diff mbox series

[kirkstone,2/4] sqlite3: patch CVE-2025-7458

Message ID 4d5093e5103016c08b3a32fd83b1ec9edd87cd5a.1754412086.git.steve@sakoman.com
State Accepted, archived
Commit 4d5093e5103016c08b3a32fd83b1ec9edd87cd5a
Delegated to: Steve Sakoman
Headers show
Series [kirkstone,1/4] avahi: fix CVE-2024-52615 | expand

Commit Message

Steve Sakoman Aug. 5, 2025, 4:43 p.m. UTC 
From: Peter Marko <peter.marko@siemens.com>

Pick patch [1] listed in [2].
Also pick another patch which is precondition to this one introducing
variable needed for the check.

[1] https://sqlite.org/src/info/12ad822d9b827777
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
 .../sqlite/files/CVE-2025-7458.patch          | 32 +++++++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  2 +
 3 files changed, 125 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch

Comments

Niko Mauno Aug. 29, 2025, 11:25 a.m. UTC | #1 
We have found that since this patch SELECT queries with COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.

# sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
Segmentation fault (core dumped)

-Niko

On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> Pick patch [1] listed in [2].
> Also pick another patch which is precondition to this one introducing
> variable needed for the check.
> 
> [1] https://sqlite.org/src/info/12ad822d9b827777
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>   ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
>   .../sqlite/files/CVE-2025-7458.patch          | 32 +++++++
>   meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  2 +
>   3 files changed, 125 insertions(+)
>   create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
>   create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> 
> diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> new file mode 100644
> index 0000000000..8fb037bb0f
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> @@ -0,0 +1,91 @@
> +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001
> +From: drh <>
> +Date: Sat, 22 Oct 2022 14:16:02 +0000
> +Subject: [PATCH] This branch attempts to improve the detection of covering
> + indexes.  This first check-in merely improves a parameter name to
> + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
> + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> + faster.
> +
> +FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> +
> +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + sqlite3.c | 28 +++++++++++++---------------
> + 1 file changed, 13 insertions(+), 15 deletions(-)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 4cbc2d0..b7ed991 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> +   ExprList *pOrderBy;       /* The ORDER BY clause or NULL */
> +   ExprList *pResultSet;     /* Result set of the query */
> +   Expr *pWhere;             /* The complete WHERE clause */
> +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> +-  Select *pLimit;           /* Used to access LIMIT expr/registers for vtabs */
> +-#endif
> ++  Select *pSelect;          /* The entire SELECT statement containing WHERE */
> +   int aiCurOnePass[2];      /* OP_OpenWrite cursors for the ONEPASS opt */
> +   int iContinue;            /* Jump here to continue with next record */
> +   int iBreak;               /* Jump here to break out of the loop */
> +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
> +          && pLoop->u.vtab.bOmitOffset
> +         ){
> +           assert( pTerm->eOperator==WO_AUX );
> +-          assert( pWInfo->pLimit!=0 );
> +-          assert( pWInfo->pLimit->iOffset>0 );
> +-          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> ++          assert( pWInfo->pSelect!=0 );
> ++          assert( pWInfo->pSelect->iOffset>0 );
> ++          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> +           VdbeComment((v,"Zero OFFSET counter"));
> +         }
> +       }
> +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> + ** exist only so that they may be passed to the xBestIndex method of the
> + ** single virtual table in the FROM clause of the SELECT.
> + */
> +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> +-  assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) );
> +-  if( (p && p->pLimit)                                          /* 1 */
> +-   && (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> ++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> ++  assert( p!=0 && p->pLimit!=0 );                 /* 1 -- checked by caller */
> ++  assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> ++  if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> +    && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))       /* 3 */
> +   ){
> +     ExprList *pOrderBy = p->pOrderBy;
> +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> +   Expr *pWhere,           /* The WHERE clause */
> +   ExprList *pOrderBy,     /* An ORDER BY (or GROUP BY) clause, or NULL */
> +   ExprList *pResultSet,   /* Query result set.  Req'd for DISTINCT */
> +-  Select *pLimit,         /* Use this LIMIT/OFFSET clause, if any */
> ++  Select *pSelect,        /* The entire SELECT statement */
> +   u16 wctrlFlags,         /* The WHERE_* flags defined in sqliteInt.h */
> +   int iAuxArg             /* If WHERE_OR_SUBCLAUSE is set, index cursor number
> +                           ** If WHERE_USE_LIMIT, then the limit amount */
> +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> +   pWInfo->wctrlFlags = wctrlFlags;
> +   pWInfo->iLimit = iAuxArg;
> +   pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> +-  pWInfo->pLimit = pLimit;
> +-#endif
> ++  pWInfo->pSelect = pSelect;
> +   memset(&pWInfo->nOBSat, 0,
> +          offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> +   memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> +
> +   /* Analyze all of the subexpressions. */
> +   sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> +-  sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> ++  if( pSelect && pSelect->pLimit ){
> ++    sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> ++  }
> +   if( db->mallocFailed ) goto whereBeginError;
> +
> +   /* Special case: WHERE terms that do not refer to any tables in the join
> diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> new file mode 100644
> index 0000000000..6b041d9332
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> @@ -0,0 +1,32 @@
> +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001
> +From: drh <>
> +Date: Thu, 16 Mar 2023 20:54:29 +0000
> +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the
> + result set terms are constant and there are more result set terms than ORDER
> + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> + [d6fd512f50513ab7].
> +
> +FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> +
> +CVE: CVE-2025-7458
> +Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + sqlite3.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 19d0438..6d92184 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
> +       if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> +         pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> +       }
> ++      if( pWInfo->pSelect->pOrderBy
> ++       && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> ++        pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> ++      }
> +     }else{
> +       pWInfo->nOBSat = pFrom->isOrdered;
> +       pWInfo->revMask = pFrom->revLoop;
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> index 656e2d8bd8..86d9b4b33b 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
>              file://CVE-2023-7104.patch \
>              file://CVE-2025-29088.patch \
>              file://CVE-2025-6965.patch \
> +           file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \
> +           file://CVE-2025-7458.patch \
>              "
>   SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
>   
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#221481): https://lists.openembedded.org/g/openembedded-core/message/221481
> Mute This Topic: https://lists.openembedded.org/mt/114551672/3618471
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [niko.mauno@vaisala.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Steve Sakoman Aug. 29, 2025, 3:37 p.m. UTC | #2 
On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com> wrote:
>
> We have found that since this patch SELECT queries with COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
>
> # sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
> Segmentation fault (core dumped)

