import UBI sqlite-3.26.0-20.el8_10

2025-07-29 00:21:11 +00:00 · 2025-07-29 00:21:11 +00:00 · 2bb3704c98
commit 2bb3704c98
parent e931fa6171
2 changed files with 101 additions and 1 deletions
--- a/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
+++ b/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
@ -0,0 +1,95 @@
+From d9ca6e7b0d2e93dc5510baac4b92c9b6d217f9e5 Mon Sep 17 00:00:00 2001
+From: Ales Nezbeda <anezbeda@redhat.com>
+Date: Wed, 16 Jul 2025 23:59:02 +0200
+Subject: [PATCH] Fixes CVE-2025-6965
+
+---
+ src/expr.c      | 19 ++++++++++++++++++-
+ src/sqliteInt.h |  8 ++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index 791e61e..946ed9b 100644
+--- a/src/expr.c
+++ b/src/expr.c
+@@ -5136,6 +5136,11 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+             ** is not an entry there already.
+             */
+             int k;
+
+            int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+
+            assert( mxTerm <= SMXV(i16) );
+
+             pCol = pAggInfo->aCol;
+             for(k=0; k<pAggInfo->nColumn; k++, pCol++){
+               if( pCol->iTable==pExpr->iTable &&
+@@ -5146,6 +5151,10 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+             if( (k>=pAggInfo->nColumn)
+              && (k = addAggInfoColumn(pParse->db, pAggInfo))>=0 
+             ){
+              if( k>mxTerm ){
+                sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
+                k = mxTerm;
+              }
+               pCol = &pAggInfo->aCol[k];
+               pCol->pTab = pExpr->y.pTab;
+               pCol->iTable = pExpr->iTable;
+@@ -5179,6 +5188,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+             ExprSetVVAProperty(pExpr, EP_NoReduce);
+             pExpr->pAggInfo = pAggInfo;
+             pExpr->op = TK_AGG_COLUMN;
+            assert( k <= SMXV(pExpr->iAgg) );
+             pExpr->iAgg = (i16)k;
+             break;
+           } /* endif pExpr->iTable==pItem->iCursor */
+@@ -5194,12 +5204,18 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+         ** function that is already in the pAggInfo structure
+         */
+         struct AggInfo_func *pItem = pAggInfo->aFunc;
+        int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+        assert( mxTerm <= SMXV(i16) );
+         for(i=0; i<pAggInfo->nFunc; i++, pItem++){
+           if( sqlite3ExprCompare(0, pItem->pExpr, pExpr, -1)==0 ){
+             break;
+           }
+         }
+-        if( i>=pAggInfo->nFunc ){
+        if( i>mxTerm ){
+          sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
+          i = mxTerm;
+          assert( i<pAggInfo->nFunc );
+        }else if( i>=pAggInfo->nFunc ){
+           /* pExpr is original.  Make a new entry in pAggInfo->aFunc[]
+           */
+           u8 enc = ENC(pParse->db);
+@@ -5224,6 +5240,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+         */
+         assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+         ExprSetVVAProperty(pExpr, EP_NoReduce);
+        assert( i <= SMXV(pExpr->iAgg) );
+         pExpr->iAgg = (i16)i;
+         pExpr->pAggInfo = pAggInfo;
+         return WRC_Prune;
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index d13c715..a509330 100644
+--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
+@@ -868,6 +868,14 @@ typedef INT16_TYPE LogEst;
+ #define LARGEST_INT64  (0xffffffff|(((i64)0x7fffffff)<<32))
+ #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
+ 
+/*
+** Macro SMXV(n) return the maximum value that can be held in variable n,
+** assuming n is a signed integer type.  UMXV(n) is similar for unsigned
+** integer types.
+*/
+#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
+#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
+
+ /*
+ ** Round up a number to the next larger multiple of 8.  This is used
+ ** to force 8-byte alignment on 64-bit architectures.
+-- 
+2.50.0
+
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@ -105,6 +105,7 @@ Patch37: sqlite-3.26.0-CVE-2022-35737.patch
 # https://www.sqlite.org/src/info/579b66eaa0816561
 Patch38: sqlite-3.26.0-CVE-2020-24736.patch
 Patch39: sqlite-3.34.1-CVE-2023-7104.patch
+Patch40: sqlite-3.34.1-CVE-2025-6965.patch

 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@ -239,6 +240,7 @@ This package contains the analysis program for %{name}.
 %patch -P 37 -p1
 %patch -P 38 -p1
 %patch -P 39 -p1
+%patch -P 40 -p1


 # Remove backup-file
@ -340,6 +342,9 @@ make test
 %endif

 %changelog
+* Thu Jul 17 2025 Ales Nezbeda <anezbeda@redhat.com> - 3.26.0-20
+- Fixes CVE-2025-6965
+
 * Wed Jan 03 2024 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-19
 - Fixed CVE-2023-7104