sqlite3: upgrade 3.48.0 -> 3.49.1

Message ID 20250506163705.4099385-1-peter.marko@siemens.com
State New
Series sqlite3: upgrade 3.48.0 -> 3.49.1

Commit Message

Marko, Peter May 6, 2025, 4:37 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Handle CVE-2025-3277, CVE-2025-29087 and CVE-2025-29088.

This update includes a major change in how it is built.
Instead of autotools, autosetup is used.

Autosetup (https://msteveb.github.io/autosetup/) claims to be
* Replacement for autoconf in many situations
However it also claims NOT to
* Intended to replace all possible uses of autoconf
This means that some autoconf features are not available.

Recipe changes:
* stop inheriting autotools and define B, do_configure and do_install
* depend on zlib unconditionally, autoconf cannot be preconfigured in
  similar way as autotools
* update packageconfig options to match new syntax
* libedit is detected with ncurses linking options (as seen in
  do_configure log)
* backport rpaths fix
* define soname to avoid file-rdeps QA error due to wrong library name
* clean B for do_configure as the new Makefiles do not seem to properly
  retrigger build if configuration changes
* use unstripped binaries for native (non-cross-compile) case

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-support/sqlite/sqlite3.inc       |  41 +++++--
 ...tically-fail-the-check-for-rpath-on-.patch | 102 ++++++++++++++++++
 .../{sqlite3_3.48.0.bb => sqlite3_3.49.1.bb}  |   3 +-
 3 files changed, 138 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-support/sqlite/sqlite3/0001-configure-automatically-fail-the-check-for-rpath-on-.patch
 rename meta/recipes-support/sqlite/{sqlite3_3.48.0.bb => sqlite3_3.49.1.bb} (53%)

Comments

Mathieu Dubois-Briand May 7, 2025, 7:45 a.m. UTC | #1
On Tue May 6, 2025 at 6:37 PM CEST, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Handle CVE-2025-3277, CVE-2025-29087 and CVE-2025-29088.
>
> This update includes a major change in how it is built.
> Instead of autotools, autosetup is used.
>
> Autosetup (https://msteveb.github.io/autosetup/) claims to be
> * Replacement for autoconf in many situations
> However it also claims NOT to
> * Intended to replace all possible uses of autoconf
> This means that some autoconf features are not available.
>
> Recipe changes:
> * stop inheriting autotools and define B, do_configure and do_install
> * depend on zlib unconditionally, autoconf cannot be preconfigured in
>   similar way as autotools
> * update packageconfig options to match new syntax
> * libedit is detected with ncurses linking options (as seen in
>   do_configure log)
> * backport rpaths fix
> * define soname to avoid file-rdeps QA error due to wrong library name
> * clean B for do_configure as the new Makefiles do not seem to properly
>   retrigger build if configuration changes
> * use unstripped binaries for native (non-cross-compile) case
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---

Hi Peter,

Thanks for your patch.

It looks like we can see some build errors on the autobuilder:

ERROR: sqlite3-3_3.49.1-r0 do_install: oe_runmake failed
ERROR: sqlite3-3_3.49.1-r0 do_install: Execution of '/srv/pokybuild/yocto-worker/genericarm64-alt/build/build/tmp/work/armv8a-poky-linux/sqlite3/3.49.1/temp/run.do_install.2425589' failed with exit code 1
...
| strip: Unable to recognise the format of the input file `/srv/pokybuild/yocto-worker/genericarm64-alt/build/build/tmp/work/armv8a-poky-linux/sqlite3/3.49.1/image/usr/bin/sqlite3'
| /srv/pokybuild/yocto-worker/genericarm64-alt/build/build/tmp/hosttools/install: strip process terminated abnormally

https://autobuilder.yoctoproject.org/valkyrie/#/builders/22/builds/1553

Can you have a look at this failure please?

Marko, Peter May 7, 2025, 8:18 a.m. UTC | #2
> -----Original Message-----
> From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Sent: Wednesday, May 7, 2025 9:46
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] sqlite3: upgrade 3.48.0 -> 3.49.1
> 
> On Tue May 6, 2025 at 6:37 PM CEST, Peter Marko via lists.openembedded.org
> wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Handle CVE-2025-3277, CVE-2025-29087 and CVE-2025-29088.
> >
> > This update includes a major change in how it is built.
> > Instead of autotools, autosetup is used.
> >
> > Autosetup (https://msteveb.github.io/autosetup/) claims to be
> > * Replacement for autoconf in many situations
> > However it also claims NOT to
> > * Intended to replace all possible uses of autoconf
> > This means that some autoconf features are not available.
> >
> > Recipe changes:
> > * stop inheriting autotools and define B, do_configure and do_install
> > * depend on zlib unconditionally, autoconf cannot be preconfigured in
> >   similar way as autotools
> > * update packageconfig options to match new syntax
> > * libedit is detected with ncurses linking options (as seen in
> >   do_configure log)
> > * backport rpaths fix
> > * define soname to avoid file-rdeps QA error due to wrong library name
> > * clean B for do_configure as the new Makefiles do not seem to properly
> >   retrigger build if configuration changes
> > * use unstripped binaries for native (non-cross-compile) case
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> 
> Hi Peter,
> 
> Thanks for your patch.
> 
> It looks like we can see some build errors on the autobuilder:
> 
> ERROR: sqlite3-3_3.49.1-r0 do_install: oe_runmake failed
> ERROR: sqlite3-3_3.49.1-r0 do_install: Execution of '/srv/pokybuild/yocto-
> worker/genericarm64-alt/build/build/tmp/work/armv8a-poky-
> linux/sqlite3/3.49.1/temp/run.do_install.2425589' failed with exit code 1
> ...
> | strip: Unable to recognise the format of the input file `/srv/pokybuild/yocto-
> worker/genericarm64-alt/build/build/tmp/work/armv8a-poky-
> linux/sqlite3/3.49.1/image/usr/bin/sqlite3'
> | /srv/pokybuild/yocto-worker/genericarm64-alt/build/build/tmp/hosttools/install:
> strip process terminated abnormally
> 
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/22/builds/1553
> 
> Can you have a look at this failure please?

I was afraid of this kind of failure, but I wanted to have nice code.
I have sent a v2 with a little tweak.
If that will not work for all platforms, I'll have to do some ugly hacks...

Peter

> 
> --
> Mathieu Dubois-Briand, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Patch

diff --git a/meta/recipes-support/sqlite/sqlite3.inc b/meta/recipes-support/sqlite/sqlite3.inc
index d093ec5859..e4bd1bfbec 100644
--- a/meta/recipes-support/sqlite/sqlite3.inc
+++ b/meta/recipes-support/sqlite/sqlite3.inc
@@ -14,34 +14,37 @@  def sqlite_download_version(d):
 SQLITE_PV = "${@sqlite_download_version(d)}"
 
 S = "${WORKDIR}/sqlite-autoconf-${SQLITE_PV}"
+B = "${WORKDIR}/build"
 
 UPSTREAM_CHECK_URI = "http://www.sqlite.org/"
 UPSTREAM_CHECK_REGEX = "releaselog/(?P<pver>(\d+[\.\-_]*)+)\.html"
 
 CVE_PRODUCT = "sqlite"
 
-inherit autotools pkgconfig siteinfo
+inherit pkgconfig siteinfo
+
+# zlib is autodetected and gets to sysroots as transitive dependency, make this deterministic
+DEPENDS = "zlib"
 
 # enable those which are enabled by default in configure
 PACKAGECONFIG ?= "fts4 fts5 rtree dyn_ext"
 PACKAGECONFIG:class-native ?= "fts4 fts5 rtree dyn_ext"
 
-PACKAGECONFIG[editline] = "--enable-editline,--disable-editline,libedit"
-PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline ncurses"
+PACKAGECONFIG[editline] = "--enable-editline --with-readline-header=${includedir}/editline/readline.h,--disable-editline,libedit ncurses"
+PACKAGECONFIG[readline] = "--enable-readline --with-readline-header=${includedir}/readline/readline.h,--disable-readline,readline ncurses"
 PACKAGECONFIG[fts3] = "--enable-fts3,--disable-fts3"
 PACKAGECONFIG[fts4] = "--enable-fts4,--disable-fts4"
 PACKAGECONFIG[fts5] = "--enable-fts5,--disable-fts5"
 PACKAGECONFIG[rtree] = "--enable-rtree,--disable-rtree"
 PACKAGECONFIG[session] = "--enable-session,--disable-session"
-PACKAGECONFIG[dyn_ext] = "--enable-dynamic-extensions,--disable-dynamic-extensions"
-PACKAGECONFIG[zlib] = ",,zlib"
-
-CACHED_CONFIGUREVARS += "${@bb.utils.contains('PACKAGECONFIG', 'zlib', '', 'ac_cv_search_deflate=no',d)}"
+PACKAGECONFIG[dyn_ext] = "--enable-load-extension,--disable-load-extension"
 
 EXTRA_OECONF = " \
     --enable-shared \
     --enable-threadsafe \
     --disable-static-shell \
+    --disable-rpath \
+    --soname=${PV} \
 "
 
 # pread() is in POSIX.1-2001 so any reasonable system must surely support it
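Review bot: `--soname=${PV}` in EXTRA_OECONF ties the shared library's soname to the full recipe version, so every sqlite3 upgrade changes the name that dependants are linked against. The commit message gives the file-rdeps QA error as the reason; that reasoning, and why `${PV}` was chosen over a stable value such as the `legacy` option listed in the backported option table, belongs in a comment next to the flag. Separately, `PACKAGECONFIG[dyn_ext]` now maps to `--enable-load-extension`, and `dyn_ext` is in the default PACKAGECONFIG for both target and native, so extension loading stays configured in by default. A one-line comment noting the renamed flag would help anyone who wants to switch it off for a hardened image.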
@@ -65,4 +68,28 @@  FILES:lib${BPN}-staticdev = "${libdir}/lib*.a"
 
 AUTO_LIBNAME_PKGS = "${MLPREFIX}lib${BPN}"
 
+do_configure() {
+    ${S}/configure \
+        --build=${HOST_SYS} \
+        --host=${TARGET_SYS} \
+        --prefix=${prefix} \
+        --bindir=${bindir} \
+        --libdir=${libdir} \
+        --includedir=${includedir} \
+        --mandir=${mandir} \
+        ${EXTRA_OECONF} \
+        ${PACKAGECONFIG_CONFARGS}
+}
+do_configure[cleandirs] = "${B}"
+
+do_install() {
+    oe_runmake DESTDIR=${D} install
+
+    # binaries are stripped during installation when not cross-compiling, take the unstripped ones instead
+    if [ "${HOST_SYS}" = "${TARGET_SYS}" ]; then
+        install -m 0644 ${B}/sqlite3 ${D}${bindir}
+        install -m 0644 ${B}/libsqlite3.so ${D}${libdir}/libsqlite3.so.${PV}
+    fi
+}
+
 BBCLASSEXTEND = "native nativesdk"
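Review bot: do_configure passes `--build=${HOST_SYS} --host=${TARGET_SYS}`, and for a target recipe those two variables hold the same value, so configure sees a native build. That matches the autobuilder log in this thread, where the host `strip` is run on the arm64 `sqlite3` during `make install`. The build machine is `BUILD_SYS`, so this should read `--build=${BUILD_SYS} --host=${HOST_SYS}`, and the test in do_install should compare `BUILD_SYS` with `HOST_SYS` for the same reason. Also in do_install, `install -m 0644 ${B}/sqlite3 ${D}${bindir}` replaces the shell binary with a copy that has no execute bit; 0755 is needed there.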
diff --git a/meta/recipes-support/sqlite/sqlite3/0001-configure-automatically-fail-the-check-for-rpath-on-.patch b/meta/recipes-support/sqlite/sqlite3/0001-configure-automatically-fail-the-check-for-rpath-on-.patch
new file mode 100644
index 0000000000..0eaa06d908
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/0001-configure-automatically-fail-the-check-for-rpath-on-.patch
@@ -0,0 +1,102 @@ 
+From f9f6410c31de9f6b377c7d8cd6d56548d3f20551 Mon Sep 17 00:00:00 2001
+From: stephan <stephan@noemail.net>
+Date: Thu, 20 Feb 2025 17:15:37 +0000
+Subject: [PATCH] configure: automatically fail the check for rpath on AIX
+ systems and provide a --disable-rpath flag as a fallback for use on platforms
+ which pass the configure-time rpath check but then fail at link-time. Based
+ on discussion in [forum:ae5bd8a84b|forum thread ae5bd8a84b].
+
+FossilOrigin-Name: b6603986e621918525312130996c298135ad27af293df9bb9f99e1fc87844379
+
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f9f6410c31de9f6b377c7d8cd6d56548d3f20551]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ auto.def                    |  2 +-
+ autosetup/proj.tcl          | 18 ++++++++++++++----
+ autosetup/sqlite-config.tcl | 14 ++++++++++++++
+ 3 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/auto.def b/auto.def
+index 9df87f579a..84dfa824c2 100644
+--- a/auto.def
++++ b/auto.def
+@@ -11,7 +11,7 @@ use sqlite-config
+ sqlite-config-bootstrap autoconf
+ sqlite-check-common-bins
+ sqlite-check-common-system-deps
+-proj-check-rpath
++sqlite-handle-rpath
+ sqlite-handle-soname
+ sqlite-setup-default-cflags
+ sqlite-handle-debug
+diff --git a/autosetup/proj.tcl b/autosetup/proj.tcl
+index 6a1960f603..6b49dcdae0 100644
+--- a/autosetup/proj.tcl
++++ b/autosetup/proj.tcl
+@@ -921,9 +921,20 @@ proc proj-check-emsdk {} {
+ #
+ # Achtung: we have seen platforms which report that a given option
+ # checked here will work but then fails at build-time, and the current
+-# order of checks reflects that.
++# order of checks reflects that. Similarly, platforms which are known
++# to report success here but fail to handle this flag at link-time are
++# special-cased here to behave as if the check failed.
+ proc proj-check-rpath {} {
+-  set rc 1
++  switch -glob -- [get-define host] {
++    *-*-aix* {
++      # Skip this check on platform(s) where we know it to pass at
++      # this step but fail at build-time, as a workaround for
++      # https://sqlite.org/forum/forumpost/ae5bd8a84b until we can
++      # find a more reliable approach.
++      define LDFLAGS_RPATH ""
++      return 0
++    }
++  }
+   if {[proj-opt-was-provided libdir]
+       || [proj-opt-was-provided exec-prefix]} {
+     set lp "[get-define libdir]"
+@@ -945,10 +956,9 @@ proc proj-check-rpath {} {
+       define LDFLAGS_RPATH "-Wl,-R$lp"
+     } else {
+       define LDFLAGS_RPATH ""
+-      set rc 0
+     }
+   }
+-  return $rc
++  expr {"" ne [get-define LDFLAGS_RPATH]}
+ }
+ 
+ ########################################################################
+diff --git a/autosetup/sqlite-config.tcl b/autosetup/sqlite-config.tcl
+index 7d9a9ea84b..be2522fb12 100644
+--- a/autosetup/sqlite-config.tcl
++++ b/autosetup/sqlite-config.tcl
+@@ -244,6 +244,9 @@ proc sqlite-config-bootstrap {buildMode} {
+         static-shell=1       => {Link the sqlite3 shell app against the DLL instead of embedding sqlite3.c}
+       }
+       {*} {
++        # rpath: https://sqlite.org/forum/forumpost/fa3a6ed858
++        rpath=1
++          => {Disable checking for rpath support}
+         # soname: https://sqlite.org/src/forumpost/5a3b44f510df8ded
+         soname:=legacy
+           => {SONAME for libsqlite3.so. "none", or not using this flag, sets no
+@@ -644,6 +647,17 @@ proc sqlite-handle-debug {} {
+   }
+ }
+ 
++########################################################################
++# If the --disable-rpath flag is used, this [define]s LDFLAGS_RPATH to
++# an empty string, else it invokes [proj-check-rpath].
++proc sqlite-handle-rpath {} {
++  proj-if-opt-truthy rpath {
++    proj-check-rpath
++  } {
++    define LDFLAGS_RPATH ""
++  }
++}
++
+ ########################################################################
+ # "soname" for libsqlite3.so. See discussion at:
+ # https://sqlite.org/src/forumpost/5a3b44f510df8ded
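Review bot: the header of this new patch file carries `Upstream-Status: Backport` with the commit URL but does not say which upstream release first contains the change, so it is not clear at which recipe upgrade the file can be dropped; a line in the header naming that release would cover it. Within the backport, the comment above `rpath=1` cites forumpost/fa3a6ed858 while the commit subject and the AIX comment cite ae5bd8a84b. That mismatch comes from upstream and should stay untouched in a backport, but it is worth knowing when following the links. Since sqlite3.inc passes `--disable-rpath` unconditionally, only the `sqlite-handle-rpath` else branch is exercised in OE builds.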
diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.49.1.bb
similarity index 53%
rename from meta/recipes-support/sqlite/sqlite3_3.48.0.bb
rename to meta/recipes-support/sqlite/sqlite3_3.49.1.bb
index bd2ac6614d..c3c0670884 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.49.1.bb
@@ -4,5 +4,6 @@  LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
 SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz"
-SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"
+SRC_URI[sha256sum] = "106642d8ccb36c5f7323b64e4152e9b719f7c0215acf5bfeac3d5e7f97b59254"
 
+SRC_URI += "file://0001-configure-automatically-fail-the-check-for-rpath-on-.patch"
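Review bot: the tarball in `SRC_URI` is still fetched over plain `http://www.sqlite.org/`, so the new `SRC_URI[sha256sum]` value is the only thing that authenticates the 3.49.1 source. Please state in the commit message how that hash was verified, and consider switching the URL to https. The added `SRC_URI += "file://..."` line could also be folded into the main `SRC_URI` assignment so that the checksum line stays directly under the URL it belongs to.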