Hi Peter,

Could you check this to see if you can reproduce it?

If so, we should revert this patch.

Steve

> On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Pick patch [1] listed in [2].
> > Also pick another patch which is precondition to this one introducing
> > variable needed for the check.
> >
> > [1] https://sqlite.org/src/info/12ad822d9b827777
> > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >   ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
> >   .../sqlite/files/CVE-2025-7458.patch          | 32 +++++++
> >   meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  2 +
> >   3 files changed, 125 insertions(+)
> >   create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> >   create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> >
> > diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> > new file mode 100644
> > index 0000000000..8fb037bb0f
> > --- /dev/null
> > +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> > @@ -0,0 +1,91 @@
> > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001
> > +From: drh <>
> > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > +Subject: [PATCH] This branch attempts to improve the detection of covering
> > + indexes.  This first check-in merely improves a parameter name to
> > + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
> > + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> > + faster.
> > +
> > +FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > +
> > +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2]
> > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > +---
> > + sqlite3.c | 28 +++++++++++++---------------
> > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > +
> > +diff --git a/sqlite3.c b/sqlite3.c
> > +index 4cbc2d0..b7ed991 100644
> > +--- a/sqlite3.c
> > ++++ b/sqlite3.c
> > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > +   ExprList *pOrderBy;       /* The ORDER BY clause or NULL */
> > +   ExprList *pResultSet;     /* Result set of the query */
> > +   Expr *pWhere;             /* The complete WHERE clause */
> > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > +-  Select *pLimit;           /* Used to access LIMIT expr/registers for vtabs */
> > +-#endif
> > ++  Select *pSelect;          /* The entire SELECT statement containing WHERE */
> > +   int aiCurOnePass[2];      /* OP_OpenWrite cursors for the ONEPASS opt */
> > +   int iContinue;            /* Jump here to continue with next record */
> > +   int iBreak;               /* Jump here to break out of the loop */
> > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
> > +          && pLoop->u.vtab.bOmitOffset
> > +         ){
> > +           assert( pTerm->eOperator==WO_AUX );
> > +-          assert( pWInfo->pLimit!=0 );
> > +-          assert( pWInfo->pLimit->iOffset>0 );
> > +-          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> > ++          assert( pWInfo->pSelect!=0 );
> > ++          assert( pWInfo->pSelect->iOffset>0 );
> > ++          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> > +           VdbeComment((v,"Zero OFFSET counter"));
> > +         }
> > +       }
> > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > + ** exist only so that they may be passed to the xBestIndex method of the
> > + ** single virtual table in the FROM clause of the SELECT.
> > + */
> > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > +-  assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) );
> > +-  if( (p && p->pLimit)                                          /* 1 */
> > +-   && (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> > ++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > ++  assert( p!=0 && p->pLimit!=0 );                 /* 1 -- checked by caller */
> > ++  assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > ++  if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> > +    && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))       /* 3 */
> > +   ){
> > +     ExprList *pOrderBy = p->pOrderBy;
> > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> > +   Expr *pWhere,           /* The WHERE clause */
> > +   ExprList *pOrderBy,     /* An ORDER BY (or GROUP BY) clause, or NULL */
> > +   ExprList *pResultSet,   /* Query result set.  Req'd for DISTINCT */
> > +-  Select *pLimit,         /* Use this LIMIT/OFFSET clause, if any */
> > ++  Select *pSelect,        /* The entire SELECT statement */
> > +   u16 wctrlFlags,         /* The WHERE_* flags defined in sqliteInt.h */
> > +   int iAuxArg             /* If WHERE_OR_SUBCLAUSE is set, index cursor number
> > +                           ** If WHERE_USE_LIMIT, then the limit amount */
> > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> > +   pWInfo->wctrlFlags = wctrlFlags;
> > +   pWInfo->iLimit = iAuxArg;
> > +   pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > +-  pWInfo->pLimit = pLimit;
> > +-#endif
> > ++  pWInfo->pSelect = pSelect;
> > +   memset(&pWInfo->nOBSat, 0,
> > +          offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > +   memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> > +
> > +   /* Analyze all of the subexpressions. */
> > +   sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > +-  sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > ++  if( pSelect && pSelect->pLimit ){
> > ++    sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > ++  }
> > +   if( db->mallocFailed ) goto whereBeginError;
> > +
> > +   /* Special case: WHERE terms that do not refer to any tables in the join
> > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > new file mode 100644
> > index 0000000000..6b041d9332
> > --- /dev/null
> > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > @@ -0,0 +1,32 @@
> > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001
> > +From: drh <>
> > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the
> > + result set terms are constant and there are more result set terms than ORDER
> > + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> > + [d6fd512f50513ab7].
> > +
> > +FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > +
> > +CVE: CVE-2025-7458
> > +Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > +---
> > + sqlite3.c | 4 ++++
> > + 1 file changed, 4 insertions(+)
> > +
> > +diff --git a/sqlite3.c b/sqlite3.c
> > +index 19d0438..6d92184 100644
> > +--- a/sqlite3.c
> > ++++ b/sqlite3.c
> > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
> > +       if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > +         pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > +       }
> > ++      if( pWInfo->pSelect->pOrderBy
> > ++       && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > ++        pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > ++      }
> > +     }else{
> > +       pWInfo->nOBSat = pFrom->isOrdered;
> > +       pWInfo->revMask = pFrom->revLoop;
> > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > index 656e2d8bd8..86d9b4b33b 100644
> > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
> >              file://CVE-2023-7104.patch \
> >              file://CVE-2025-29088.patch \
> >              file://CVE-2025-6965.patch \
> > +           file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \
> > +           file://CVE-2025-7458.patch \
> >              "
> >   SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> >
> >
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#221481): https://lists.openembedded.org/g/openembedded-core/message/221481
> > Mute This Topic: https://lists.openembedded.org/mt/114551672/3618471
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [niko.mauno@vaisala.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
Peter Marko Aug. 31, 2025, 9:12 p.m. UTC | #3 
> -----Original Message-----
> From: Steve Sakoman <steve@sakoman.com>
> Sent: Friday, August 29, 2025 17:38
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> <niko.mauno@vaisala.com>
> Subject: Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> 
> On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com> wrote:
> >
> > We have found that since this patch SELECT queries with
> COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
> >
> > # sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
> > Segmentation fault (core dumped)
> 
> Hi Peter,
> 
> Could you check this to see if you can reproduce it?

