SOURCES/sqlite-3.26.0-CVE-2020-24736.patch

@@ -1,114 +0,0 @@
-From f030b376820102ff6cda49565c8b8173b2d44606 Mon Sep 17 00:00:00 2001
-From: dan <dan@noemail.net>
-Date: Fri, 22 Feb 2019 19:24:16 +0000
-Subject: [PATCH] Internally, remove all references to a Window object that
- belongs to an expression in an ORDER BY clause if that expression is
- converted to an alias of a result-set expression. Fix for [4feb3159c6].
-
-FossilOrigin-Name: 579b66eaa0816561c6e47ea116b46f229188f0fc84c1173bfe0d21df2dff9a9a
----
- src/resolve.c     | 49 ++++++++++++++++++++++++++++++++++-------------
- test/window1.test | 20 +++++++++++++++++++
- 2 files changed, 56 insertions(+), 13 deletions(-)
-
-diff --git a/src/resolve.c b/src/resolve.c
-index 9410bc020..fd2cf539a 100644
---- a/src/resolve.c
-+++ b/src/resolve.c
-@@ -1243,6 +1243,38 @@ int sqlite3ResolveOrderGroupBy(
-   return 0;
- }
- 
-+#ifndef SQLITE_OMIT_WINDOWFUNC
-+/*
-+** Walker callback for resolveRemoveWindows().
-+*/
-+static int resolveRemoveWindowsCb(Walker *pWalker, Expr *pExpr){
-+  if( ExprHasProperty(pExpr, EP_WinFunc) ){
-+    Window **pp;
-+    for(pp=&pWalker->u.pSelect->pWin; *pp; pp=&(*pp)->pNextWin){
-+      if( *pp==pExpr->y.pWin ){
-+        *pp = (*pp)->pNextWin;
-+        break;
-+      }    
-+    }
-+  }
-+  return WRC_Continue;
-+}
-+
-+/*
-+** Remove any Window objects owned by the expression pExpr from the
-+** Select.pWin list of Select object pSelect.
-+*/
-+static void resolveRemoveWindows(Select *pSelect, Expr *pExpr){
-+  Walker sWalker;
-+  memset(&sWalker, 0, sizeof(Walker));
-+  sWalker.xExprCallback = resolveRemoveWindowsCb;
-+  sWalker.u.pSelect = pSelect;
-+  sqlite3WalkExpr(&sWalker, pExpr);
-+}
-+#else
-+# define resolveRemoveWindows(x,y)
-+#endif
-+
- /*
- ** pOrderBy is an ORDER BY or GROUP BY clause in SELECT statement pSelect.
- ** The Name context of the SELECT statement is pNC.  zType is either
-@@ -1309,19 +1341,10 @@ static int resolveOrderGroupBy(
-     }
-     for(j=0; j<pSelect->pEList->nExpr; j++){
-       if( sqlite3ExprCompare(0, pE, pSelect->pEList->a[j].pExpr, -1)==0 ){
--#ifndef SQLITE_OMIT_WINDOWFUNC
--        if( ExprHasProperty(pE, EP_WinFunc) ){
--          /* Since this window function is being changed into a reference
--          ** to the same window function the result set, remove the instance
--          ** of this window function from the Select.pWin list. */
--          Window **pp;
--          for(pp=&pSelect->pWin; *pp; pp=&(*pp)->pNextWin){
--            if( *pp==pE->y.pWin ){
--              *pp = (*pp)->pNextWin;
--            }    
--          }
--        }
--#endif
-+        /* Since this expresion is being changed into a reference
-+        ** to an identical expression in the result set, remove all Window
-+        ** objects belonging to the expression from the Select.pWin list. */
-+        resolveRemoveWindows(pSelect, pE);
-         pItem->u.x.iOrderByCol = j+1;
-       }
-     }
-diff --git a/test/window1.test b/test/window1.test
-index 2c504205e..b3073985b 100644
---- a/test/window1.test
-+++ b/test/window1.test
-@@ -594,6 +594,26 @@
- } {
- }
-
-+#-------------------------------------------------------------------------
-+do_execsql_test 17.0 {
-+  CREATE TABLE t8(a);
-+  INSERT INTO t8 VALUES(1), (2), (3);
-+}
-+
-+do_execsql_test 17.1 {
-+  SELECT +sum(0) OVER () ORDER BY +sum(0) OVER ();
-+} {0}
-+
-+do_execsql_test 17.2 {
-+  select +sum(a) OVER () FROM t8 ORDER BY +sum(a) OVER () DESC;
-+} {6 6 6}
-+
-+do_execsql_test 17.3 {
-+  SELECT 10+sum(a) OVER (ORDER BY a)
-+  FROM t8
-+  ORDER BY 10+sum(a) OVER (ORDER BY a) DESC;
-+} {16 13 11}
-+
- # 2020-05-23
- # ticket 7a5279a25c57adf1
- #
--- 
-2.39.2
-

