rpms/sqlite
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI sqlite-3.26.0-20.el8_10

Browse Source
This commit is contained in:
eabdullin 2025-07-29 00:21:11 +00:00
parent e931fa6171
commit 2bb3704c98
2 changed files with 101 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
SOURCES/sqlite-3.34.1-CVE-2025-6965.patch Normal file
View File

@ -0,0 +1,95 @@
From d9ca6e7b0d2e93dc5510baac4b92c9b6d217f9e5 Mon Sep 17 00:00:00 2001
From: Ales Nezbeda <anezbeda@redhat.com>
Date: Wed, 16 Jul 2025 23:59:02 +0200
Subject: [PATCH] Fixes CVE-2025-6965
---
src/expr.c | 19 ++++++++++++++++++-
src/sqliteInt.h | 8 ++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/expr.c b/src/expr.c
index 791e61e..946ed9b 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -5136,6 +5136,11 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
** is not an entry there already.
*/
int k;
+
+ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+
+ assert( mxTerm <= SMXV(i16) );
+
pCol = pAggInfo->aCol;
for(k=0; k<pAggInfo->nColumn; k++, pCol++){
if( pCol->iTable==pExpr->iTable &&
@@ -5146,6 +5151,10 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
if( (k>=pAggInfo->nColumn)
&& (k = addAggInfoColumn(pParse->db, pAggInfo))>=0
){
+ if( k>mxTerm ){
+ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
+ k = mxTerm;
+ }
pCol = &pAggInfo->aCol[k];
pCol->pTab = pExpr->y.pTab;
pCol->iTable = pExpr->iTable;
@@ -5179,6 +5188,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
ExprSetVVAProperty(pExpr, EP_NoReduce);
pExpr->pAggInfo = pAggInfo;
pExpr->op = TK_AGG_COLUMN;
+ assert( k <= SMXV(pExpr->iAgg) );
pExpr->iAgg = (i16)k;
break;
} /* endif pExpr->iTable==pItem->iCursor */
@@ -5194,12 +5204,18 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
** function that is already in the pAggInfo structure
*/
struct AggInfo_func *pItem = pAggInfo->aFunc;
+ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+ assert( mxTerm <= SMXV(i16) );
for(i=0; i<pAggInfo->nFunc; i++, pItem++){
if( sqlite3ExprCompare(0, pItem->pExpr, pExpr, -1)==0 ){
break;
}
}
- if( i>=pAggInfo->nFunc ){
+ if( i>mxTerm ){
+ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
+ i = mxTerm;
+ assert( i<pAggInfo->nFunc );
+ }else if( i>=pAggInfo->nFunc ){
/* pExpr is original. Make a new entry in pAggInfo->aFunc[]
*/
u8 enc = ENC(pParse->db);
@@ -5224,6 +5240,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
*/
assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
ExprSetVVAProperty(pExpr, EP_NoReduce);
+ assert( i <= SMXV(pExpr->iAgg) );
pExpr->iAgg = (i16)i;
pExpr->pAggInfo = pAggInfo;
return WRC_Prune;
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index d13c715..a509330 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -868,6 +868,14 @@ typedef INT16_TYPE LogEst;
#define LARGEST_INT64 (0xffffffff|(((i64)0x7fffffff)<<32))
#define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
+/*
+** Macro SMXV(n) return the maximum value that can be held in variable n,
+** assuming n is a signed integer type. UMXV(n) is similar for unsigned
+** integer types.
+*/
+#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
+#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
+
/*
** Round up a number to the next larger multiple of 8. This is used
** to force 8-byte alignment on 64-bit architectures.
--
2.50.0

7
SPECS/sqlite.spec
View File

@ -10,7 +10,7 @@
Summary: Library that implements an embeddable SQL database engine Summary: Library that implements an embeddable SQL database engine
Name: sqlite Name: sqlite
Version: %{rpmver} Version: %{rpmver}
Release: 19%{?dist} Release: 20%{?dist}
License: Public Domain License: Public Domain
Group: Applications/Databases Group: Applications/Databases
URL: http://www.sqlite.org/ URL: http://www.sqlite.org/
@ -105,6 +105,7 @@ Patch37: sqlite-3.26.0-CVE-2022-35737.patch
# https://www.sqlite.org/src/info/579b66eaa0816561 # https://www.sqlite.org/src/info/579b66eaa0816561
Patch38: sqlite-3.26.0-CVE-2020-24736.patch Patch38: sqlite-3.26.0-CVE-2020-24736.patch
Patch39: sqlite-3.34.1-CVE-2023-7104.patch Patch39: sqlite-3.34.1-CVE-2023-7104.patch
Patch40: sqlite-3.34.1-CVE-2025-6965.patch
BuildRequires: ncurses-devel readline-devel glibc-devel BuildRequires: ncurses-devel readline-devel glibc-devel
BuildRequires: autoconf BuildRequires: autoconf
@ -239,6 +240,7 @@ This package contains the analysis program for %{name}.
%patch -P 37 -p1 %patch -P 37 -p1
%patch -P 38 -p1 %patch -P 38 -p1
%patch -P 39 -p1 %patch -P 39 -p1
%patch -P 40 -p1
# Remove backup-file # Remove backup-file
@ -340,6 +342,9 @@ make test
%endif %endif
%changelog %changelog
* Thu Jul 17 2025 Ales Nezbeda <anezbeda@redhat.com> - 3.26.0-20
- Fixes CVE-2025-6965
* Wed Jan 03 2024 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-19 * Wed Jan 03 2024 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-19
- Fixed CVE-2023-7104 - Fixed CVE-2023-7104