I'll be offline for next two weeks, please revert and I'll check it when I'm back.

> 
> If so, we should revert this patch.
> 
> Steve
> 
> > On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Pick patch [1] listed in [2].
> > > Also pick another patch which is precondition to this one introducing
> > > variable needed for the check.
> > >
> > > [1] https://sqlite.org/src/info/12ad822d9b827777
> > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> > >
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > ---
> > >   ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
> > >   .../sqlite/files/CVE-2025-7458.patch          | 32 +++++++
> > >   meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  2 +
> > >   3 files changed, 125 insertions(+)
> > >   create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-
> attempts-to-improve-the-detection-of-cov.patch
> > >   create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > >
> > > diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-
> branch-attempts-to-improve-the-detection-of-cov.patch
> > > new file mode 100644
> > > index 0000000000..8fb037bb0f
> > > --- /dev/null
> > > +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> improve-the-detection-of-cov.patch
> > > @@ -0,0 +1,91 @@
> > > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00
> 2001
> > > +From: drh <>
> > > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > > +Subject: [PATCH] This branch attempts to improve the detection of covering
> > > + indexes.  This first check-in merely improves a parameter name to
> > > + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
> > > + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> > > + faster.
> > > +
> > > +FossilOrigin-Name:
> cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > > +
> > > +Upstream-Status: Backport
> [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a051550238
> 6fe2]
> > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > +---
> > > + sqlite3.c | 28 +++++++++++++---------------
> > > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > > +
> > > +diff --git a/sqlite3.c b/sqlite3.c
> > > +index 4cbc2d0..b7ed991 100644
> > > +--- a/sqlite3.c
> > > ++++ b/sqlite3.c
> > > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > > +   ExprList *pOrderBy;       /* The ORDER BY clause or NULL */
> > > +   ExprList *pResultSet;     /* Result set of the query */
> > > +   Expr *pWhere;             /* The complete WHERE clause */
> > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > +-  Select *pLimit;           /* Used to access LIMIT expr/registers for vtabs */
> > > +-#endif
> > > ++  Select *pSelect;          /* The entire SELECT statement containing
> WHERE */
> > > +   int aiCurOnePass[2];      /* OP_OpenWrite cursors for the ONEPASS opt */
> > > +   int iContinue;            /* Jump here to continue with next record */
> > > +   int iBreak;               /* Jump here to break out of the loop */
> > > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask
> sqlite3WhereCodeOneLoopStart(
> > > +          && pLoop->u.vtab.bOmitOffset
> > > +         ){
> > > +           assert( pTerm->eOperator==WO_AUX );
> > > +-          assert( pWInfo->pLimit!=0 );
> > > +-          assert( pWInfo->pLimit->iOffset>0 );
> > > +-          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> > > ++          assert( pWInfo->pSelect!=0 );
> > > ++          assert( pWInfo->pSelect->iOffset>0 );
> > > ++          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> > > +           VdbeComment((v,"Zero OFFSET counter"));
> > > +         }
> > > +       }
> > > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > > + ** exist only so that they may be passed to the xBestIndex method of the
> > > + ** single virtual table in the FROM clause of the SELECT.
> > > + */
> > > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select
> *p){
> > > +-  assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0)
> );
> > > +-  if( (p && p->pLimit)                                          /* 1 */
> > > +-   && (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> > > ++SQLITE_PRIVATE void SQLITE_NOINLINE
> sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > > ++  assert( p!=0 && p->pLimit!=0 );                 /* 1 -- checked by caller */
> > > ++  assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > > ++  if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> > > +    && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))       /* 3 */
> > > +   ){
> > > +     ExprList *pOrderBy = p->pOrderBy;
> > > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo
> *sqlite3WhereBegin(
> > > +   Expr *pWhere,           /* The WHERE clause */
> > > +   ExprList *pOrderBy,     /* An ORDER BY (or GROUP BY) clause, or NULL
> */
> > > +   ExprList *pResultSet,   /* Query result set.  Req'd for DISTINCT */
> > > +-  Select *pLimit,         /* Use this LIMIT/OFFSET clause, if any */
> > > ++  Select *pSelect,        /* The entire SELECT statement */
> > > +   u16 wctrlFlags,         /* The WHERE_* flags defined in sqliteInt.h */
> > > +   int iAuxArg             /* If WHERE_OR_SUBCLAUSE is set, index cursor
> number
> > > +                           ** If WHERE_USE_LIMIT, then the limit amount */
> > > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo
> *sqlite3WhereBegin(
> > > +   pWInfo->wctrlFlags = wctrlFlags;
> > > +   pWInfo->iLimit = iAuxArg;
> > > +   pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > +-  pWInfo->pLimit = pLimit;
> > > +-#endif
> > > ++  pWInfo->pSelect = pSelect;
> > > +   memset(&pWInfo->nOBSat, 0,
> > > +          offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > > +   memset(&pWInfo->a[0], 0,
> sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo
> *sqlite3WhereBegin(
> > > +
> > > +   /* Analyze all of the subexpressions. */
> > > +   sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > > +-  sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > > ++  if( pSelect && pSelect->pLimit ){
> > > ++    sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > > ++  }
> > > +   if( db->mallocFailed ) goto whereBeginError;
> > > +
> > > +   /* Special case: WHERE terms that do not refer to any tables in the join
> > > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > new file mode 100644
> > > index 0000000000..6b041d9332
> > > --- /dev/null
> > > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > @@ -0,0 +1,32 @@
> > > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00
> 2001
> > > +From: drh <>
> > > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when
> all of the
> > > + result set terms are constant and there are more result set terms than
> ORDER
> > > + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> > > + [d6fd512f50513ab7].
> > > +
> > > +FossilOrigin-Name:
> 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > > +
> > > +CVE: CVE-2025-7458
> > > +Upstream-Status: Backport
> [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > +---
> > > + sqlite3.c | 4 ++++
> > > + 1 file changed, 4 insertions(+)
> > > +
> > > +diff --git a/sqlite3.c b/sqlite3.c
> > > +index 19d0438..6d92184 100644
> > > +--- a/sqlite3.c
> > > ++++ b/sqlite3.c
> > > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo
> *pWInfo, LogEst nRowEst){
> > > +       if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > > +         pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > > +       }
> > > ++      if( pWInfo->pSelect->pOrderBy
> > > ++       && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > > ++        pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > > ++      }
> > > +     }else{
> > > +       pWInfo->nOBSat = pFrom->isOrdered;
> > > +       pWInfo->revMask = pFrom->revLoop;
> > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-
> support/sqlite/sqlite3_3.38.5.bb
> > > index 656e2d8bd8..86d9b4b33b 100644
> > > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-
> ${SQLITE_PV}.tar.gz \
> > >              file://CVE-2023-7104.patch \
> > >              file://CVE-2025-29088.patch \
> > >              file://CVE-2025-6965.patch \
> > > +           file://0001-This-branch-attempts-to-improve-the-detection-of-
> cov.patch \
> > > +           file://CVE-2025-7458.patch \
> > >              "
> > >   SRC_URI[sha256sum] =
> "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> > >
> > >
> > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#221481):
> https://lists.openembedded.org/g/openembedded-core/message/221481
> > > Mute This Topic: https://lists.openembedded.org/mt/114551672/3618471
> > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
> [niko.mauno@vaisala.com]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > >
> >
Peter Marko Sept. 3, 2025, 10:34 p.m. UTC | #4 
I have looked at the problem and reverting was the correct action.
Trying to identify missing patch I realized that the CVE does not affect our version,
so I'd have to backport additional patches which would first introduce the CVE and then fix it.