SOURCES/sqlite-3.34.1-CVE-2023-7104.patch

@@ -1,42 +0,0 @@
-From 09f1652f36c5c4e8a6a640ce887f9ea0f48a7958 Mon Sep 17 00:00:00 2001
-From: dan <Dan Kennedy>
-Date: Thu, 7 Sep 2023 13:53:09 +0000
-Subject: [PATCH] Fix a buffer overread in the sessions extension that could
- occur when processing a corrupt changeset.
-
-FossilOrigin-Name: 0e4e7a05c4204b47a324d67e18e76d2a98e26b2723d19d5c655ec9fd2e41f4b7
-
-diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
-index 9f862f2465..0491549231 100644
---- a/ext/session/sqlite3session.c
-+++ b/ext/session/sqlite3session.c
-@@ -2811,15 +2811,19 @@ static int sessionReadRecord(
-         }
-       }
-       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
--        sqlite3_int64 v = sessionGetI64(aVal);
--        if( eType==SQLITE_INTEGER ){
--          sqlite3VdbeMemSetInt64(apOut[i], v);
-+        if( (pIn->nData-pIn->iNext)<8 ){
-+          rc = SQLITE_CORRUPT_BKPT;
-         }else{
--          double d;
--          memcpy(&d, &v, 8);
--          sqlite3VdbeMemSetDouble(apOut[i], d);
-+          sqlite3_int64 v = sessionGetI64(aVal);
-+          if( eType==SQLITE_INTEGER ){
-+            sqlite3VdbeMemSetInt64(apOut[i], v);
-+          }else{
-+            double d;
-+            memcpy(&d, &v, 8);
-+            sqlite3VdbeMemSetDouble(apOut[i], d);
-+          }
-+          pIn->iNext += 8;
-         }
--        pIn->iNext += 8;
-       }
-     }
-   }
--- 
-2.43.0
-

SOURCES/sqlite-3.34.1-CVE-2025-6965.patch

@@ -1,95 +0,0 @@
-From d9ca6e7b0d2e93dc5510baac4b92c9b6d217f9e5 Mon Sep 17 00:00:00 2001
-From: Ales Nezbeda <anezbeda@redhat.com>
-Date: Wed, 16 Jul 2025 23:59:02 +0200
-Subject: [PATCH] Fixes CVE-2025-6965
-
----
- src/expr.c      | 19 ++++++++++++++++++-
- src/sqliteInt.h |  8 ++++++++
- 2 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/src/expr.c b/src/expr.c
-index 791e61e..946ed9b 100644
---- a/src/expr.c
-+++ b/src/expr.c
-@@ -5136,6 +5136,11 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
-             ** is not an entry there already.
-             */
-             int k;
-+
-+            int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
-+
-+            assert( mxTerm <= SMXV(i16) );
-+
-             pCol = pAggInfo->aCol;
-             for(k=0; k<pAggInfo->nColumn; k++, pCol++){
-               if( pCol->iTable==pExpr->iTable &&
-@@ -5146,6 +5151,10 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
-             if( (k>=pAggInfo->nColumn)
-              && (k = addAggInfoColumn(pParse->db, pAggInfo))>=0 
-             ){
-+              if( k>mxTerm ){
-+                sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
-+                k = mxTerm;
-+              }
-               pCol = &pAggInfo->aCol[k];
-               pCol->pTab = pExpr->y.pTab;
-               pCol->iTable = pExpr->iTable;
-@@ -5179,6 +5188,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
-             ExprSetVVAProperty(pExpr, EP_NoReduce);
-             pExpr->pAggInfo = pAggInfo;
-             pExpr->op = TK_AGG_COLUMN;
-+            assert( k <= SMXV(pExpr->iAgg) );
-             pExpr->iAgg = (i16)k;
-             break;
-           } /* endif pExpr->iTable==pItem->iCursor */
-@@ -5194,12 +5204,18 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
-         ** function that is already in the pAggInfo structure
-         */
-         struct AggInfo_func *pItem = pAggInfo->aFunc;
-+        int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
-+        assert( mxTerm <= SMXV(i16) );
-         for(i=0; i<pAggInfo->nFunc; i++, pItem++){
-           if( sqlite3ExprCompare(0, pItem->pExpr, pExpr, -1)==0 ){
-             break;
-           }
-         }
--        if( i>=pAggInfo->nFunc ){
-+        if( i>mxTerm ){
-+          sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
-+          i = mxTerm;
-+          assert( i<pAggInfo->nFunc );
-+        }else if( i>=pAggInfo->nFunc ){
-           /* pExpr is original.  Make a new entry in pAggInfo->aFunc[]
-           */
-           u8 enc = ENC(pParse->db);
-@@ -5224,6 +5240,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
-         */
-         assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
-         ExprSetVVAProperty(pExpr, EP_NoReduce);
-+        assert( i <= SMXV(pExpr->iAgg) );
-         pExpr->iAgg = (i16)i;
-         pExpr->pAggInfo = pAggInfo;
-         return WRC_Prune;
-diff --git a/src/sqliteInt.h b/src/sqliteInt.h
-index d13c715..a509330 100644
---- a/src/sqliteInt.h
-+++ b/src/sqliteInt.h
-@@ -868,6 +868,14 @@ typedef INT16_TYPE LogEst;
- #define LARGEST_INT64  (0xffffffff|(((i64)0x7fffffff)<<32))
- #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
- 
-+/*
-+** Macro SMXV(n) return the maximum value that can be held in variable n,
-+** assuming n is a signed integer type.  UMXV(n) is similar for unsigned
-+** integer types.
-+*/
-+#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
-+#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
-+
- /*
- ** Round up a number to the next larger multiple of 8.  This is used
- ** to force 8-byte alignment on 64-bit architectures.
--- 
-2.50.0
-

