From 4bdbfe75837cf8b0d58e4eda1de7cc5a4b2bd34a Mon Sep 17 00:00:00 2001 From: Ales Nezbeda Date: Tue, 15 Apr 2025 12:00:46 +0200 Subject: [PATCH] CVE-2025-3277 Integer overflow Fix tests, gating and rpminspect Resolves: RHEL-87295 --- ci.fmf | 11 +---------- gating.yaml | 21 ++++++++++++++++++++- plans/tier1-internal.fmf | 2 ++ plans/tier1-public.fmf | 8 ++++++++ rpminspect.yaml | 14 ++++++++++++++ sqlite-cve-2025-3277.patch | 18 ++++++++++++++++++ sqlite.spec | 8 +++++++- 7 files changed, 70 insertions(+), 12 deletions(-) create mode 100644 plans/tier1-public.fmf create mode 100644 rpminspect.yaml create mode 100644 sqlite-cve-2025-3277.patch diff --git a/ci.fmf b/ci.fmf index fac4c0a..c5aa0e0 100644 --- a/ci.fmf +++ b/ci.fmf @@ -1,10 +1 @@ -/test: - summary: - Basic set of quick tests for sqlite. - discover: - - name: fedora - how: fmf - url: "https://src.fedoraproject.org/tests/sqlite.git" - ref: main - execute: - how: tmt +resultsdb-testcase: separate diff --git a/gating.yaml b/gating.yaml index 7da9094..0158a0f 100644 --- a/gating.yaml +++ b/gating.yaml @@ -1,7 +1,26 @@ -#gating rhel +# Branched Fedora (non-Rawhide) +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_testing +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + +# Rawhide Fedora +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_stable +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + +# RHEL --- !Policy product_versions: - rhel-* decision_context: osci_compose_gate rules: - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} + diff --git a/plans/tier1-internal.fmf b/plans/tier1-internal.fmf index 71ca79d..a7869c8 100644 --- a/plans/tier1-internal.fmf +++ b/plans/tier1-internal.fmf 
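Review bot: The two new Fedora policies in gating.yaml are labelled `# Branched Fedora (non-Rawhide)` and `# Rawhide Fedora`, yet both match `product_versions: - fedora-*`; the only field that separates them is `decision_context` (`bodhi_update_push_testing` vs `bodhi_update_push_stable`). Presumably that is intentional and follows the usual Fedora template, where Rawhide updates never pass through the testing context, but a reader scanning `product_versions` will not see that distinction. Suggest saying so in the comments, e.g. `# Branched Fedora (non-Rawhide): gated when the update is pushed to testing` and `# Rawhide Fedora: gated on push to stable, the only context Rawhide updates hit`. The final added `+` line after the unchanged RHEL `!PassingTestCaseRule` adds only a blank line at end of file and looks accidental.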
@@ -8,3 +8,5 @@ execute: adjust: enabled: false when: distro == centos-stream or distro == fedora + because: No access to internal git repositories + diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf new file mode 100644 index 0000000..1c93de9 --- /dev/null +++ b/plans/tier1-public.fmf @@ -0,0 +1,8 @@ +summary: Public Tier1 tests plan +discover: + how: fmf + filter: 'tier: 1' + url: https://gitlab.com/redhat/centos-stream/tests/sqlite +execute: + how: tmt + diff --git a/rpminspect.yaml b/rpminspect.yaml new file mode 100644 index 0000000..6eb2205 --- /dev/null +++ b/rpminspect.yaml @@ -0,0 +1,14 @@ +annocheck: + # Optional list of glob(7) specifications or path prefixes to + # match files to ignore for this inspection. The format of this + # list is the same as the global 'ignore' list. The difference is + # the items specified here will only be used during this + # inspection. If globbing characters are used, be sure to wrap + # them in single quotes. + + # These have to be ignored due to TCL library being partly compiled without lto. + # Ref: https://issues.redhat.com/browse/RHEL-45991 + ignore: + - '/usr/lib*/tcl*/sqlite*/libtclsqlite*.so*' + - '/usr/lib*/tcl*/sqlite*/libsqlite*.so*' + diff --git a/sqlite-cve-2025-3277.patch b/sqlite-cve-2025-3277.patch new file mode 100644 index 0000000..035e19f --- /dev/null +++ b/sqlite-cve-2025-3277.patch @@ -0,0 +1,18 @@ +Index: src/func.c +================================================================== +--- /src/func.c ++++ /src/func.c +@@ -1568,11 +1568,11 @@ + int i; + char *z; + for(i=0; ireal conversion and @@ -260,6 +262,10 @@ make test %endif %changelog +* Tue Apr 15 2025 Ales Nezbeda - 3.46.1-4 +- Fix for CVE-2025-3277 +- Resolves: RHEL-87295 + * Mon Feb 3 2025 Ales Nezbeda - 3.46.1-3 - Enabled sqlite-session feature - Resolves: RHEL-77326
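Review bot: The new plans/tier1-public.fmf `discover:` block points at `url: https://gitlab.com/redhat/centos-stream/tests/sqlite` with no `ref:`, so `tier1-public.functional`, which gating.yaml in this same commit turns into a Bodhi gating rule, runs whatever the remote default branch holds at execution time. Any push to that test repository therefore silently changes what gates this package, and a past gating result cannot be reproduced; the ci.fmf plan this commit deletes at least pinned `ref: main` for the Fedora test repo. Suggest pinning the revision under `discover:`, `ref: <branch-or-commit>`, and bumping it deliberately when the tests move. If following the default branch is intended here (the hunk does not say), a one-line comment stating that would save the next reviewer the same question.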
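Review bot: The `annocheck.ignore` globs in the new rpminspect.yaml suppress every annocheck finding for the matched TCL shared objects, not only the LTO finding that the comment and RHEL-45991 justify, so a missing hardening property in `libtclsqlite*.so*` (stack protector, PIE/RELRO, fortify-style checks annocheck would otherwise report) is now silenced as well. The comment should state that scope and the exit condition, e.g. `# NOTE: this disables ALL annocheck hardening checks for these objects, not just the LTO check; remove once RHEL-45991 is resolved.` The second glob, `'/usr/lib*/tcl*/sqlite*/libsqlite*.so*'`, only matters if the package really installs a libsqlite*.so under the TCL directory; if it does not (I cannot tell from this diff), the entry is dead and could be dropped to keep the exemption as narrow as possible.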