From 41baf176e30d50ce6c2f9a87beef78686cf4fac1 Mon Sep 17 00:00:00 2001
From: Jacob Wang
Date: Tue, 29 Jul 2025 11:55:01 +0800
Subject: [PATCH] [CVE]update to sqlite-3.26.0-20 to #ICPEMC

update to sqlite-3.26.0-20 for CVE-2025-6965
Project: TC2024080204
Signed-off-by: Jacob Wang
---
 dist | 2 +-
 ...atch => sqlite-3.26.0-CVE-2020-24736.patch | 29 +++---
 sqlite-3.34.1-CVE-2025-6965.patch | 95 +++++++++++++++++++
 sqlite.spec | 94 +++++++++---------
 4 files changed, 159 insertions(+), 61 deletions(-)
 rename 1000-Crash-due-to-misuse-of-window-functions.patch => sqlite-3.26.0-CVE-2020-24736.patch (81%)
 create mode 100644 sqlite-3.34.1-CVE-2025-6965.patch

diff --git a/dist b/dist
index 535c690..1fe92cf 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8_7
+an8_10
diff --git a/1000-Crash-due-to-misuse-of-window-functions.patch b/sqlite-3.26.0-CVE-2020-24736.patch
similarity index 81%
rename from 1000-Crash-due-to-misuse-of-window-functions.patch
rename to sqlite-3.26.0-CVE-2020-24736.patch
index 15a3957..38c1930 100644
--- a/1000-Crash-due-to-misuse-of-window-functions.patch
+++ b/sqlite-3.26.0-CVE-2020-24736.patch
@@ -1,22 +1,21 @@
-From 90d196ae5a4ed2e498c40116e5c0b25fa8a3a826 Mon Sep 17 00:00:00 2001
-From: Liwei Ge
-Date: Thu, 29 Jun 2023 11:19:32 +0800
-Subject: [PATCH] Crash due to misuse of window functions
+From f030b376820102ff6cda49565c8b8173b2d44606 Mon Sep 17 00:00:00 2001
+From: dan
+Date: Fri, 22 Feb 2019 19:24:16 +0000
+Subject: [PATCH] Internally, remove all references to a Window object that
+ belongs to an expression in an ORDER BY clause if that expression is
+ converted to an alias of a result-set expression. Fix for [4feb3159c6].
 
-backport patch from
-https://www.sqlite.org/src/info/579b66eaa0816561
-
-Signed-off-by: Liwei Ge
+FossilOrigin-Name: 579b66eaa0816561c6e47ea116b46f229188f0fc84c1173bfe0d21df2dff9a9a
 ---
  src/resolve.c | 49 ++++++++++++++++++++++++++++++++++-------------
  test/window1.test | 20 +++++++++++++++++++
  2 files changed, 56 insertions(+), 13 deletions(-)
 
 diff --git a/src/resolve.c b/src/resolve.c
-index c47f6bb..9a4acae 100644
+index 9410bc020..fd2cf539a 100644
 --- a/src/resolve.c
 +++ b/src/resolve.c
-@@ -1214,6 +1214,38 @@ int sqlite3ResolveOrderGroupBy(
+@@ -1243,6 +1243,38 @@ int sqlite3ResolveOrderGroupBy(
  return 0;
  }
 
@@ -55,7 +54,7 @@ index c47f6bb..9a4acae 100644
  /*
  ** pOrderBy is an ORDER BY or GROUP BY clause in SELECT statement pSelect.
  ** The Name context of the SELECT statement is pNC. zType is either
-@@ -1280,19 +1312,10 @@ static int resolveOrderGroupBy(
+@@ -1309,19 +1341,10 @@ static int resolveOrderGroupBy(
  }
  for(j=0; jpEList->nExpr; j++){
  if( sqlite3ExprCompare(0, pE, pSelect->pEList->a[j].pExpr, -1)==0 ){
@@ -80,13 +79,13 @@ index c47f6bb..9a4acae 100644
  }
  }
  diff --git a/test/window1.test b/test/window1.test
-index 13ecc32..9eef1cf 100644
+index 2c504205e..b3073985b 100644
 --- a/test/window1.test
 +++ b/test/window1.test
-@@ -594,6 +594,26 @@ do_execsql_test 13.5 {
+@@ -594,6 +594,26 @@
  } {
  }
-
+
 +#-------------------------------------------------------------------------
 +do_execsql_test 17.0 {
 + CREATE TABLE t8(a);
@@ -111,5 +110,5 @@ index 13ecc32..9eef1cf 100644
 # ticket 7a5279a25c57adf1
 #
 --
-2.27.0
+2.39.2
 
diff --git a/sqlite-3.34.1-CVE-2025-6965.patch b/sqlite-3.34.1-CVE-2025-6965.patch
new file mode 100644
index 0000000..2be7498
--- /dev/null
+++ b/sqlite-3.34.1-CVE-2025-6965.patch
@@ -0,0 +1,95 @@
+From d9ca6e7b0d2e93dc5510baac4b92c9b6d217f9e5 Mon Sep 17 00:00:00 2001
+From: Ales Nezbeda
+Date: Wed, 16 Jul 2025 23:59:02 +0200
+Subject: [PATCH] Fixes CVE-2025-6965
+
+---
+ src/expr.c | 19 ++++++++++++++++++-
+ src/sqliteInt.h | 8 ++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index 791e61e..946ed9b 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -5136,6 +5136,11 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ** is not an entry there already.
+ */
+ int k;
++
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++
++ assert( mxTerm <= SMXV(i16) );
++
+ pCol = pAggInfo->aCol;
+ for(k=0; knColumn; k++, pCol++){
+ if( pCol->iTable==pExpr->iTable &&
+@@ -5146,6 +5151,10 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ if( (k>=pAggInfo->nColumn)
+ && (k = addAggInfoColumn(pParse->db, pAggInfo))>=0
+ ){
++ if( k>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ k = mxTerm;
++ }
+ pCol = &pAggInfo->aCol[k];
+ pCol->pTab = pExpr->y.pTab;
+ pCol->iTable = pExpr->iTable;
+@@ -5179,6 +5188,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
+ pExpr->pAggInfo = pAggInfo;
+ pExpr->op = TK_AGG_COLUMN;
++ assert( k <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)k;
+ break;
+ } /* endif pExpr->iTable==pItem->iCursor */
+@@ -5194,12 +5204,18 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ** function that is already in the pAggInfo structure
+ */
+ struct AggInfo_func *pItem = pAggInfo->aFunc;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++ assert( mxTerm <= SMXV(i16) );
+ for(i=0; inFunc; i++, pItem++){
+ if( sqlite3ExprCompare(0, pItem->pExpr, pExpr, -1)==0 ){
+ break;
+ }
+ }
+- if( i>=pAggInfo->nFunc ){
++ if( i>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ i = mxTerm;
++ assert( inFunc );
++ }else if( i>=pAggInfo->nFunc ){
+ /* pExpr is original. Make a new entry in pAggInfo->aFunc[]
+ */
+ u8 enc = ENC(pParse->db);
+@@ -5224,6 +5240,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ */
+ assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
++ assert( i <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)i;
+ pExpr->pAggInfo = pAggInfo;
+ return WRC_Prune;
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index d13c715..a509330 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -868,6 +868,14 @@ typedef INT16_TYPE LogEst;
+ #define LARGEST_INT64 (0xffffffff|(((i64)0x7fffffff)<<32))
+ #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
+
++/*
++** Macro SMXV(n) return the maximum value that can be held in variable n,
++** assuming n is a signed integer type. UMXV(n) is similar for unsigned
++** integer types.
++*/
++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
++
+ /*
+ ** Round up a number to the next larger multiple of 8. This is used
+ ** to force 8-byte alignment on 64-bit architectures.
+--
+2.50.0
+
diff --git a/sqlite.spec b/sqlite.spec
index 52bab88..7e64e24 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -10,7 +10,7 @@ Summary: Library that implements an embeddable SQL database engine
 Name: sqlite
 Version: %{rpmver}
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: Public Domain
 Group: Applications/Databases
 URL: http://www.sqlite.org/
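Review bot: The clamps added at `if( k>mxTerm )` and `if( i>mxTerm )` keep the later `(i16)k` and `(i16)i` casts in range only while `aLimit[SQLITE_LIMIT_COLUMN]` is at most 32767, and inside this patch that bound is enforced solely by `assert( mxTerm <= SMXV(i16) )`, which compiles out of a release build. As far as I recall upstream relies on a compile-time check in main.c that refuses SQLITE_MAX_COLUMN above 32767, so please confirm the 3.26.0 tree carried here still has it, or make the bound unconditional with `if( mxTerm>SMXV(i16) ) mxTerm = SMXV(i16);` after each `mxTerm` initialisation so the truncation this CVE is about cannot reappear through a larger limit. The patch's own diffstat lists only src/expr.c and src/sqliteInt.h, so no regression test comes with the fix; the suite the spec runs under `make test` should gain a query with more aggregate terms than the column limit that is expected to fail with the "more than N aggregate terms" error. The inner hunks all sit inside analyzeAggregate, whose body starts and ends outside what is shown.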
@@ -101,10 +101,11 @@ Patch36: sqlite-3.26.0-CVE-2020-35525.patch
 # Fix for CVE-2022-35737
 # https://www.sqlite.org/src/info/26db4fc22fe66658
 Patch37: sqlite-3.26.0-CVE-2022-35737.patch
-# https://sqlite.org/src/info/0e4e7a05c4204b47
-Patch38: sqlite-3.34.1-CVE-2023-7104.patch
-
-Patch1000: 1000-Crash-due-to-misuse-of-window-functions.patch
+# Fix for CVE-2020-24736
+# https://www.sqlite.org/src/info/579b66eaa0816561
+Patch38: sqlite-3.26.0-CVE-2020-24736.patch
+Patch39: sqlite-3.34.1-CVE-2023-7104.patch
+Patch40: sqlite-3.34.1-CVE-2025-6965.patch
 
 BuildRequires: ncurses-devel readline-devel glibc-devel
 BuildRequires: autoconf
@@ -201,45 +202,45 @@ This package contains the analysis program for %{name}.
 %prep
 %setup -q -a1 -n %{name}-src-%{realver}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch6 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 6 -p1
 %ifarch %{ix86}
-%patch7 -p1
+%patch -P 7 -p1
 %endif
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-
-%patch1000 -p1
+%patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
+%patch -P 11 -p1
+%patch -P 12 -p1
+%patch -P 13 -p1
+%patch -P 14 -p1
+%patch -P 15 -p1
+%patch -P 16 -p1
+%patch -P 17 -p1
+%patch -P 18 -p1
+%patch -P 19 -p1
+%patch -P 20 -p1
+%patch -P 21 -p1
+%patch -P 22 -p1
+%patch -P 23 -p1
+%patch -P 24 -p1
+%patch -P 25 -p1
+%patch -P 26 -p1
+%patch -P 27 -p1
+%patch -P 28 -p1
+%patch -P 29 -p1
+%patch -P 30 -p1
+%patch -P 31 -p1
+%patch -P 34 -p1
+%patch -P 35 -p1
+%patch -P 36 -p1
+%patch -P 37 -p1
+%patch -P 38 -p1
+%patch -P 39 -p1
+%patch -P 40 -p1
 # Remove backup-file
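Review bot: The new `Patch39:` and `Patch40:` lines carry no provenance comment, and the renumbering drops the `# https://sqlite.org/src/info/0e4e7a05c4204b47` line that documented the CVE-2023-7104 patch, while the neighbouring Patch36/37/38 entries all follow the `# Fix for CVE-…` plus upstream check-in URL pattern. Suggest restoring that URL above Patch39 together with `# Fix for CVE-2023-7104`, and adding `# Fix for CVE-2025-6965` above Patch40 (with the upstream check-in once identified) so the spec remains auditable patch by patch. Note also that the number Patch38 now names a different fix than before (CVE-2020-24736 instead of CVE-2023-7104); %prep is updated accordingly here, but any other reference to patch numbers outside this file, if one exists, would need the same shift.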
@@ -341,11 +342,14 @@ make test
 %endif
 
 %changelog
-* Wed Jan 24 2024 Bo Liu - 3.26.0-19
+* Thu Jul 17 2025 Ales Nezbeda - 3.26.0-20
+- Fixes CVE-2025-6965
+
+* Wed Jan 03 2024 Zuzana Miklankova - 3.26.0-19
 - Fixed CVE-2023-7104
 
-* Thu Jun 29 2023 Liwei Ge - 3.26.0-18
-- Fixed CVE-2020-24736
+* Fri Apr 14 2023 Zuzana Miklankova - 3.26.0-18
+- Fixed CVE-2022-24736
 
 * Tue Nov 15 2022 Zuzana Miklankova - 3.26.0-17
 - Fixed CVE-2022-35737
-- Gitee
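Review bot: The rewritten 3.26.0-18 entry reads `- Fixed CVE-2022-24736`, but the patch it describes is named sqlite-3.26.0-CVE-2020-24736.patch and the Patch38 comment added in this same commit says `# Fix for CVE-2020-24736`, so the changelog now advertises a CVE id that matches no fix in the package; it should read `- Fixed CVE-2020-24736`. Distribution vulnerability scanners commonly key off CVE ids in `rpm -q --changelog` output, so the wrong id can leave the real CVE reported as unfixed on patched systems. Separately, this hunk replaces the already-shipped 3.26.0-19 and 3.26.0-18 entries (different author and date) rather than only appending 3.26.0-20; if that is deliberate resynchronisation with another spec it deserves a sentence in the commit message, otherwise the existing entries should be left as they were.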