of old databases from v0.7, failing directly with an error message.

REVIEW: 109110

M  +17   -38   CMakeLists.txt
A  +62   -0    cmake/modules/FindSqlite2.cmake
M  +8    -8    digikam/CMakeLists.txt
M  +3    -0    digikam/utils/config-digikam.h.cmake
M  +6    -1    libs/database/schemaupdater.cpp

http://commits.kde.org/digikam/0addce7f2ebdccd76b3291a45e0019ed45069e7e
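
The approach described in the commit message above (use an external SQLite v2 when present, otherwise disable the old-database import instead of compiling a bundled copy), as an added CMake example. It is not the project's FindSqlite2.cmake or any digiKam code; the SQLITE2_* variable names, the HAVE_SQLITE2 define, the dbdemo target and the lookup names sqlite.h / sqlite are assumptions.

```cmake
# Added example, not digiKam's build files. SQLITE2_* variable names, the
# HAVE_SQLITE2 define and the dbdemo target are hypothetical.
cmake_minimum_required(VERSION 3.10)
project(sqlite2_optional_demo C)

# Assumption: SQLite v2 is packaged as sqlite.h + libsqlite, while v3 uses
# sqlite3.h + libsqlite3, so a v3-only system does not satisfy this lookup.
find_path(SQLITE2_INCLUDE_DIR NAMES sqlite.h)
find_library(SQLITE2_LIBRARY NAMES sqlite)

if(SQLITE2_INCLUDE_DIR AND SQLITE2_LIBRARY)
    set(HAVE_SQLITE2 1)
    set(SQLITE2_LIBRARIES ${SQLITE2_LIBRARY})
    message(STATUS " SQLite v2 library found ................. YES (optional)")
else()
    # No bundled fallback: the feature is switched off, so no private copy
    # of the library ends up inside the shared object.
    set(HAVE_SQLITE2 0)
    set(SQLITE2_LIBRARIES "")
    message(STATUS " SQLite v2 library found ................. NO (optional - old database import disabled)")
endif()

# Constructed stand-in for the code that converts old databases.
file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/convert.c
"#if HAVE_SQLITE2
#include <sqlite.h>
int can_convert_old_db(void) { return 1; }
#else
int can_convert_old_db(void) { return 0; } /* caller reports an error */
#endif
")

add_library(dbdemo SHARED ${CMAKE_CURRENT_BINARY_DIR}/convert.c)
target_compile_definitions(dbdemo PRIVATE HAVE_SQLITE2=${HAVE_SQLITE2})
if(HAVE_SQLITE2)
    target_include_directories(dbdemo PRIVATE ${SQLITE2_INCLUDE_DIR})
    target_link_libraries(dbdemo PRIVATE ${SQLITE2_LIBRARIES})
endif()
```

Because both branches define HAVE_SQLITE2 and SQLITE2_LIBRARIES, the source and the link line behave the same whether or not the library is installed.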