237037 – SQLITE : convience copy in digiKam core [patch]

Bug 237037 - SQLITE : convience copy in digiKam core [patch]

Summary: SQLITE : convience copy in digiKam core [patch]

Status:	RESOLVED FIXED

Alias:	None

Product:	digikam
Classification:	Applications
Component:	Database-Sqlite (show other bugs)
Version:	1.2.0
Platform:	unspecified Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Digikam Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-05-09 23:54 UTC by Mark Purcell
Modified:	2017-07-25 10:51 UTC (History)
CC List:	4 users (show)

See Also:
Latest Commit:	http://commits.kde.org/digikam/0addce7f2ebdccd76b3291a45e0019ed45069e7e
Version Fixed In:	3.1.0
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Purcell 2010-05-09 23:54:13 UTC

Version:           1.2.0 (using 4.4.3 (KDE 4.4.3), Debian packages)
Compiler:          cc
OS:                Linux (x86_64) release 2.6.32-5-amd64

With Cmake, digikam no longer checks for a system version of sqlite (original
report http://bugs.kde.org/show_bug.cgi?id=160966#c65)

It would be good for digikam during build to check and see if there is a system 
installed sqlite library of the correct version and build/ link against that, 
rather than the internal copy of that lib.

By doing this system resources are saved by linking to shared libs and security
issues/ bugs in libs only need to be fixed in one location rather than all the
applications which may or may not embed copies.

Find attached half the patch to check for an installed sqlite, the patch fails during linking with libdigikamdatabase.

Mark

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -187,6 +187,11 @@ MACRO_BOOL_TO_01(GLIB2_FOUND HAVE_GLIB2)
 MACRO_OPTIONAL_FIND_PACKAGE(Lqr-1)
 MACRO_BOOL_TO_01(LQR-1_FOUND USE_EXT_LIBLQR-1)
 
+MACRO_OPTIONAL_FIND_PACKAGE(Sqlite)
+MACRO_BOOL_TO_01(SQLITE_FOUND USE_EXT_SQLITE)
+PKG_CHECK_MODULES(Sqlite sqlite3>=3.5.9)
+
+
 MACRO_BOOL_TO_01(ENABLE_THUMBS_DB USE_THUMBS_DB)
 
 IF (${KDE_VERSION} VERSION_GREATER "4.2.70")
@@ -301,6 +306,12 @@ ELSE(GLIB2_FOUND)
     MESSAGE(STATUS "")
 ENDIF(GLIB2_FOUND)
 
+IF(SQLITE_FOUND)
+    MESSAGE(STATUS " libsqlite library found ................. YES (optional)")
+ELSE(SQLITE_FOUND)
+    MESSAGE(STATUS " libsqlite library found ................. NO (optional - internal version used instead)")
+    ENDIF(SQLITE_FOUND)
+
 IF(DOXYGEN_FOUND)
     MESSAGE(STATUS " Doxygen found............................ YES (optional)")
 ELSE(DOXYGEN_FOUND)
@@ -961,40 +972,55 @@ IF(DIGIKAM_CAN_BE_COMPILED)
         ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/libpgf/WaveletTransform.cpp
        )
 
-    SET(libsqlite2_SRCS
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/attach.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/auth.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree_rb.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/build.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/copy.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/date.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/delete.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/encode.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/expr.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/func.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/hash.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/insert.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/main.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/opcodes.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/os.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pager.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/parse.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pragma.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/printf.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/random.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/select.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/shell.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/table.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/tokenize.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/trigger.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/update.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/util.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vacuum.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbe.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbeaux.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/where.c
-       )
+    # =================================================================================================
+    # Sqlite library rules
+
+    IF(SQLITE_FOUND)
+
+            INCLUDE_DIRECTORIES(${SQLITE_INCLUDE_DIRS})
+            SET(sqlite_LIBS ${SQLITE_LIBRARIES})
+
+    ELSE(SQLITE_FOUND)
+
+            INCLUDE_DIRECTORIES(${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty)
+            INCLUDE_DIRECTORIES(${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2)
+
+            SET(libsqlite2_SRCS
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/attach.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/auth.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/btree_rb.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/build.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/copy.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/date.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/delete.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/encode.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/expr.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/func.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/hash.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/insert.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/main.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/opcodes.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/os.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pager.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/parse.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/pragma.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/printf.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/random.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/select.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/shell.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/table.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/tokenize.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/trigger.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/update.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/util.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vacuum.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbe.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/vdbeaux.c
+                ${CMAKE_CURRENT_SOURCE_DIR}/libs/3rdparty/sqlite2/where.c
+            )
+
+    ENDIF(SQLITE_FOUND)
 
