From 2bb3704c98e70dbc4e35055f228c772b4fe8c88e Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 29 Jul 2025 00:21:11 +0000
Subject: [PATCH] import UBI sqlite-3.26.0-20.el8_10
---
SOURCES/sqlite-3.34.1-CVE-2025-6965.patch | 95 +++++++++++++++++++++++
SPECS/sqlite.spec | 7 +-
2 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
diff --git a/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch b/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
new file mode 100644
index 0000000..2be7498
--- /dev/null
+++ b/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
@@ -0,0 +1,95 @@
+From d9ca6e7b0d2e93dc5510baac4b92c9b6d217f9e5 Mon Sep 17 00:00:00 2001
+From: Ales Nezbeda
+Date: Wed, 16 Jul 2025 23:59:02 +0200
+Subject: [PATCH] Fixes CVE-2025-6965
+
+---
+ src/expr.c | 19 ++++++++++++++++++-
+ src/sqliteInt.h | 8 ++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index 791e61e..946ed9b 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -5136,6 +5136,11 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ** is not an entry there already.
+ */
+ int k;
++
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++
++ assert( mxTerm <= SMXV(i16) );
++
+ pCol = pAggInfo->aCol;
+ for(k=0; knColumn; k++, pCol++){
+ if( pCol->iTable==pExpr->iTable &&
+@@ -5146,6 +5151,10 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ if( (k>=pAggInfo->nColumn)
+ && (k = addAggInfoColumn(pParse->db, pAggInfo))>=0
+ ){
++ if( k>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ k = mxTerm;
++ }
+ pCol = &pAggInfo->aCol[k];
+ pCol->pTab = pExpr->y.pTab;
+ pCol->iTable = pExpr->iTable;
+@@ -5179,6 +5188,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
+ pExpr->pAggInfo = pAggInfo;
+ pExpr->op = TK_AGG_COLUMN;
++ assert( k <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)k;
+ break;
+ } /* endif pExpr->iTable==pItem->iCursor */
+@@ -5194,12 +5204,18 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ** function that is already in the pAggInfo structure
+ */
+ struct AggInfo_func *pItem = pAggInfo->aFunc;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++ assert( mxTerm <= SMXV(i16) );
+ for(i=0; inFunc; i++, pItem++){
+ if( sqlite3ExprCompare(0, pItem->pExpr, pExpr, -1)==0 ){
+ break;
+ }
+ }
+- if( i>=pAggInfo->nFunc ){
++ if( i>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ i = mxTerm;
++ assert( inFunc );
++ }else if( i>=pAggInfo->nFunc ){
+
/* pExpr is original. Make a new entry in pAggInfo->aFunc[] + */ + u8 enc = ENC(pParse->db); +@@ -5224,6 +5240,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + */ + assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) ); + ExprSetVVAProperty(pExpr, EP_NoReduce); ++ assert( i <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)i; + pExpr->pAggInfo = pAggInfo; + return WRC_Prune; +diff --git a/src/sqliteInt.h b/src/sqliteInt.h +index d13c715..a509330 100644 +--- a/src/sqliteInt.h ++++ b/src/sqliteInt.h +@@ -868,6 +868,14 @@ typedef INT16_TYPE LogEst; + #define LARGEST_INT64 (0xffffffff|(((i64)0x7fffffff)<<32)) + #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64) + ++/* ++** Macro SMXV(n) return the maximum value that can be held in variable n, ++** assuming n is a signed integer type. UMXV(n) is similar for unsigned ++** integer types. ++*/ ++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1) ++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1) ++ + /* + ** Round up a number to the next larger multiple of 8. This is used + ** to force 8-byte alignment on 64-bit architectures. +-- +2.50.0 + diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec index f6b961a..7e64e24 100644 --- a/SPECS/sqlite.spec +++ b/SPECS/sqlite.spec @@ -10,7 +10,7 @@ Summary: Library that implements an embeddable SQL database engine Name: sqlite Version: %{rpmver} -Release: 19%{?dist} +Release: 20%{?dist} License: Public Domain Group: Applications/Databases URL: http://www.sqlite.org/ @@ -105,6 +105,7 @@ Patch37: sqlite-3.26.0-CVE-2022-35737.patch # https://www.sqlite.org/src/info/579b66eaa0816561 Patch38: sqlite-3.26.0-CVE-2020-24736.patch Patch39: sqlite-3.34.1-CVE-2023-7104.patch +Patch40: sqlite-3.34.1-CVE-2025-6965.patch BuildRequires: ncurses-devel readline-devel glibc-devel BuildRequires: autoconf @@ -239,6 +240,7 @@ This package contains the analysis program for %{name}. %patch -P 37 -p1 %patch -P 38 -p1 %patch -P 39 -p1 +%patch -P 40 -p1 # Remove backup-file 
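Review bot: The only runtime protection in the embedded src/expr.c change is the pair of clamps `if( k>mxTerm )` and `if( i>mxTerm )`; the new `assert()` lines, including `assert( mxTerm <= SMXV(i16) )`, are presumably compiled out of the shipped library, since SQLite normally enables assert() only in SQLITE_DEBUG builds. The clamps keep the `(i16)k` and `(i16)i` stores into `pExpr->iAgg` in range only while `aLimit[SQLITE_LIMIT_COLUMN]` cannot exceed 32767, and that bound is enforced outside this patch, so I would record it beside both `mxTerm` declarations, e.g. `/* SQLITE_LIMIT_COLUMN is capped by SQLITE_MAX_COLUMN, so mxTerm always fits the i16 iAgg field */`. The embedded diffstat lists only src/expr.c and src/sqliteInt.h, so nothing run by `make test` exercises the new "more than %d aggregate terms" error path; a regression case would confirm that a patch named for 3.34.1 behaves as intended on the 3.26.0 tree. The header comment for `SMXV`/`UMXV` should also say the macros are only valid for types narrower than 64 bits, because both shifts go out of range for an 8-byte argument, and `UMXV` is unused here. analyzeAggregate() starts and ends outside the embedded hunks, so the error handling after the clamp could not be checked from this page.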
@@ -340,6 +342,9 @@ make test %endif %changelog +* Thu Jul 17 2025 Ales Nezbeda - 3.26.0-20 +- Fixes CVE-2025-6965 + * Wed Jan 03 2024 Zuzana Miklankova - 3.26.0-19 - Fixed CVE-2023-7104