CVE-2025-3277 Integer overflow

Fix tests, gating and rpminspect

Resolves: RHEL-87295

ci.fmf

@@ -1,10 +1 @@
-/test:
+resultsdb-testcase: separate
-    summary:
-        Basic set of quick tests for sqlite.
-    discover:
-      - name: fedora
-        how: fmf
-        url: "https://src.fedoraproject.org/tests/sqlite.git"
-        ref: main
-    execute:
-        how: tmt

gating.yaml

@@ -1,7 +1,26 @@
-#gating rhel
+# Branched Fedora (non-Rawhide)
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+ 
+# Rawhide Fedora
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+ 
+# RHEL
 --- !Policy
 product_versions:
   - rhel-*
 decision_context: osci_compose_gate
 rules:
   - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
+

plans/tier1-internal.fmf

@@ -8,3 +8,5 @@ execute:
 adjust:
     enabled: false
     when: distro == centos-stream or distro == fedora
+    because: No access to internal git repositories
+

plans/tier1-public.fmf

@@ -0,0 +1,8 @@
+summary: Public Tier1 tests plan
+discover:
+    how: fmf
+    filter: 'tier: 1'
+    url: https://gitlab.com/redhat/centos-stream/tests/sqlite
+execute:
+    how: tmt
+

rpminspect.yaml

@@ -0,0 +1,14 @@
+annocheck:
+    # Optional list of glob(7) specifications or path prefixes to
+    # match files to ignore for this inspection.  The format of this
+    # list is the same as the global 'ignore' list.  The difference is
+    # the items specified here will only be used during this
+    # inspection.  If globbing characters are used, be sure to wrap
+    # them in single quotes.
+ 
+    # These have to be ignored due to TCL library being partly compiled without lto.
+    # Ref: https://issues.redhat.com/browse/RHEL-45991
+    ignore:
+        - '/usr/lib*/tcl*/sqlite*/libtclsqlite*.so*'
+        - '/usr/lib*/tcl*/sqlite*/libsqlite*.so*'
+

sqlite-cve-2025-3277.patch

@@ -0,0 +1,18 @@
+Index: src/func.c
+==================================================================
+--- /src/func.c
++++ /src/func.c
+@@ -1568,11 +1568,11 @@
+   int i;
+   char *z;
+   for(i=0; i<argc; i++){
+     n += sqlite3_value_bytes(argv[i]);
+   }
+-  n += (argc-1)*nSep;
++  n += (argc-1)*(i64)nSep;
+   z = sqlite3_malloc64(n+1);
+   if( z==0 ){
+     sqlite3_result_error_nomem(context);
+     return;
+   }
+

sqlite.spec

@@ -12,7 +12,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: blessing
 URL: http://www.sqlite.org/
 
@@ -21,6 +21,7 @@ Source1: http://www.sqlite.org/%{year}/sqlite-doc-%{docver}.zip
 Source2: http://www.sqlite.org/%{year}/sqlite-autoconf-%{realver}.tar.gz
 # Support a system-wide lemon template
 Patch1: sqlite-3.6.23-lemon-system-template.patch
+Patch2: sqlite-cve-2025-3277.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -124,6 +125,7 @@ This package contains the analysis program for %{name}.
 %prep
 %setup -q -a1 -n %{name}-src-%{realver}
 %patch -P 1 -p1
+%patch -P 2 -p1
 
 # The atof test is failing on the i686 architecture, when binary configured with
 # --enable-rtree option. Failing part is text->real conversion and
@@ -260,6 +262,10 @@ make test
 %endif
 
 %changelog
+* Tue Apr 15 2025 Ales Nezbeda <anezbeda@redhat.com> - 3.46.1-4
+- Fix for CVE-2025-3277
+- Resolves: RHEL-87295
+
 * Mon Feb 3 2025 Ales Nezbeda <anezbeda@redhat.com> - 3.46.1-3
 - Enabled sqlite-session feature
 - Resolves: RHEL-77326