sqlite3: upgrade 3.48.0 -> 3.50.4

Message ID 20250903222658.3929743-1-peter.marko@siemens.com
State Under Review

Commit Message

Marko, Peter Sept. 3, 2025, 10:26 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Handle CVE-2025-3277, CVE-2025-29087 and CVE-2025-29088.

This update includes a major change in how it is built.
Instead of autotools, autosetup is used.

Autosetup (https://msteveb.github.io/autosetup/) claims to be
* Replacement for autoconf in many situations
However it also claims NOT to
* Intended to replace all possible uses of autoconf
This means that some autoconf features are not available.

Recipe changes:
* stop inheriting autotools and define B, do_configure and do_install
* depend on zlib unconditionally, autoconf cannot be preconfigured in
  similar way as autotools
* update packageconfig options to match new syntax
* libedit is detected with ncurses linking options (as seen in
  do_configure log)
* backport rpaths fix
* define soname to avoid file-rdeps QA error due to wrong library name
* add hack to rewrite native binaries as native installation will strip
  them unconditionally
* clean B for do_configure as the new Makefiles do not seem to properly
  retrigger build if configuration changes

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-support/sqlite/sqlite3.inc       | 41 ++++++++++---
 ...rpath-configure-script-flag-to-addre.patch | 57 +++++++++++++++++++
 .../{sqlite3_3.48.0.bb => sqlite3_3.50.4.bb}  |  3 +-
 3 files changed, 93 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-support/sqlite/sqlite3/0001-Add-the-disable-rpath-configure-script-flag-to-addre.patch
 rename meta/recipes-support/sqlite/{sqlite3_3.48.0.bb => sqlite3_3.50.4.bb} (53%)

Comments

patchtest@automation.yoctoproject.org Sept. 3, 2025, 10:31 p.m. UTC | #1
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/sqlite3-upgrade-3.48.0---3.50.4.patch

FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format)

PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
Ross Burton Sept. 9, 2025, 11:22 a.m. UTC | #2
On 3 Sep 2025, at 23:26, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> * depend on zlib unconditionally, autoconf cannot be preconfigured in
>  similar way as autotools

We discussed this in the patch review call yesterday, and there’s apprehension about having zlib as an indirect dependency on pseudo: more early build dependencies, more moving pieces.  Would it be possible to add an option to make this configurable?

> * define soname to avoid file-rdeps QA error due to wrong library name

This is a bug upstream, right?

> * add hack to rewrite native binaries as native installation will strip
>  them unconditionally

That’s definitely a bug in either upstream autosetup or sqlite.  Have you looked at autosetup to know if it’s a bug there, or in the use of it by sqlite?

Thanks,
Ross
Ross Burton Sept. 9, 2025, 1:05 p.m. UTC | #3
On 9 Sep 2025, at 12:22, Ross Burton <Ross.Burton@arm.com> wrote:
>> * add hack to rewrite native binaries as native installation will strip
>> them unconditionally
> 
> That’s definitely a bug in either upstream autosetup or sqlite.  Have you looked at autosetup to know if its a bug there, or in the use of it by sqlite?

Actually… are you sure about this?

I just deleted your hack, the do_install log for sqlite3-native shows it using ‘install’ without -s, and the binaries are not stripped in the image/ directory:

$ file libsqlite3.so.3.50.4
libsqlite3.so.3.50.4: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6e8d2ef793a5acf927116f8ffa4b29bcbe3934a2, not stripped

(my builder is arm64, this isn’t a cross-compile)

Ross
Khem Raj Sept. 10, 2025, 6:32 a.m. UTC | #4
I am observing another issue with this upgrade. proj-native fails to
build, it depends on cmake-native and sqlite3-native
see - https://errors.yoctoproject.org/Errors/Details/882201/

proj also fails ( for target ) - see -
https://errors.yoctoproject.org/Errors/Details/882203/

On Tue, Sep 9, 2025 at 6:05 AM Ross Burton via lists.openembedded.org
<ross.burton=arm.com@lists.openembedded.org> wrote:
>
> On 9 Sep 2025, at 12:22, Ross Burton <Ross.Burton@arm.com> wrote:
> >> * add hack to rewrite native binaries as native installation will strip
> >> them unconditionally
> >
> > That’s definitely a bug in either upstream autosetup or sqlite.  Have you looked at autosetup to know if its a bug there, or in the use of it by sqlite?
>
> Actually… are you sure about this?
>
> I just deleted your hack, the do_install log for sqlite3-native shows it using ‘install’ without -s, and the binaries are not stripped in the image/ directory:
>
> $ file libsqlite3.so.3.50.4
> libsqlite3.so.3.50.4: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6e8d2ef793a5acf927116f8ffa4b29bcbe3934a2, not stripped
>
> (my builder is arm64, this isn’t a cross-compile)
>
> Ross
Marko, Peter Sept. 17, 2025, 11:41 a.m. UTC | #5
> -----Original Message-----
> From: Ross Burton <Ross.Burton@arm.com>
> Sent: Tuesday, September 9, 2025 13:23
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] sqlite3: upgrade 3.48.0 -> 3.50.4
> 
> On 3 Sep 2025, at 23:26, Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
> > * depend on zlib unconditionally, autoconf cannot be preconfigured in
> >  similar way as autotools
> 
> We discussed this in the patch review call yesterday, and there’s apprehension
> about having zlib as an indirect dependency on pseudo: more early build
> dependencies, more moving pieces.  Would it be possible to add an option to
> make this configurable?

I can try to send a patch upstream.
But I'm not sure if it will be accepted.
This was not a sqlite feature before either, we were just hacking autotools to drop it.

> 
> > * define soname to avoid file-rdeps QA error due to wrong library name
> 
> This is a bug upstream, right?

I don't think so. Sqlite under autosetup has "none" as default soname.
Not sure why, but this option is marked to exist "for packagers", so our recipe.
At least it was in the first respin (3.49.x), I will check the default in 3.50.x before sending next patch respin.

> 
> > * add hack to rewrite native binaries as native installation will strip
> >  them unconditionally
> 
> That’s definitely a bug in either upstream autosetup or sqlite.  Have you looked at
> autosetup to know if its a bug there, or in the use of it by sqlite?

Answered in the other email.
I'll remove this in next respin.

> 
> Thanks,
> Ross
Marko, Peter Sept. 17, 2025, 11:41 a.m. UTC | #6
You're correct.
This is a leftover from the first respin (upgrade to 3.49.1).
When the MR was idle for some time, 3.50.x does not seem to have the strip anymore.
So I'll remove it from the next respin.

Peter

> -----Original Message-----
> From: Ross Burton <Ross.Burton@arm.com>
> Sent: Tuesday, September 9, 2025 15:05
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] sqlite3: upgrade 3.48.0 -> 3.50.4
> 
> On 9 Sep 2025, at 12:22, Ross Burton <Ross.Burton@arm.com> wrote:
> >> * add hack to rewrite native binaries as native installation will strip
> >> them unconditionally
> >
> > That’s definitely a bug in either upstream autosetup or sqlite.  Have you looked
> at autosetup to know if its a bug there, or in the use of it by sqlite?
> 
> Actually… are you sure about this?
> 
> I just deleted your hack, the do_install log for sqlite3-native shows it using ‘install’
> without -s, and the binaries are not stripped in the image/ directory:
> 
> $ file libsqlite3.so.3.50.4
> libsqlite3.so.3.50.4: ELF 64-bit LSB shared object, ARM aarch64, version 1
> (SYSV), dynamically linked,
> BuildID[sha1]=6e8d2ef793a5acf927116f8ffa4b29bcbe3934a2, not stripped
> 
> (my builder is arm64, this isn’t a cross-compile)
> 
> Ross
Marko, Peter Sept. 17, 2025, 11:41 a.m. UTC | #7
> -----Original Message-----
> From: Khem Raj <raj.khem@gmail.com>
> Sent: Wednesday, September 10, 2025 8:33
> To: ross.burton@arm.com
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] sqlite3: upgrade 3.48.0 -> 3.50.4
> 
> I am observing another issue with this upgrade. proj-native fails to
> build, it depends on cmake-native and sqlite3-native
> see - https://errors.yoctoproject.org/Errors/Details/882201/
> 
> proj also fails ( for target ) - see -
> https://errors.yoctoproject.org/Errors/Details/882203/

I was expecting some failures, so having only one looks good.
I'll check this failure on next respin.

> 
> On Tue, Sep 9, 2025 at 6:05 AM Ross Burton via lists.openembedded.org
> <ross.burton=arm.com@lists.openembedded.org> wrote:
> >
> > On 9 Sep 2025, at 12:22, Ross Burton <Ross.Burton@arm.com> wrote:
> > >> * add hack to rewrite native binaries as native installation will strip
> > >> them unconditionally
> > >
> > > That’s definitely a bug in either upstream autosetup or sqlite.  Have you looked
> at autosetup to know if its a bug there, or in the use of it by sqlite?
> >
> > Actually… are you sure about this?
> >
> > I just deleted your hack, the do_install log for sqlite3-native shows it using
> ‘install’ without -s, and the binaries are not stripped in the image/ directory:
> >
> > $ file libsqlite3.so.3.50.4
> > libsqlite3.so.3.50.4: ELF 64-bit LSB shared object, ARM aarch64, version 1
> (SYSV), dynamically linked,
> BuildID[sha1]=6e8d2ef793a5acf927116f8ffa4b29bcbe3934a2, not stripped
> >
> > (my builder is arm64, this isn’t a cross-compile)
> >
> > Ross

Patch

diff --git a/meta/recipes-support/sqlite/sqlite3.inc b/meta/recipes-support/sqlite/sqlite3.inc
index 28a33282ae1..0415ec0098e 100644
--- a/meta/recipes-support/sqlite/sqlite3.inc
+++ b/meta/recipes-support/sqlite/sqlite3.inc
@@ -14,34 +14,37 @@  def sqlite_download_version(d):
 SQLITE_PV = "${@sqlite_download_version(d)}"
 
 S = "${UNPACKDIR}/sqlite-autoconf-${SQLITE_PV}"
+B = "${WORKDIR}/build"
 
 UPSTREAM_CHECK_URI = "http://www.sqlite.org/"
 UPSTREAM_CHECK_REGEX = "releaselog/(?P<pver>(\d+[\.\-_]*)+)\.html"
 
 CVE_PRODUCT = "sqlite"
 
-inherit autotools pkgconfig siteinfo
+inherit pkgconfig siteinfo
+
+# zlib is autodetected and gets to sysroots as transitive dependency, make this deterministic
+DEPENDS = "zlib"
 
 # enable those which are enabled by default in configure
 PACKAGECONFIG ?= "fts4 fts5 rtree dyn_ext"
 PACKAGECONFIG:class-native ?= "fts4 fts5 rtree dyn_ext"
 
-PACKAGECONFIG[editline] = "--enable-editline,--disable-editline,libedit"
-PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline ncurses"
+PACKAGECONFIG[editline] = "--enable-editline --with-readline-header=${includedir}/editline/readline.h,--disable-editline,libedit ncurses"
+PACKAGECONFIG[readline] = "--enable-readline --with-readline-header=${includedir}/readline/readline.h,--disable-readline,readline ncurses"
 PACKAGECONFIG[fts3] = "--enable-fts3,--disable-fts3"
 PACKAGECONFIG[fts4] = "--enable-fts4,--disable-fts4"
 PACKAGECONFIG[fts5] = "--enable-fts5,--disable-fts5"
 PACKAGECONFIG[rtree] = "--enable-rtree,--disable-rtree"
 PACKAGECONFIG[session] = "--enable-session,--disable-session"
-PACKAGECONFIG[dyn_ext] = "--enable-dynamic-extensions,--disable-dynamic-extensions"
-PACKAGECONFIG[zlib] = ",,zlib"
-
-CACHED_CONFIGUREVARS += "${@bb.utils.contains('PACKAGECONFIG', 'zlib', '', 'ac_cv_search_deflate=no',d)}"
+PACKAGECONFIG[dyn_ext] = "--enable-load-extension,--disable-load-extension"
 
 EXTRA_OECONF = " \
     --enable-shared \
     --enable-threadsafe \
     --disable-static-shell \
+    --disable-rpath \
+    --soname=legacy \
 "
 
 # pread() is in POSIX.1-2001 so any reasonable system must surely support it
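Review bot: in the PACKAGECONFIG[editline] and PACKAGECONFIG[readline] lines, --with-readline-header is given a path under ${includedir}, which is the target's install path and not a location inside the recipe sysroot, so configure is pointed at the build host's headers or at a file that does not exist. Use ${STAGING_INCDIR}/editline/readline.h and ${STAGING_INCDIR}/readline/readline.h instead. Separately, DEPENDS = "zlib" is a plain assignment where DEPENDS += "zlib" would be safer in an .inc, and because PACKAGECONFIG[zlib] and the ac_cv_search_deflate=no override are removed without a replacement, the comment above it should state that zlib can no longer be switched off.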
@@ -65,4 +68,28 @@  FILES:lib${BPN}-staticdev = "${libdir}/lib*.a"
 
 AUTO_LIBNAME_PKGS = "${MLPREFIX}lib${BPN}"
 
+do_configure() {
+    ${S}/configure \
+        --build=${BUILD_SYS} \
+        --host=${TARGET_SYS} \
+        --prefix=${prefix} \
+        --bindir=${bindir} \
+        --libdir=${libdir} \
+        --includedir=${includedir} \
+        --mandir=${mandir} \
+        ${EXTRA_OECONF} \
+        ${PACKAGECONFIG_CONFARGS}
+}
+do_configure[cleandirs] = "${B}"
+
+do_install() {
+    oe_runmake DESTDIR=${D} install
+
+    # binaries are stripped during installation when not cross-compiling, take the unstripped ones instead
+    if [ "${BUILD_SYS}" = "${TARGET_SYS}" ]; then
+        install -m 0644 ${B}/sqlite3 ${D}${bindir}
+        install -m 0644 ${B}/libsqlite3.so ${D}${libdir}/libsqlite3.so.${PV}
+    fi
+}
+
 BBCLASSEXTEND = "native nativesdk"
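Review bot: in do_install, the BUILD_SYS = TARGET_SYS branch copies ${B}/sqlite3 into ${D}${bindir} with -m 0644, which leaves the sqlite3 shell without execute permission; the library is likewise written with 0644 under a hard-coded libsqlite3.so.${PV} name. If the branch stays, install the binary with 0755 and name in the comment which install step does the stripping. The do_install log quoted in the thread for 3.50.4 shows install running without -s and an unstripped library, so dropping the branch entirely is the simpler fix.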
diff --git a/meta/recipes-support/sqlite/sqlite3/0001-Add-the-disable-rpath-configure-script-flag-to-addre.patch b/meta/recipes-support/sqlite/sqlite3/0001-Add-the-disable-rpath-configure-script-flag-to-addre.patch
new file mode 100644
index 00000000000..f1e93a1c9a7
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/0001-Add-the-disable-rpath-configure-script-flag-to-addre.patch
@@ -0,0 +1,57 @@ 
+From 87c807c6dd4df67328919fa28e89a06839e634fe Mon Sep 17 00:00:00 2001
+From: stephan <stephan@noemail.net>
+Date: Sun, 22 Jun 2025 22:48:11 +0000
+Subject: [PATCH] Add the --disable-rpath configure script flag to address
+ [forum:13cac3b56516f849 | forum post 13cac3b56516f849].
+
+FossilOrigin-Name: a59d9bb25e518f5d79f654615b92f6c50cfb704b5abee0f820912644b89366c5
+
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/87c807c6dd4df67328919fa28e89a06839e634fe]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ autosetup/sqlite-config.tcl | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/autosetup/sqlite-config.tcl b/autosetup/sqlite-config.tcl
+index bb81123204..4dd065095e 100644
+--- a/autosetup/sqlite-config.tcl
++++ b/autosetup/sqlite-config.tcl
+@@ -334,8 +334,8 @@ proc sqlite-configure {buildMode configScript} {
+           => {Link the sqlite3 shell app against the DLL instead of embedding sqlite3.c}
+       }
+       {canonical autoconf} {
+-        # A potential TODO without a current use case:
+-        #rpath=1 => {Disable use of the rpath linker flag}
++        rpath=1 => {Disable use of the rpath linker flag}
++
+         # soname: https://sqlite.org/src/forumpost/5a3b44f510df8ded
+         soname:=legacy
+           => {SONAME for libsqlite3.so. "none", or not using this flag, sets no
+@@ -2119,7 +2119,6 @@ proc sqlite-handle-tcl {} {
+ ########################################################################
+ # Handle the --enable/disable-rpath flag.
+ proc sqlite-handle-rpath {} {
+-  proj-check-rpath
+   # autosetup/cc-shared.tcl sets the rpath flag definition in
+   # [get-define SH_LINKRPATH], but it does so on a per-platform basis
+   # rather than as a compiler check. Though we should do a proper
+@@ -2128,12 +2127,13 @@ proc sqlite-handle-rpath {} {
+   # for which sqlite-env-is-unix-on-windows returns a non-empty
+   # string.
+ 
+-#  if {[proj-opt-truthy rpath]} {
+-#    proj-check-rpath
+-#  } else {
+-#    msg-result "Disabling use of rpath."
+-#    define LDFLAGS_RPATH ""
+-#  }
++  # https://sqlite.org/forum/forumpost/13cac3b56516f849
++  if {[proj-opt-truthy rpath]} {
++    proj-check-rpath
++  } else {
++    msg-result "Disabling use of rpath."
++    define LDFLAGS_RPATH ""
++  }
+ }
+ 
+ ########################################################################
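Review bot: the header of this added patch file carries Upstream-Status and Signed-off-by but no CVE tag, which is what the patchtest test_cve_tag_format failure points at. Since the subject describes an rpath configure flag and not a security fix, state in the reply to patchtest or in the commit message that the three CVEs are handled by the version bump and that this backport is unrelated to them. Also note that the nested hunk declares the option as rpath=1, so rpath stays enabled by default and the fix only takes effect because EXTRA_OECONF passes --disable-rpath; a short comment beside that flag in sqlite3.inc would keep it from being dropped later.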
diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.50.4.bb
similarity index 53%
rename from meta/recipes-support/sqlite/sqlite3_3.48.0.bb
rename to meta/recipes-support/sqlite/sqlite3_3.50.4.bb
index bd2ac6614d8..4d0a807e204 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.50.4.bb
@@ -4,5 +4,6 @@  LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
 SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz"
-SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"
+SRC_URI[sha256sum] = "a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18"
 
+SRC_URI += "file://0001-Add-the-disable-rpath-configure-script-flag-to-addre.patch"
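Review bot: the SRC_URI context line fetches the tarball over plain http://, so the replaced SRC_URI[sha256sum] value is the only integrity check on the new source; confirm it against a download obtained over https and consider switching the URI scheme in the same change. As a style point, the backported patch is appended with a separate SRC_URI += after the checksum line; listing it inside the main SRC_URI assignment keeps the fetch list in one place.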