Sorry for this inconvenience.

Peter

> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1)
> Sent: Sunday, August 31, 2025 23:12
> To: Steve Sakoman <steve@sakoman.com>
> Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> <niko.mauno@vaisala.com>
> Subject: RE: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> 
> 
> 
> > -----Original Message-----
> > From: Steve Sakoman <steve@sakoman.com>
> > Sent: Friday, August 29, 2025 17:38
> > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> > <niko.mauno@vaisala.com>
> > Subject: Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> >
> > On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com>
> wrote:
> > >
> > > We have found that since this patch SELECT queries with
> > COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
> > >
> > > # sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
> > > Segmentation fault (core dumped)
> >
> > Hi Peter,
> >
> > Could you check this to see if you can reproduce it?
> 
> I'll be offline for next two weeks, please revert and I'll check it when I'm back.
> 
> >
> > If so, we should revert this patch.
> >
> > Steve
> >
> > > On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > > > From: Peter Marko <peter.marko@siemens.com>
> > > >
> > > > Pick patch [1] listed in [2].
> > > > Also pick another patch which is precondition to this one introducing
> > > > variable needed for the check.
> > > >
> > > > [1] https://sqlite.org/src/info/12ad822d9b827777
> > > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> > > >
> > > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > > ---
> > > >   ...mpts-to-improve-the-detection-of-cov.patch | 91
> +++++++++++++++++++
> > > >   .../sqlite/files/CVE-2025-7458.patch          | 32 +++++++
> > > >   meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  2 +
> > > >   3 files changed, 125 insertions(+)
> > > >   create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-
> > attempts-to-improve-the-detection-of-cov.patch
> > > >   create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-
> 7458.patch
> > > >
> > > > diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-
> This-
> > branch-attempts-to-improve-the-detection-of-cov.patch
> > > > new file mode 100644
> > > > index 0000000000..8fb037bb0f
> > > > --- /dev/null
> > > > +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > improve-the-detection-of-cov.patch
> > > > @@ -0,0 +1,91 @@
> > > > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00
> > 2001
> > > > +From: drh <>
> > > > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > > > +Subject: [PATCH] This branch attempts to improve the detection of
> covering
> > > > + indexes.  This first check-in merely improves a parameter name to
> > > > + sqlite3WhereBegin() to be more descriptive of what it contains, and
> ensures
> > > > + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> > > > + faster.
> > > > +
> > > > +FossilOrigin-Name:
> > cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > > > +
> > > > +Upstream-Status: Backport
> >
> [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a051550238
> > 6fe2]
> > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > +---
> > > > + sqlite3.c | 28 +++++++++++++---------------
> > > > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > > > +
> > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > +index 4cbc2d0..b7ed991 100644
> > > > +--- a/sqlite3.c
> > > > ++++ b/sqlite3.c
> > > > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > > > +   ExprList *pOrderBy;       /* The ORDER BY clause or NULL */
> > > > +   ExprList *pResultSet;     /* Result set of the query */
> > > > +   Expr *pWhere;             /* The complete WHERE clause */
> > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > +-  Select *pLimit;           /* Used to access LIMIT expr/registers for vtabs */
> > > > +-#endif
> > > > ++  Select *pSelect;          /* The entire SELECT statement containing
> > WHERE */
> > > > +   int aiCurOnePass[2];      /* OP_OpenWrite cursors for the ONEPASS opt
> */
> > > > +   int iContinue;            /* Jump here to continue with next record */
> > > > +   int iBreak;               /* Jump here to break out of the loop */
> > > > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask
> > sqlite3WhereCodeOneLoopStart(
> > > > +          && pLoop->u.vtab.bOmitOffset
> > > > +         ){
> > > > +           assert( pTerm->eOperator==WO_AUX );
> > > > +-          assert( pWInfo->pLimit!=0 );
> > > > +-          assert( pWInfo->pLimit->iOffset>0 );
> > > > +-          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> > > > ++          assert( pWInfo->pSelect!=0 );
> > > > ++          assert( pWInfo->pSelect->iOffset>0 );
> > > > ++          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> > > > +           VdbeComment((v,"Zero OFFSET counter"));
> > > > +         }
> > > > +       }
> > > > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > > > + ** exist only so that they may be passed to the xBestIndex method of the
> > > > + ** single virtual table in the FROM clause of the SELECT.
> > > > + */
> > > > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC,
> Select
> > *p){
> > > > +-  assert( p==0 || (p->pGroupBy==0 && (p->selFlags &
> SF_Aggregate)==0)
> > );
