[whinlatter,v2,28/29] sqlite3: patch CVE-2025-3277

Message ID	20251219032209.960840-29-ankur.tyagi85@gmail.com
State	New
Headers	show Return-Path: <ankur.tyagi85@gmail.com> ip: 209.85.210.170, mailfrom: ankur.tyagi85@gmail.com) From: ankur.tyagi85@gmail.com To: openembedded-core@lists.openembedded.org Cc: Ankur Tyagi <ankur.tyagi85@gmail.com> Subject: [OE-core][whinlatter][PATCH v2 28/29] sqlite3: patch CVE-2025-3277 Date: Fri, 19 Dec 2025 08:52:07 +0530 Message-ID: <20251219032209.960840-29-ankur.tyagi85@gmail.com> In-Reply-To: <20251219032209.960840-1-ankur.tyagi85@gmail.com> References: <20251219032209.960840-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Updates for Whinlatter \| expand [whinlatter,v2,00/29] Updates for Whinlatter [whinlatter,v2,01/29] libxmlb: upgrade 0.3.23 -> 0.3.24 [whinlatter,v2,02/29] libarchive: upgrade 3.8.2 -> 3.8.3 [whinlatter,v2,03/29] glib-2.0: Upgrade 2.86.0 -> 2.86.1 [whinlatter,v2,04/29] ell: upgrade 0.79 -> 0.80 [whinlatter,v2,05/29] spirv-llvm-translator: Upgrade to 21.1.2 [whinlatter,v2,06/29] gst-devtools: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,07/29] gst-examples: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,08/29] gstreamer1.0-libav: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,09/29] gstreamer1.0-plugins-bad: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,10/29] gstreamer1.0-plugins-base: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,11/29] gstreamer1.0-plugins-good: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,12/29] gstreamer1.0-plugins-ugly: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,13/29] gstreamer1.0-python: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,14/29] gstreamer1.0-rtsp-server: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,15/29] gstreamer1.0: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,16/29] gstreamer1.0-vaapi: upgrade 1.26.5 -> 1.26.7 [whinlatter,v2,17/29] go: upgrade 1.25.4 -> 1.25.5 [whinlatter,v2,18/29] enchant2: upgrade 2.8.12 -> 2.8.14 [whinlatter,v2,19/29] libpng: upgrade 1.6.50 -> 1.6.51 [whinlatter,v2,20/29] llvm/clang: Upgrade to 21.1.6 release [whinlatter,v2,21/29] llvm/clang: Upgrade to 21.1.7 release [whinlatter,v2,22/29] mesa: upgrade 25.2.5 -> 25.2.8 [whinlatter,v2,23/29] e2fsprogs: misc/create_inode.c: Fix for file larger than 2GB [whinlatter,v2,24/29] ccache: upgrade 4.12 -> 4.12.1 [whinlatter,v2,25/29] ccache: 4.12.1 -> 4.12.2 [whinlatter,v2,26/29] gnutls: patch CVE-2025-9820 [whinlatter,v2,27/29] cups: upgrade from 2.4.14 to 2.4.15 [whinlatter,v2,28/29] sqlite3: patch CVE-2025-3277 [whinlatter,v2,29/29] sqlite3: patch CVE-2025-6965

Message ID

20251219032209.960840-29-ankur.tyagi85@gmail.com

State

New

Headers

From: ankur.tyagi85@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [OE-core][whinlatter][PATCH v2 28/29] sqlite3: patch CVE-2025-3277
Date: Fri, 19 Dec 2025 08:52:07 +0530
Message-ID: <20251219032209.960840-29-ankur.tyagi85@gmail.com>
In-Reply-To: <20251219032209.960840-1-ankur.tyagi85@gmail.com>
References: <20251219032209.960840-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Updates for Whinlatter | expand

Commit Message

Ankur Tyagi Dec. 19, 2025, 3:22 a.m. UTC

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details https://nvd.nist.gov/vuln/detail/CVE-2025-3277

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../sqlite/files/CVE-2025-3277.patch          | 29 +++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.48.0.bb |  4 ++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-3277.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2025-3277.patch b/meta/recipes-support/sqlite/files/CVE-2025-3277.patch
new file mode 100644
index 0000000000..a3e28465f5
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2025-3277.patch
@@ -0,0 +1,29 @@ 
+From c4add21ff123bc01be51f6e7374a14c2106e3686 Mon Sep 17 00:00:00 2001
+From: Ankur Tyagi <ankur.tyagi85@gmail.com>
+Date: Thu, 18 Dec 2025 23:28:45 +0530
+Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the
+ concat_ws() function with an enormous separator values and many arguments.
+
+FossilOrigin-Name: 498e3f1cf57f164fbd8380e92bf91b9f26d6aa05d092fcd135d754abf1e5b1b5
+
+CVE: CVE-2025-3277
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f4fc2ee20311a0a5141726c71d318ab52001c974]
+
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ sqlite3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 80433f6c1f..8a43734131 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -130954,7 +130954,7 @@ static void concatFuncCore(
+   for(i=0; i<argc; i++){
+     n += sqlite3_value_bytes(argv[i]);
+   }
+-  n += (argc-1)*nSep;
++  n += (argc-1)*(i64)nSep;
+   z = sqlite3_malloc64(n+1);
+   if( z==0 ){
+     sqlite3_result_error_nomem(context);
diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
index bd2ac6614d..4988231a0c 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb
@@ -3,6 +3,8 @@  require sqlite3.inc
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
-SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz"
+SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+           file://CVE-2025-3277.patch \
+"
 SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"

[whinlatter,v2,28/29] sqlite3: patch CVE-2025-3277

Commit Message

Patch