| Message ID | 20250804164100.9355-1-peter.marko@siemens.com |
|---|---|
| State | Superseded |
| Delegated to | Steve Sakoman |
| Series | [walnascar] sqlite3: patch CVE-2025-6965 |
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Peter Marko via lists.openembedded.org
> Sent: 4 August 2025 18:41
> To: openembedded-core@lists.openembedded.org
> Cc: Peter Marko <peter.marko@siemens.com>
> Subject: [OE-core][walnascar][PATCH] sqlite3: patch CVE-2025-6965
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick patch [1] mentioned in NVD report [2] from github mirror [3].
>
> [1] https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-6965
> [3] https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../sqlite/sqlite3/CVE-2025-6965.patch        | 112 ++++++++++++++++++
>  meta/recipes-support/sqlite/sqlite3_3.48.0.bb |   1 +
>  2 files changed, 113 insertions(+)
>  create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch
>
> [cut]
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> index 11f103dddc..6c9f1ed5d9 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
>  SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \
>             file://CVE-2025-3277.patch \
>             file://CVE-2025-29088.patch \
> +           file://CVE-2025-6965.patch \
>             "
>  SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"

Why aren't these three patches on master? It still uses the same version of sqlite3 as Walnascar so they should be needed on master as well.

//Peter
In my opinion master should go to 3.50.4, there are other commits that look like potential vulnerabilities.

M.

On Tue, Sep 23, 2025 at 8:34 PM Peter Kjellerstedt via lists.openembedded.org <peter.kjellerstedt=axis.com@lists.openembedded.org> wrote:
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Peter Marko via lists.openembedded.org
> > Sent: 4 August 2025 18:41
> > To: openembedded-core@lists.openembedded.org
> > Cc: Peter Marko <peter.marko@siemens.com>
> > Subject: [OE-core][walnascar][PATCH] sqlite3: patch CVE-2025-6965
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Pick patch [1] mentioned in NVD report [2] from github mirror [3].
> >
> > [1] https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
> > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-6965
> > [3] https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  .../sqlite/sqlite3/CVE-2025-6965.patch        | 112 ++++++++++++++++++
> >  meta/recipes-support/sqlite/sqlite3_3.48.0.bb |   1 +
> >  2 files changed, 113 insertions(+)
> >  create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch
> >
> > [cut]
> >
> > diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> > index 11f103dddc..6c9f1ed5d9 100644
> > --- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> > +++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> > @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
> >  SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \
> >             file://CVE-2025-3277.patch \
> >             file://CVE-2025-29088.patch \
> > +           file://CVE-2025-6965.patch \
> >             "
> >  SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"
>
> Why aren't these three patches on master? It still uses the same version of sqlite3 as Walnascar so they should be needed on master as well.
>

In my opinion master should go to 3.50.4, there are other commits that look like potential vulnerabilities.

M.
Sure, but the patches should have been added to the master branch before being considered for the older branches. Because as it currently is, master lacks CVE fixes for sqlite3 that the older branches have.

//Peter

From: Marta Rybczynska <rybczynska@gmail.com>
Sent: 23 September 2025 20:49
To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Cc: peter.marko@siemens.com; Steve Sakoman <steve@sakoman.com>; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][walnascar][PATCH] sqlite3: patch CVE-2025-6965

In my opinion master should go to 3.50.4, there are other commits that look like potential vulnerabilities.

M.

On Tue, Sep 23, 2025 at 8:34 PM Peter Kjellerstedt via lists.openembedded.org <peter.kjellerstedt=axis.com@lists.openembedded.org> wrote:
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Peter Marko via lists.openembedded.org
> Sent: 4 August 2025 18:41
> To: openembedded-core@lists.openembedded.org
> Cc: Peter Marko <peter.marko@siemens.com>
> Subject: [OE-core][walnascar][PATCH] sqlite3: patch CVE-2025-6965
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick patch [1] mentioned in NVD report [2] from github mirror [3].
>
> [1] https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-6965
> [3] https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../sqlite/sqlite3/CVE-2025-6965.patch        | 112 ++++++++++++++++++
>  meta/recipes-support/sqlite/sqlite3_3.48.0.bb |   1 +
>  2 files changed, 113 insertions(+)
>  create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch
>
> [cut]
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> index 11f103dddc..6c9f1ed5d9 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
>  SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \
>             file://CVE-2025-3277.patch \
>             file://CVE-2025-29088.patch \
> +           file://CVE-2025-6965.patch \
>             "
>  SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"

Why aren't these three patches on master? It still uses the same version of sqlite3 as Walnascar so they should be needed on master as well.

In my opinion master should go to 3.50.4, there are other commits that look like potential vulnerabilities.

M.
On Tue, Sep 23, 2025, 4:01 PM Peter Kjellerstedt <peter.kjellerstedt@axis.com> wrote:
> Sure, but the patches should have been added to the master branch before being considered for the older branches. Because as it currently is, master lacks CVE fixes for sqlite3 that the older branches have.
>

My fault, I should have noticed this :-(

Steve

> //Peter
>
> From: Marta Rybczynska <rybczynska@gmail.com>
> Sent: 23 September 2025 20:49
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
> Cc: peter.marko@siemens.com; Steve Sakoman <steve@sakoman.com>; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][walnascar][PATCH] sqlite3: patch CVE-2025-6965
>
> In my opinion master should go to 3.50.4, there are other commits that look like potential vulnerabilities.
>
> M.
>
> On Tue, Sep 23, 2025 at 8:34 PM Peter Kjellerstedt via lists.openembedded.org <peter.kjellerstedt=axis.com@lists.openembedded.org> wrote:
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Peter Marko via lists.openembedded.org
> > Sent: 4 August 2025 18:41
> > To: openembedded-core@lists.openembedded.org
> > Cc: Peter Marko <peter.marko@siemens.com>
> > Subject: [OE-core][walnascar][PATCH] sqlite3: patch CVE-2025-6965
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Pick patch [1] mentioned in NVD report [2] from github mirror [3].
> >
> > [1] https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
> > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-6965
> > [3] https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  .../sqlite/sqlite3/CVE-2025-6965.patch        | 112 ++++++++++++++++++
> >  meta/recipes-support/sqlite/sqlite3_3.48.0.bb |   1 +
> >  2 files changed, 113 insertions(+)
> >  create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch
> >
> > [cut]
> >
> > diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> > index 11f103dddc..6c9f1ed5d9 100644
> > --- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> > +++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
> > @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
> >  SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \
> >             file://CVE-2025-3277.patch \
> >             file://CVE-2025-29088.patch \
> > +           file://CVE-2025-6965.patch \
> >             "
> >  SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"
>
> Why aren't these three patches on master? It still uses the same version of sqlite3 as Walnascar so they should be needed on master as well.
>
> In my opinion master should go to 3.50.4, there are other commits that look like potential vulnerabilities.
>
> M.
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch new file mode 100644 index 0000000000..9b2f4409b3 --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch 
@@ -0,0 +1,112 @@ +From c52e9d97d485a3eb168e3f8f3674a7bc4b419703 Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Fri, 27 Jun 2025 19:02:21 +0000 +Subject: [PATCH] Raise an error right away if the number of aggregate terms in + a query exceeds the maximum number of columns. + +FossilOrigin-Name: 5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8 + +CVE: CVE-2025-6965 +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + sqlite3.c | 30 ++++++++++++++++++++++++++---- + 1 file changed, 26 insertions(+), 4 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 146047d..c78f58b 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -15257,6 +15257,14 @@ typedef INT16_TYPE LogEst; + #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32)) + #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64) + ++/* ++** Macro SMXV(n) return the maximum value that can be held in variable n, ++** assuming n is a signed integer type. UMXV(n) is similar for unsigned ++** integer types. ++*/ ++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1) ++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1) ++ + /* + ** Round up a number to the next larger multiple of 8. This is used + ** to force 8-byte alignment on 64-bit architectures. 
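Review bot: the new UMXV(n) macro is defined but never used by this patch, and both SMXV(n) and UMXV(n) shift an i64 by sizeof(n)*8-1 or sizeof(n)*8, so they are only well-defined for types narrower than 64 bits; the call sites in this patch pass i16 (SMXV(i16), SMXV(pExpr->iAgg)), which is fine, but the comment should state that restriction, and "Macro SMXV(n) return the maximum value" should read "returns". As this is a verbatim backport of the upstream commit (Upstream-Status: Backport above), keep the hunk as upstream has it rather than diverging locally.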
+@@ -19046,7 +19054,7 @@ struct AggInfo { + ** from source tables rather than from accumulators */ + u8 useSortingIdx; /* In direct mode, reference the sorting index rather + ** than the source table */ +- u16 nSortingColumn; /* Number of columns in the sorting index */ ++ u32 nSortingColumn; /* Number of columns in the sorting index */ + int sortingIdx; /* Cursor number of the sorting index */ + int sortingIdxPTab; /* Cursor number of pseudo-table */ + int iFirstReg; /* First register in range for aCol[] and aFunc[] */ +@@ -19055,8 +19063,8 @@ struct AggInfo { + Table *pTab; /* Source table */ + Expr *pCExpr; /* The original expression */ + int iTable; /* Cursor number of the source table */ +- i16 iColumn; /* Column number within the source table */ +- i16 iSorterColumn; /* Column number in the sorting index */ ++ int iColumn; /* Column number within the source table */ ++ int iSorterColumn; /* Column number in the sorting index */ + } *aCol; + int nColumn; /* Number of used entries in aCol[] */ + int nAccumulator; /* Number of columns that show through to the output. 
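Review bot: widening nSortingColumn from u16 to u32 and iColumn/iSorterColumn from i16 to int removes the 16-bit counters inside AggInfo, but Expr.iAgg stays an i16 (the later hunks still assign `pExpr->iAgg = (i16)k;` and `pExpr->iAgg = (i16)i;`), so this hunk on its own does not stop an aggregate index from being truncated; the actual guard is the mxTerm check added to findOrCreateAggInfoColumn() and analyzeAggregate(). When backporting, these struct changes and the limit checks must be carried together, never one without the other.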
+@@ -116445,7 +116453,9 @@ static void findOrCreateAggInfoColumn( + ){ + struct AggInfo_col *pCol; + int k; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; + ++ assert( mxTerm <= SMXV(i16) ); + assert( pAggInfo->iFirstReg==0 ); + pCol = pAggInfo->aCol; + for(k=0; k<pAggInfo->nColumn; k++, pCol++){ +@@ -116463,6 +116473,10 @@ static void findOrCreateAggInfoColumn( + assert( pParse->db->mallocFailed ); + return; + } ++ if( k>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ k = mxTerm; ++ } + pCol = &pAggInfo->aCol[k]; + assert( ExprUseYTab(pExpr) ); + pCol->pTab = pExpr->y.pTab; +@@ -116496,6 +116510,7 @@ fix_up_expr: + if( pExpr->op==TK_COLUMN ){ + pExpr->op = TK_AGG_COLUMN; + } ++ assert( k <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)k; + } + +@@ -116580,13 +116595,19 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + ** function that is already in the pAggInfo structure + */ + struct AggInfo_func *pItem = pAggInfo->aFunc; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; ++ assert( mxTerm <= SMXV(i16) ); + for(i=0; i<pAggInfo->nFunc; i++, pItem++){ + if( NEVER(pItem->pFExpr==pExpr) ) break; + if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){ + break; + } + } +- if( i>=pAggInfo->nFunc ){ ++ if( i>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ i = mxTerm; ++ assert( i<pAggInfo->nFunc ); ++ }else if( i>=pAggInfo->nFunc ){ + /* pExpr is original. Make a new entry in pAggInfo->aFunc[] + */ + u8 enc = ENC(pParse->db); +@@ -116640,6 +116661,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + */ + assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) ); + ExprSetVVAProperty(pExpr, EP_NoReduce); ++ assert( i <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)i; + pExpr->pAggInfo = pAggInfo; + return WRC_Prune; diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb index 11f103dddc..6c9f1ed5d9 100644 
--- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2025-3277.patch \ file://CVE-2025-29088.patch \ + file://CVE-2025-6965.patch \ " SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"
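Review bot: in findOrCreateAggInfoColumn() the new `if( k>mxTerm )` block reports "more than %d aggregate terms" and then clamps k to mxTerm, so the following `pCol = &pAggInfo->aCol[k]` stays in bounds (aCol was just grown to hold index k) and the statement fails on the recorded error instead of relying on the truncating `(i16)k` cast; analyzeAggregate() applies the same clamp to i and asserts `i<pAggInfo->nFunc`. Both paths rest on `assert( mxTerm <= SMXV(i16) )`, i.e. on SQLITE_LIMIT_COLUMN never exceeding 32767; since asserts compile out in release builds and the clamp would no longer protect the i16 iAgg if that limit were raised, confirm the recipe does not raise the compile-time column limit past that value.

Review bot: the SRC_URI hunk adds CVE-2025-6965.patch beside CVE-2025-3277.patch and CVE-2025-29088.patch in the sqlite3_3.48.0.bb recipe, but as the thread points out, master is on the same sqlite3 3.48.0 and carries none of these three fixes; the patch (or the 3.50.4 upgrade Marta suggests) should land on master first so the walnascar branch does not end up ahead of master on CVE fixes.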