> > > > +-  if( (p && p->pLimit)                                          /* 1 */
> > > > +-   && (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> > > > ++SQLITE_PRIVATE void SQLITE_NOINLINE
> > sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > > > ++  assert( p!=0 && p->pLimit!=0 );                 /* 1 -- checked by caller */
> > > > ++  assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > > > ++  if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> > > > +    && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))       /* 3 */
> > > > +   ){
> > > > +     ExprList *pOrderBy = p->pOrderBy;
> > > > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo
> > *sqlite3WhereBegin(
> > > > +   Expr *pWhere,           /* The WHERE clause */
> > > > +   ExprList *pOrderBy,     /* An ORDER BY (or GROUP BY) clause, or
> NULL
> > */
> > > > +   ExprList *pResultSet,   /* Query result set.  Req'd for DISTINCT */
> > > > +-  Select *pLimit,         /* Use this LIMIT/OFFSET clause, if any */
> > > > ++  Select *pSelect,        /* The entire SELECT statement */
> > > > +   u16 wctrlFlags,         /* The WHERE_* flags defined in sqliteInt.h */
> > > > +   int iAuxArg             /* If WHERE_OR_SUBCLAUSE is set, index cursor
> > number
> > > > +                           ** If WHERE_USE_LIMIT, then the limit amount */
> > > > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo
> > *sqlite3WhereBegin(
> > > > +   pWInfo->wctrlFlags = wctrlFlags;
> > > > +   pWInfo->iLimit = iAuxArg;
> > > > +   pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > +-  pWInfo->pLimit = pLimit;
> > > > +-#endif
> > > > ++  pWInfo->pSelect = pSelect;
> > > > +   memset(&pWInfo->nOBSat, 0,
> > > > +          offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > > > +   memset(&pWInfo->a[0], 0,
> > sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > > > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo
> > *sqlite3WhereBegin(
> > > > +
> > > > +   /* Analyze all of the subexpressions. */
> > > > +   sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > > > +-  sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > > > ++  if( pSelect && pSelect->pLimit ){
> > > > ++    sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > > > ++  }
> > > > +   if( db->mallocFailed ) goto whereBeginError;
> > > > +
> > > > +   /* Special case: WHERE terms that do not refer to any tables in the join
> > > > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > new file mode 100644
> > > > index 0000000000..6b041d9332
> > > > --- /dev/null
> > > > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > @@ -0,0 +1,32 @@
> > > > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17
> 00:00:00
> > 2001
> > > > +From: drh <>
> > > > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > > > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY
> when
> > all of the
> > > > + result set terms are constant and there are more result set terms than
> > ORDER
> > > > + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> > > > + [d6fd512f50513ab7].
> > > > +
> > > > +FossilOrigin-Name:
> > 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > > > +
> > > > +CVE: CVE-2025-7458
> > > > +Upstream-Status: Backport
> >
> [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > +---
> > > > + sqlite3.c | 4 ++++
> > > > + 1 file changed, 4 insertions(+)
> > > > +
> > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > +index 19d0438..6d92184 100644
> > > > +--- a/sqlite3.c
> > > > ++++ b/sqlite3.c
> > > > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo
> > *pWInfo, LogEst nRowEst){
> > > > +       if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > > > +         pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > > > +       }
> > > > ++      if( pWInfo->pSelect->pOrderBy
> > > > ++       && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > > > ++        pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > > > ++      }
> > > > +     }else{
> > > > +       pWInfo->nOBSat = pFrom->isOrdered;
> > > > +       pWInfo->revMask = pFrom->revLoop;
> > > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-
> > support/sqlite/sqlite3_3.38.5.bb
> > > > index 656e2d8bd8..86d9b4b33b 100644
> > > > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-
> autoconf-
> > ${SQLITE_PV}.tar.gz \
> > > >              file://CVE-2023-7104.patch \
> > > >              file://CVE-2025-29088.patch \
> > > >              file://CVE-2025-6965.patch \
> > > > +           file://0001-This-branch-attempts-to-improve-the-detection-of-
> > cov.patch \
> > > > +           file://CVE-2025-7458.patch \
> > > >              "
> > > >   SRC_URI[sha256sum] =
> > "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> > > >
> > > >
> > > >
> > > >
> > > > -=-=-=-=-=-=-=-=-=-=-=-
> > > > Links: You receive all messages sent to this group.
> > > > View/Reply Online (#221481):
> > https://lists.openembedded.org/g/openembedded-core/message/221481
> > > > Mute This Topic: https://lists.openembedded.org/mt/114551672/3618471
> > > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
> > [niko.mauno@vaisala.com]
> > > > -=-=-=-=-=-=-=-=-=-=-=-
> > > >
> > >
Steve Sakoman Sept. 3, 2025, 11:03 p.m. UTC | #5 
On Wed, Sep 3, 2025, 3:34 PM Marko, Peter <Peter.Marko@siemens.com> wrote:

