Patch sqlite for CVE-2025-6965 [High] (#14381)

Signed-off-by: Madhur Aggarwal <[email protected]>

Author: MadhurAggarwal

SPECS/sqlite/CVE-2022-46908.patch

@@ -0,0 +1,105 @@
+From 1cc975ab5c8a066268501f98c71a54d20939f5e7 Mon Sep 17 00:00:00 2001
+From: Madhur Aggarwal <[email protected]>
+Date: Thu, 24 Jul 2025 10:43:07 +0000
+Subject: [PATCH] Patch CVE-2025-6965
+
+Upstream Patch Reference: https://www.sqlite.org/src/vpatch?from=c9ddd15b0197e6e5&to=5508b56fd24016c1
+---
+ sqlite3.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 8f9309a..dd0c5f4 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -14867,6 +14867,9 @@ typedef INT16_TYPE LogEst;
+ #define LARGEST_INT64  (0xffffffff|(((i64)0x7fffffff)<<32))
+ #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32))
+ #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
++
+ 
+ /*
+ ** Round up a number to the next larger multiple of 8.  This is used
+@@ -18637,7 +18640,7 @@ struct AggInfo {
+                           ** from source tables rather than from accumulators */
+   u8 useSortingIdx;       /* In direct mode, reference the sorting index rather
+                           ** than the source table */
+-  u16 nSortingColumn;     /* Number of columns in the sorting index */
++  u32 nSortingColumn;     /* Number of columns in the sorting index */
+   int sortingIdx;         /* Cursor number of the sorting index */
+   int sortingIdxPTab;     /* Cursor number of pseudo-table */
+   int iFirstReg;          /* First register in range for aCol[] and aFunc[] */
+@@ -18646,8 +18649,8 @@ struct AggInfo {
+     Table *pTab;             /* Source table */
+     Expr *pCExpr;            /* The original expression */
+     int iTable;              /* Cursor number of the source table */
+-    i16 iColumn;             /* Column number within the source table */
+-    i16 iSorterColumn;       /* Column number in the sorting index */
++    int iColumn;             /* Column number within the source table */
++    int iSorterColumn;       /* Column number in the sorting index */
+   } *aCol;
+   int nColumn;            /* Number of used entries in aCol[] */
+   int nAccumulator;       /* Number of columns that show through to the output.
+@@ -114514,7 +114517,9 @@ static void findOrCreateAggInfoColumn(
+ ){
+   struct AggInfo_col *pCol;
+   int k;
++  int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+ 
++  assert( mxTerm <= SMXV(i16) );
+   assert( pAggInfo->iFirstReg==0 );
+   pCol = pAggInfo->aCol;
+   for(k=0; k<pAggInfo->nColumn; k++, pCol++){
+@@ -114532,6 +114537,10 @@ static void findOrCreateAggInfoColumn(
+     assert( pParse->db->mallocFailed );
+     return;
+   }
++  if( k>mxTerm ){
++    sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++    k = mxTerm;
++  }
+   pCol = &pAggInfo->aCol[k];
+   assert( ExprUseYTab(pExpr) );
+   pCol->pTab = pExpr->y.pTab;
+@@ -114565,6 +114574,7 @@ fix_up_expr:
+   if( pExpr->op==TK_COLUMN ){
+     pExpr->op = TK_AGG_COLUMN;
+   }
++  assert( k <= SMXV(pExpr->iAgg) );
+   pExpr->iAgg = (i16)k;
+ }
+ 
+@@ -114648,13 +114658,19 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+         ** function that is already in the pAggInfo structure
+         */
+         struct AggInfo_func *pItem = pAggInfo->aFunc;
++        int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++        assert( mxTerm <= SMXV(i16) );
+         for(i=0; i<pAggInfo->nFunc; i++, pItem++){
+           if( pItem->pFExpr==pExpr ) break;
+           if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){
+             break;
+           }
+         }
+-        if( i>=pAggInfo->nFunc ){
++        if( i>mxTerm ){
++          sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++          i = mxTerm;
++          assert( i<pAggInfo->nFunc );
++        }else if( i>=pAggInfo->nFunc ){
+           /* pExpr is original.  Make a new entry in pAggInfo->aFunc[]
+           */
+           u8 enc = ENC(pParse->db);
+@@ -114706,6 +114722,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+         */
+         assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+         ExprSetVVAProperty(pExpr, EP_NoReduce);
++        assert( i <= SMXV(pExpr->iAgg) );
+         pExpr->iAgg = (i16)i;
+         pExpr->pAggInfo = pAggInfo;
+         return WRC_Prune;
+-- 
+2.45.4
+