     SET(libhaar_SRCS
         ${CMAKE_CURRENT_SOURCE_DIR}/libs/database/haar/haar.cpp
--- a/digikam/CMakeLists.txt
+++ b/digikam/CMakeLists.txt
@@ -240,6 +240,7 @@ TARGET_LINK_LIBRARIES(digikamdatabase
                       ${QT_QTCORE_LIBRARY}
                       ${QT_QTGUI_LIBRARY}
                       ${QT_QTSQL_LIBRARY}
+                      ${sqlite_LIBS}
                      )
 
 SET_TARGET_PROPERTIES(digikamdatabase PROPERTIES VERSION 1.0.0 SOVERSION 1 )

Comment 1 caulier.gilles 2010-05-10 12:42:01 UTC

Note, it's SQlite2 code which is hosted in digiKam core, not SQlite3. This last one is used to run digiKam.

SQlite2 is used only to backport old DB files generated with older digiKam version.

Gilles Caulier

Comment 2 Mark Purcell 2011-08-06 05:47:33 UTC

Gilles,

This issue remains with digikam 2.0.0.

Mark


E: digikam: embedded-library usr/lib/libdigikamdatabase.so.2.0.0: sqlite
N: 
N:    The given ELF object appears to have been statically linked to a
N:    library. Doing this is strongly discouraged due to the extra work needed
N:    by the security team to fix all the extra embedded copies or trigger the
N:    package rebuilds, as appropriate.
N:    
N:    If the package uses a modified version of the given library it is highly
N:    recommended to coordinate with the library's maintainer to include the
N:    changes on the system version of the library.
N:    
N:    Refer to Debian Policy Manual section 4.13 (Convenience copies of code)
N:    for details.
N:    
N:    Severity: serious, Certainty: possible
N:    
N:    Check: binaries, Type: binary, udeb
N:

Comment 3 caulier.gilles 2011-08-06 08:38:31 UTC

Mark,

Francesco Riosa work on a separated branch from git where we have already discuted to drop sqlite 2.0 source code from digiKam core.

Gilles Caulier

Comment 4 Francesco Riosa 2011-08-06 22:19:41 UTC

yep, I've not pushed this furter because after removing the sources the difference in lines of code and compile time was very small.

commit 3179bdd7a0e84d66cde45f302793b4a01de05d15
Author: Francesco Riosa <francesco+kde@pnpitalia.it>
Date:   Wed Jun 29 18:49:06 2011 +0200

    Remove support for sqlite2 DigiKam < 0.9

branch sql/2.0

P.S. this is in no way a security threath, to trigger the execution of the sqlite 2.0 code you should be able to modify files with user privileges.
Having that privileges much more damage is possible than exploiting digikam

Comment 5 caulier.gilles 2011-12-15 08:29:10 UTC

Francesco,

This removing sqlite 2.0 source code from digiKam core is a subject to discut at genoa coding sprint...

Gilles Caulier

Comment 6 caulier.gilles 2013-02-23 13:37:07 UTC

Francesco,

Do you manage this entry ? sqlite2 must be dropped from digiKam core...

Gilles Caulier

Comment 7 Pino Toscano 2013-02-23 13:40:19 UTC

(In reply to comment #6)
> Do you manage this entry ? sqlite2 must be dropped from digiKam core...

See https://git.reviewboard.kde.org/r/109110/ I just opened.

Comment 8 Pino Toscano 2013-02-23 13:52:43 UTC

Git commit 0addce7f2ebdccd76b3291a45e0019ed45069e7e by Pino Toscano.
Committed on 23/02/2013 at 14:20.
Pushed by pino into branch 'master'.

Find and external SQLite v2 for digiKam DB 0.7 conversion

Instead of rely on an internal copy of SQLite v2, search for an external version of it;
if not found, disable the import/conversion of old databases from v0.7, failing directly with an error message.

REVIEW: 109110

M  +17   -38   CMakeLists.txt
A  +62   -0    cmake/modules/FindSqlite2.cmake
M  +8    -8    digikam/CMakeLists.txt
M  +3    -0    digikam/utils/config-digikam.h.cmake
M  +6    -1    libs/database/schemaupdater.cpp

http://commits.kde.org/digikam/0addce7f2ebdccd76b3291a45e0019ed45069e7e