> I have looked at the problem and reverting was the correct action.
> Trying to identify missing patch I realized that the CVE does not affect
> our version,
> so I'd have to backport additional patches which would first introduce the
> CVE and then fix it
>


Thanks for investigating!

Steve


> Sorry for this inconvenience.
>
> Peter
>
> > -----Original Message-----
> > From: Marko, Peter (FT D EU SK BFS1)
> > Sent: Sunday, August 31, 2025 23:12
> > To: Steve Sakoman <steve@sakoman.com>
> > Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> > <niko.mauno@vaisala.com>
> > Subject: RE: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> >
> >
> >
> > > -----Original Message-----
> > > From: Steve Sakoman <steve@sakoman.com>
> > > Sent: Friday, August 29, 2025 17:38
> > > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > > Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> > > <niko.mauno@vaisala.com>
> > > Subject: Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> > >
> > > On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com>
> > wrote:
> > > >
> > > > We have found that since this patch SELECT queries with
> > > COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
> > > >
> > > > # sqlite3 :memory: 'create table foo (x int); select
> count(distinct(x)) from foo;'
> > > > Segmentation fault (core dumped)
> > >
> > > Hi Peter,
> > >
> > > Could you check this to see if you can reproduce it?
> >
> > I'll be offline for next two weeks, please revert and I'll check it when
> I'm back.
> >
> > >
> > > If so, we should revert this patch.
> > >
> > > Steve
> > >
> > > > On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > > > > From: Peter Marko <peter.marko@siemens.com>
> > > > >
> > > > > Pick patch [1] listed in [2].
> > > > > Also pick another patch which is precondition to this one
> introducing
> > > > > variable needed for the check.
> > > > >
> > > > > [1] https://sqlite.org/src/info/12ad822d9b827777
> > > > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> > > > >
> > > > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > > > ---
> > > > >   ...mpts-to-improve-the-detection-of-cov.patch | 91
> > +++++++++++++++++++
> > > > >   .../sqlite/files/CVE-2025-7458.patch          | 32 +++++++
> > > > >   meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  2 +
> > > > >   3 files changed, 125 insertions(+)
> > > > >   create mode 100644
> meta/recipes-support/sqlite/files/0001-This-branch-
> > > attempts-to-improve-the-detection-of-cov.patch
> > > > >   create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-
> > 7458.patch
> > > > >
> > > > > diff --git
> a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > > improve-the-detection-of-cov.patch
> b/meta/recipes-support/sqlite/files/0001-
> > This-
> > > branch-attempts-to-improve-the-detection-of-cov.patch
> > > > > new file mode 100644
> > > > > index 0000000000..8fb037bb0f
> > > > > --- /dev/null
> > > > > +++
> b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > > improve-the-detection-of-cov.patch
> > > > > @@ -0,0 +1,91 @@
> > > > > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00
> > > 2001
> > > > > +From: drh <>
> > > > > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > > > > +Subject: [PATCH] This branch attempts to improve the detection of
> > covering
> > > > > + indexes.  This first check-in merely improves a parameter name to
> > > > > + sqlite3WhereBegin() to be more descriptive of what it contains,
> and
> > ensures
> > > > > + that a subroutine is not inlines so that sqlite3WhereBegin()
> runs slightly
> > > > > + faster.
> > > > > +
> > > > > +FossilOrigin-Name:
> > > cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > > > > +
> > > > > +Upstream-Status: Backport
> > >
> > [
> https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a051550238
> > > 6fe2]
> > > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > > +---
> > > > > + sqlite3.c | 28 +++++++++++++---------------
> > > > > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > > > > +
> > > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > > +index 4cbc2d0..b7ed991 100644
> > > > > +--- a/sqlite3.c
> > > > > ++++ b/sqlite3.c
> > > > > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > > > > +   ExprList *pOrderBy;       /* The ORDER BY clause or NULL */
> > > > > +   ExprList *pResultSet;     /* Result set of the query */
> > > > > +   Expr *pWhere;             /* The complete WHERE clause */
> > > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > > +-  Select *pLimit;           /* Used to access LIMIT
> expr/registers for vtabs */
> > > > > +-#endif
> > > > > ++  Select *pSelect;          /* The entire SELECT statement
> containing
> > > WHERE */
> > > > > +   int aiCurOnePass[2];      /* OP_OpenWrite cursors for the
> ONEPASS opt
> > */
> > > > > +   int iContinue;            /* Jump here to continue with next
> record */
> > > > > +   int iBreak;               /* Jump here to break out of the
> loop */
> > > > > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask
> > > sqlite3WhereCodeOneLoopStart(
> > > > > +          && pLoop->u.vtab.bOmitOffset
> > > > > +         ){
> > > > > +           assert( pTerm->eOperator==WO_AUX );
> > > > > +-          assert( pWInfo->pLimit!=0 );
> > > > > +-          assert( pWInfo->pLimit->iOffset>0 );
> > > > > +-          sqlite3VdbeAddOp2(v, OP_Integer, 0,
> pWInfo->pLimit->iOffset);
> > > > > ++          assert( pWInfo->pSelect!=0 );
> > > > > ++          assert( pWInfo->pSelect->iOffset>0 );
> > > > > ++          sqlite3VdbeAddOp2(v, OP_Integer, 0,
> pWInfo->pSelect->iOffset);
> > > > > +           VdbeComment((v,"Zero OFFSET counter"));
> > > > > +         }
> > > > > +       }
> > > > > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > > > > + ** exist only so that they may be passed to the xBestIndex
