From e8db41bbb9ec31dd038213a6275a827d61fabe3e Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 28 Jul 2025 20:46:38 +0000
Subject: [PATCH] import UBI sqlite-3.34.1-8.el9_6
---
SOURCES/sqlite-3.34.1-CVE-2025-6965.patch | 105 ++++++++++++++++++++++
SPECS/sqlite.spec | 7 +-
2 files changed, 111 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
diff --git a/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch b/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
new file mode 100644
index 0000000..f8488b2
--- /dev/null
+++ b/SOURCES/sqlite-3.34.1-CVE-2025-6965.patch
@@ -0,0 +1,105 @@
+From ed59b03efb99197d29adeded924b0ede39a72124 Mon Sep 17 00:00:00 2001
+From: Ales Nezbeda
+Date: Wed, 16 Jul 2025 20:05:08 +0200
+Subject: [PATCH] Backport fix for CVE-2025-6965
+---
+ src/expr.c | 19 ++++++++++++++++++-
+ src/sqliteInt.h | 12 ++++++++++--
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index 685f041..f983c8d 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -5862,6 +5862,11 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ** is not an entry there already.
+ */
+ int k;
++
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++
++ assert( mxTerm <= SMXV(i16) );
++
+ pCol = pAggInfo->aCol;
+ for(k=0; knColumn; k++, pCol++){
+ if( pCol->iTable==pExpr->iTable &&
+@@ -5872,6 +5877,10 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ if( (k>=pAggInfo->nColumn)
+ && (k = addAggInfoColumn(pParse->db, pAggInfo))>=0
+ ){
++ if( k>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ k = mxTerm;
++ }
+ pCol = &pAggInfo->aCol[k];
+ pCol->pTab = pExpr->y.pTab;
+ pCol->iTable = pExpr->iTable;
+@@ -5905,6 +5914,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
+ pExpr->pAggInfo = pAggInfo;
+ pExpr->op = TK_AGG_COLUMN;
++ assert( k <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)k;
+ break;
+ } /* endif pExpr->iTable==pItem->iCursor */
+@@ -5920,12 +5930,18 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ** function that is already in the pAggInfo structure
+ */
+ struct AggInfo_func *pItem = pAggInfo->aFunc;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++ assert( mxTerm <= SMXV(i16) );
+ for(i=0; inFunc; i++, pItem++){
+ if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){
+ break;
+ }
+ }
+- if( i>=pAggInfo->nFunc ){
++ if( i>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ i = mxTerm;
++ assert( inFunc );
++ }else if( i>=pAggInfo->nFunc ){
+ /* pExpr is original. Make a new entry in pAggInfo->aFunc[]
+ */
+ u8 enc = ENC(pParse->db);
+@@ -5950,6 +5966,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ */
+ assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
++ assert( i <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)i;
+ pExpr->pAggInfo = pAggInfo;
+ return WRC_Prune;
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 4670622..8e3c45d 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -914,6 +914,14 @@ typedef INT16_TYPE LogEst;
+ #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32))
+ #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
+
++/*
++** Macro SMXV(n) return the maximum value that can be held in variable n,
++** assuming n is a signed integer type. UMXV(n) is similar for unsigned
++** integer types.
++*/
++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
++
+ /*
+ ** Round up a number to the next larger multiple of 8. This is used
+ ** to force 8-byte alignment on 64-bit architectures.
+@@ -2535,8 +2543,8 @@ struct AggInfo {
+ Expr *pCExpr; /* The original expression */
+ int iTable; /* Cursor number of the source table */
+ int iMem; /* Memory location that acts as accumulator */
+- i16 iColumn; /* Column number within the source table */
+- i16 iSorterColumn; /* Column number in the sorting index */
++ int iColumn; /* Column number within the source table */
++ int iSorterColumn; /* Column number in the sorting index */
+ } *aCol;
+ int nColumn; /* Number of used entries in aCol[] */
+ int nAccumulator; /* Number of columns that show through to the output.
+--
+2.50.0
+
diff --git a/SPECS/sqlite.spec b/SPECS/sqlite.spec
index 6779cad..d62cac9 100644
--- a/SPECS/sqlite.spec
+++ b/SPECS/sqlite.spec
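Review bot: In the src/expr.c part of the added CVE-2025-6965 patch, the narrowing stores `pExpr->iAgg = (i16)k;` and `pExpr->iAgg = (i16)i;` are safe only because `k` and `i` are clamped to `mxTerm`, while the bound on `mxTerm` itself is stated only as `assert( mxTerm <= SMXV(i16) )`, which is presumably compiled out of non-debug builds. Nothing visible in these hunks shows where `aLimit[SQLITE_LIMIT_COLUMN]` is capped, so it is worth confirming that the 3.34.1 tree enforces a hard ceiling that fits in `i16` and recording that next to the assert, e.g. `/* mxTerm fits in i16: the column limit has a hard ceiling enforced elsewhere (confirm for 3.34.1) */`. The new comment on `SMXV`/`UMXV` in src/sqliteInt.h could also say that the macros are only meaningful for operands narrower than `i64`, since for an 8-byte operand the `(i64)1<<…` shift is undefined. analyzeAggregate starts and ends outside these hunks, and the backport's diffstat lists only the two source files, so the new "more than %d aggregate terms" error path appears to ship without a regression test.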
@@ -12,7 +12,7 @@ Summary: Library that implements an embeddable SQL database engine Name: sqlite Version: %{rpmver} -Release: 7%{?dist} +Release: 8%{?dist} License: Public Domain URL: http://www.sqlite.org/ @@ -36,6 +36,7 @@ Patch6: sqlite-3.34.1-covscan-rhel-9.patch # Fixed CVE-2022-35737 Patch7: sqlite-3.26.0-CVE-2022-35737.patch Patch8: sqlite-3.34.1-CVE-2023-7104.patch +Patch9: sqlite-3.34.1-CVE-2025-6965.patch BuildRequires: make BuildRequires: gcc @@ -147,6 +148,7 @@ This package contains the analysis program for %{name}. %patch -P 6 -p1 %patch -P 7 -p1 %patch -P 8 -p1 +%patch -P 9 -p1 # Remove backup-file rm -f %{name}-doc-%{docver}/sqlite.css~ || : @@ -264,6 +266,9 @@ make test %endif %changelog +* Thu Jul 17 2025 Ales Nezbeda - 3.34.1-8 +- Fixes CVE-2025-6965 + * Wed Jan 03 2024 Zuzana Miklankova - 3.34.1-7 - Fixes CVE-2023-7104