From patchwork Thu Jul 24 12:40:14 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roland Kovács
X-Patchwork-Id: 67404
X-Patchwork-Delegate: steve@sakoman.com
From: roland.kovacs@est.tech
To: openembedded-core@lists.openembedded.org
CC: Roland Kovacs
Subject: [scarthgap][PATCH] sqlite3: fix CVE-2025-6965
Date: Thu, 24 Jul 2025 14:40:14 +0200
Message-ID: <20250724124013.240210-2-roland.kovacs@est.tech>
X-Mailer: git-send-email 2.50.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220836

From: Roland Kovacs

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.

Signed-off-by: Roland Kovacs
---
 .../sqlite/sqlite3/CVE-2025-6965.patch | 112 ++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.45.3.bb | 1 +
 2 files changed, 113 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch new file mode 100644 index 0000000000..233d8697ec --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch 
@@ -0,0 +1,112 @@ +From a91c0d55011d06858726d4783fd16ed8ec71e793 Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Fri, 27 Jun 2025 19:02:21 +0000 +Subject: [PATCH] Raise an error right away if the number of aggregate terms in + a query exceeds the maximum number of columns. + +FossilOrigin-Name: 5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8 + +CVE: CVE-2025-6965 +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703] +Signed-off-by: Roland Kovacs +--- + sqlite3.c | 30 ++++++++++++++++++++++++++---- + 1 file changed, 26 insertions(+), 4 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 1ee8de4a85..5c7c126076 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -15000,6 +15000,14 @@ typedef INT16_TYPE LogEst; + #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32)) + #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64) + ++/* ++** Macro SMXV(n) return the maximum value that can be held in variable n, ++** assuming n is a signed integer type. UMXV(n) is similar for unsigned ++** integer types. ++*/ ++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1) ++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1) ++ + /* + ** Round up a number to the next larger multiple of 8. This is used + ** to force 8-byte alignment on 64-bit architectures. 
+@@ -18785,7 +18793,7 @@ struct AggInfo { + ** from source tables rather than from accumulators */ + u8 useSortingIdx; /* In direct mode, reference the sorting index rather + ** than the source table */ +- u16 nSortingColumn; /* Number of columns in the sorting index */ ++ u32 nSortingColumn; /* Number of columns in the sorting index */ + int sortingIdx; /* Cursor number of the sorting index */ + int sortingIdxPTab; /* Cursor number of pseudo-table */ + int iFirstReg; /* First register in range for aCol[] and aFunc[] */ +@@ -18794,8 +18802,8 @@ struct AggInfo { + Table *pTab; /* Source table */ + Expr *pCExpr; /* The original expression */ + int iTable; /* Cursor number of the source table */ +- i16 iColumn; /* Column number within the source table */ +- i16 iSorterColumn; /* Column number in the sorting index */ ++ int iColumn; /* Column number within the source table */ ++ int iSorterColumn; /* Column number in the sorting index */ + } *aCol; + int nColumn; /* Number of used entries in aCol[] */ + int nAccumulator; /* Number of columns that show through to the output. 
+@@ -115162,7 +115170,9 @@ static void findOrCreateAggInfoColumn( + ){ + struct AggInfo_col *pCol; + int k; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; + ++ assert( mxTerm <= SMXV(i16) ); + assert( pAggInfo->iFirstReg==0 ); + pCol = pAggInfo->aCol; + for(k=0; knColumn; k++, pCol++){ +@@ -115180,6 +115190,10 @@ static void findOrCreateAggInfoColumn( + assert( pParse->db->mallocFailed ); + return; + } ++ if( k>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ k = mxTerm; ++ } + pCol = &pAggInfo->aCol[k]; + assert( ExprUseYTab(pExpr) ); + pCol->pTab = pExpr->y.pTab; +@@ -115213,6 +115227,7 @@ fix_up_expr: + if( pExpr->op==TK_COLUMN ){ + pExpr->op = TK_AGG_COLUMN; + } ++ assert( k <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)k; + } + +@@ -115297,13 +115312,19 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + ** function that is already in the pAggInfo structure + */ + struct AggInfo_func *pItem = pAggInfo->aFunc; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; ++ assert( mxTerm <= SMXV(i16) ); + for(i=0; inFunc; i++, pItem++){ + if( NEVER(pItem->pFExpr==pExpr) ) break; + if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){ + break; + } + } +- if( i>=pAggInfo->nFunc ){ ++ if( i>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ i = mxTerm; ++ assert( inFunc ); ++ }else if( i>=pAggInfo->nFunc ){ + /* pExpr is original. Make a new entry in pAggInfo->aFunc[] + */ + u8 enc = ENC(pParse->db); +@@ -115357,6 +115378,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + */ + assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) ); + ExprSetVVAProperty(pExpr, EP_NoReduce); ++ assert( i <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)i; + pExpr->pAggInfo = pAggInfo; + return WRC_Prune; diff --git a/meta/recipes-support/sqlite/sqlite3_3.45.3.bb b/meta/recipes-support/sqlite/sqlite3_3.45.3.bb index d39cb3805b..60a8f1449b 100644 
--- a/meta/recipes-support/sqlite/sqlite3_3.45.3.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.45.3.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "http://www.sqlite.org/2024/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2025-3277.patch \ file://CVE-2025-29088.patch \ + file://CVE-2025-6965.patch \ " SRC_URI[sha256sum] = "b2809ca53124c19c60f42bf627736eae011afdcc205bb48270a5ee9a38191531"
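
Review bot: In the header of the new CVE-2025-6965.patch, the "From a91c0d55011d..." line and the commit named in "Upstream-Status: Backport [...c52e9d97...]" are different hashes, and the diff is against the amalgamated sqlite3.c (hunks around line 115162) rather than the upstream source files. Suggest adding a short line to the patch header saying the change was adapted to the amalgamation, so whoever refreshes this patch later knows it will not match the referenced upstream commit line for line.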
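
Review bot: In the sqlite3.c hunk at line 15000, SMXV(n) and UMXV(n) shift an i64 left by sizeof(n)*8-1 and sizeof(n)*8 bits, so they are only well defined for operands narrower than 64 bits, and the new comment does not say so. The visible hunks only apply SMXV to i16 and to pExpr->iAgg, and UMXV is not used at all, so nothing breaks here; the limitation is worth keeping in mind if later backports to this recipe start reusing the macros on wider types.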
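
Review bot: In findOrCreateAggInfoColumn() and analyzeAggregate(), the new bound is "k>mxTerm" and "i>mxTerm", so an index equal to mxTerm is still accepted, and the only statement tying mxTerm to the range of the i16 casts that follow is "assert( mxTerm <= SMXV(i16) )", which does nothing in a build without SQLite debugging enabled. In the builds this recipe ships, the safety of "pExpr->iAgg = (i16)k" and "(i16)i" therefore rests entirely on SQLITE_LIMIT_COLUMN staying within the i16 range. Suggest stating in the commit message how the backport was checked against 3.45.3, for example that a query with more aggregate terms than the column limit now fails with "more than %d aggregate terms".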