> method of the
> > > > > + ** single virtual table in the FROM clause of the SELECT.
> > > > > + */
> > > > > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC,
> > Select
> > > *p){
> > > > > +-  assert( p==0 || (p->pGroupBy==0 && (p->selFlags &
> > SF_Aggregate)==0)
> > > );
> > > > > +-  if( (p && p->pLimit)
> /* 1 */
> > > > > +-   && (p->selFlags & (SF_Distinct|SF_Aggregate))==0
>  /* 2 */
> > > > > ++SQLITE_PRIVATE void SQLITE_NOINLINE
> > > sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > > > > ++  assert( p!=0 && p->pLimit!=0 );                 /* 1 --
> checked by caller */
> > > > > ++  assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > > > > ++  if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0
>  /* 2 */
> > > > > +    && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))
>  /* 3 */
> > > > > +   ){
> > > > > +     ExprList *pOrderBy = p->pOrderBy;
> > > > > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo
> > > *sqlite3WhereBegin(
> > > > > +   Expr *pWhere,           /* The WHERE clause */
> > > > > +   ExprList *pOrderBy,     /* An ORDER BY (or GROUP BY) clause, or
> > NULL
> > > */
> > > > > +   ExprList *pResultSet,   /* Query result set.  Req'd for
> DISTINCT */
> > > > > +-  Select *pLimit,         /* Use this LIMIT/OFFSET clause, if
> any */
> > > > > ++  Select *pSelect,        /* The entire SELECT statement */
> > > > > +   u16 wctrlFlags,         /* The WHERE_* flags defined in
> sqliteInt.h */
> > > > > +   int iAuxArg             /* If WHERE_OR_SUBCLAUSE is set, index
> cursor
> > > number
> > > > > +                           ** If WHERE_USE_LIMIT, then the limit
> amount */
> > > > > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo
> > > *sqlite3WhereBegin(
> > > > > +   pWInfo->wctrlFlags = wctrlFlags;
> > > > > +   pWInfo->iLimit = iAuxArg;
> > > > > +   pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > > +-  pWInfo->pLimit = pLimit;
> > > > > +-#endif
> > > > > ++  pWInfo->pSelect = pSelect;
> > > > > +   memset(&pWInfo->nOBSat, 0,
> > > > > +          offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > > > > +   memset(&pWInfo->a[0], 0,
> > > sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > > > > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo
> > > *sqlite3WhereBegin(
> > > > > +
> > > > > +   /* Analyze all of the subexpressions. */
> > > > > +   sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > > > > +-  sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > > > > ++  if( pSelect && pSelect->pLimit ){
> > > > > ++    sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > > > > ++  }
> > > > > +   if( db->mallocFailed ) goto whereBeginError;
> > > > > +
> > > > > +   /* Special case: WHERE terms that do not refer to any tables
> in the join
> > > > > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > > new file mode 100644
> > > > > index 0000000000..6b041d9332
> > > > > --- /dev/null
> > > > > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > > @@ -0,0 +1,32 @@
> > > > > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17
> > 00:00:00
> > > 2001
> > > > > +From: drh <>
> > > > > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > > > > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY
> > when
> > > all of the
> > > > > + result set terms are constant and there are more result set
> terms than
> > > ORDER
> > > > > + BY terms. Fix for these tickets: [c36cdb4afd504dc1],
> [4051a7f931d9ba24],
> > > > > + [d6fd512f50513ab7].
> > > > > +
> > > > > +FossilOrigin-Name:
> > > 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > > > > +
> > > > > +CVE: CVE-2025-7458
> > > > > +Upstream-Status: Backport
> > >
> > [
> github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > > +---
> > > > > + sqlite3.c | 4 ++++
> > > > > + 1 file changed, 4 insertions(+)
> > > > > +
> > > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > > +index 19d0438..6d92184 100644
> > > > > +--- a/sqlite3.c
> > > > > ++++ b/sqlite3.c
> > > > > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo
> > > *pWInfo, LogEst nRowEst){
> > > > > +       if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > > > > +         pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > > > > +       }
> > > > > ++      if( pWInfo->pSelect->pOrderBy
> > > > > ++       && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > > > > ++        pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > > > > ++      }
> > > > > +     }else{
> > > > > +       pWInfo->nOBSat = pFrom->isOrdered;
> > > > > +       pWInfo->revMask = pFrom->revLoop;
> > > > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> b/meta/recipes-
> > > support/sqlite/sqlite3_3.38.5.bb
> > > > > index 656e2d8bd8..86d9b4b33b 100644
> > > > > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-
> > autoconf-
> > > ${SQLITE_PV}.tar.gz \
> > > > >              file://CVE-2023-7104.patch \
> > > > >              file://CVE-2025-29088.patch \
> > > > >              file://CVE-2025-6965.patch \
> > > > > +
>  file://0001-This-branch-attempts-to-improve-the-detection-of-
> > > cov.patch \
> > > > > +           file://CVE-2025-7458.patch \
> > > > >              "
> > > > >   SRC_URI[sha256sum] =
> > > "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -=-=-=-=-=-=-=-=-=-=-=-
> > > > > Links: You receive all messages sent to this group.
> > > > > View/Reply Online (#221481):
> > > https://lists.openembedded.org/g/openembedded-core/message/221481
> > > > > Mute This Topic:
> https://lists.openembedded.org/mt/114551672/3618471
> > > > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > > > Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub
> > > [niko.mauno@vaisala.com]
> > > > > -=-=-=-=-=-=-=-=-=-=-=-
> > > > >
> > > >
>
diff mbox series