SPECS/sqlite.spec

@@ -10,7 +10,7 @@
 Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 20%{?dist}
+Release: 17%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
@@ -101,11 +101,6 @@ Patch36: sqlite-3.26.0-CVE-2020-35525.patch
 # Fix for CVE-2022-35737
 # https://www.sqlite.org/src/info/26db4fc22fe66658
 Patch37: sqlite-3.26.0-CVE-2022-35737.patch
-# Fix for CVE-2020-24736
-# https://www.sqlite.org/src/info/579b66eaa0816561
-Patch38: sqlite-3.26.0-CVE-2020-24736.patch
-Patch39: sqlite-3.34.1-CVE-2023-7104.patch
-Patch40: sqlite-3.34.1-CVE-2025-6965.patch
 
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -202,45 +197,42 @@ This package contains the analysis program for %{name}.
 
 %prep
 %setup -q -a1 -n %{name}-src-%{realver}
-%patch -P 1 -p1
-%patch -P 2 -p1
-%patch -P 3 -p1
-%patch -P 4 -p1
-%patch -P 6 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch6 -p1
 %ifarch %{ix86}
-%patch -P 7 -p1
+%patch7 -p1
 %endif
-%patch -P 8 -p1
-%patch -P 9 -p1
-%patch -P 10 -p1
-%patch -P 11 -p1
-%patch -P 12 -p1
-%patch -P 13 -p1
-%patch -P 14 -p1
-%patch -P 15 -p1
-%patch -P 16 -p1
-%patch -P 17 -p1
-%patch -P 18 -p1
-%patch -P 19 -p1
-%patch -P 20 -p1
-%patch -P 21 -p1
-%patch -P 22 -p1
-%patch -P 23 -p1
-%patch -P 24 -p1
-%patch -P 25 -p1
-%patch -P 26 -p1
-%patch -P 27 -p1
-%patch -P 28 -p1
-%patch -P 29 -p1
-%patch -P 30 -p1
-%patch -P 31 -p1
-%patch -P 34 -p1
-%patch -P 35 -p1
-%patch -P 36 -p1
-%patch -P 37 -p1
-%patch -P 38 -p1
-%patch -P 39 -p1
-%patch -P 40 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
 
 
 # Remove backup-file
@@ -342,15 +334,6 @@ make test
 %endif
 
 %changelog
-* Thu Jul 17 2025 Ales Nezbeda <anezbeda@redhat.com> - 3.26.0-20
-- Fixes CVE-2025-6965
-
-* Wed Jan 03 2024 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-19
-- Fixed CVE-2023-7104
-
-* Fri Apr 14 2023 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-18
-- Fixed CVE-2022-24736
-
 * Tue Nov 15 2022 Zuzana Miklankova <zmiklank@redhat.com> - 3.26.0-17
 - Fixed CVE-2022-35737