Patch

diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
new file mode 100644
index 0000000000..8fb037bb0f
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
@@ -0,0 +1,91 @@ 
+From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Sat, 22 Oct 2022 14:16:02 +0000
+Subject: [PATCH] This branch attempts to improve the detection of covering
+ indexes.  This first check-in merely improves a parameter name to
+ sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
+ that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
+ faster.
+
+FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
+
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sqlite3.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 4cbc2d0..b7ed991 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -147371,9 +147371,7 @@ struct WhereInfo {
+   ExprList *pOrderBy;       /* The ORDER BY clause or NULL */
+   ExprList *pResultSet;     /* Result set of the query */
+   Expr *pWhere;             /* The complete WHERE clause */
+-#ifndef SQLITE_OMIT_VIRTUALTABLE
+-  Select *pLimit;           /* Used to access LIMIT expr/registers for vtabs */
+-#endif
++  Select *pSelect;          /* The entire SELECT statement containing WHERE */
+   int aiCurOnePass[2];      /* OP_OpenWrite cursors for the ONEPASS opt */
+   int iContinue;            /* Jump here to continue with next record */
+   int iBreak;               /* Jump here to break out of the loop */
+@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
+          && pLoop->u.vtab.bOmitOffset
+         ){
+           assert( pTerm->eOperator==WO_AUX );
+-          assert( pWInfo->pLimit!=0 );
+-          assert( pWInfo->pLimit->iOffset>0 );
+-          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
++          assert( pWInfo->pSelect!=0 );
++          assert( pWInfo->pSelect->iOffset>0 );
++          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
+           VdbeComment((v,"Zero OFFSET counter"));
+         }
+       }
+@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
+ ** exist only so that they may be passed to the xBestIndex method of the
+ ** single virtual table in the FROM clause of the SELECT.
+ */
+-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
+-  assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) );
+-  if( (p && p->pLimit)                                          /* 1 */
+-   && (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
++  assert( p!=0 && p->pLimit!=0 );                 /* 1 -- checked by caller */
++  assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
++  if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
+    && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))       /* 3 */
+   ){
+     ExprList *pOrderBy = p->pOrderBy;
+@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
+   Expr *pWhere,           /* The WHERE clause */
+   ExprList *pOrderBy,     /* An ORDER BY (or GROUP BY) clause, or NULL */
+   ExprList *pResultSet,   /* Query result set.  Req'd for DISTINCT */
+-  Select *pLimit,         /* Use this LIMIT/OFFSET clause, if any */
++  Select *pSelect,        /* The entire SELECT statement */
+   u16 wctrlFlags,         /* The WHERE_* flags defined in sqliteInt.h */
+   int iAuxArg             /* If WHERE_OR_SUBCLAUSE is set, index cursor number
+                           ** If WHERE_USE_LIMIT, then the limit amount */
+@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
+   pWInfo->wctrlFlags = wctrlFlags;
+   pWInfo->iLimit = iAuxArg;
+   pWInfo->savedNQueryLoop = pParse->nQueryLoop;
+-#ifndef SQLITE_OMIT_VIRTUALTABLE
+-  pWInfo->pLimit = pLimit;
+-#endif
++  pWInfo->pSelect = pSelect;
+   memset(&pWInfo->nOBSat, 0,
+          offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
+   memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
+@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
+ 
+   /* Analyze all of the subexpressions. */
+   sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
+-  sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
++  if( pSelect && pSelect->pLimit ){
++    sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
++  }
+   if( db->mallocFailed ) goto whereBeginError;
+ 
+   /* Special case: WHERE terms that do not refer to any tables in the join
diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
new file mode 100644
index 0000000000..6b041d9332
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
@@ -0,0 +1,32 @@ 
+From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Thu, 16 Mar 2023 20:54:29 +0000
+Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the
+ result set terms are constant and there are more result set terms than ORDER
+ BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
+ [d6fd512f50513ab7].
+
+FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
+
+CVE: CVE-2025-7458
+Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sqlite3.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 19d0438..6d92184 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
+       if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
+         pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
+       }
++      if( pWInfo->pSelect->pOrderBy
++       && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
++        pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
++      }
+     }else{
+       pWInfo->nOBSat = pFrom->isOrdered;
+       pWInfo->revMask = pFrom->revLoop;
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 656e2d8bd8..86d9b4b33b 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -10,6 +10,8 @@  SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
            file://CVE-2023-7104.patch \
            file://CVE-2025-29088.patch \
            file://CVE-2025-6965.patch \
+           file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \
+           file://CVE-2025-7458.patch \
            "
 SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"