SPECS/sqlite/CVE-2025-6965.patch

@@ -2,7 +2,7 @@
 Summary:        A portable, high level programming interface to various calling conventions
 Name:           sqlite
 Version:        3.44.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        Public Domain
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -11,7 +11,7 @@ URL:            https://www.sqlite.org
 Source0:        https://www.sqlite.org/2023/%{name}-autoconf-%{sourcever}.tar.gz
 # CVE-2015-3717 applies to versions shipped in iOS and OS X
 Patch0:         CVE-2015-3717.nopatch
-#Patch1:         CVE-2022-46908.patch
+Patch1:         CVE-2025-6965.patch
 Requires:       sqlite-libs = %{version}-%{release}
 Provides:       sqlite3
 
@@ -82,6 +82,10 @@ make %{?_smp_mflags} check
 %{_libdir}/libsqlite3.so.0.8.6
 
 %changelog
+* Thu Jul 24 2025 Madhur Aggarwal <[email protected]> - 3.44.0-2
+- Patch CVE-2025-6965
+- remove unused patch file from SPEC folder.
+
 * Fri Nov 10 2023 Andrew Phelps <[email protected]> - 3.44.0-1
 - Upgrade to version 3.44.0
 

SPECS/sqlite/sqlite.spec

@@ -88,9 +88,9 @@ bison-3.8.2-1.azl3.aarch64.rpm
 popt-1.19-1.azl3.aarch64.rpm
 popt-devel-1.19-1.azl3.aarch64.rpm
 popt-lang-1.19-1.azl3.aarch64.rpm
-sqlite-3.44.0-1.azl3.aarch64.rpm
-sqlite-devel-3.44.0-1.azl3.aarch64.rpm
-sqlite-libs-3.44.0-1.azl3.aarch64.rpm
+sqlite-3.44.0-2.azl3.aarch64.rpm
+sqlite-devel-3.44.0-2.azl3.aarch64.rpm
+sqlite-libs-3.44.0-2.azl3.aarch64.rpm
 elfutils-0.189-5.azl3.aarch64.rpm
 elfutils-default-yama-scope-0.189-5.azl3.noarch.rpm
 elfutils-devel-0.189-5.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -88,9 +88,9 @@ bison-3.8.2-1.azl3.x86_64.rpm
 popt-1.19-1.azl3.x86_64.rpm
 popt-devel-1.19-1.azl3.x86_64.rpm
 popt-lang-1.19-1.azl3.x86_64.rpm
-sqlite-3.44.0-1.azl3.x86_64.rpm
-sqlite-devel-3.44.0-1.azl3.x86_64.rpm
-sqlite-libs-3.44.0-1.azl3.x86_64.rpm
+sqlite-3.44.0-2.azl3.x86_64.rpm
+sqlite-devel-3.44.0-2.azl3.x86_64.rpm
+sqlite-libs-3.44.0-2.azl3.x86_64.rpm
 elfutils-0.189-5.azl3.x86_64.rpm
 elfutils-default-yama-scope-0.189-5.azl3.noarch.rpm
 elfutils-devel-0.189-5.azl3.x86_64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -573,10 +573,10 @@ sed-lang-4.9-1.azl3.aarch64.rpm
 slang-2.3.3-1.azl3.aarch64.rpm
 slang-debuginfo-2.3.3-1.azl3.aarch64.rpm
 slang-devel-2.3.3-1.azl3.aarch64.rpm
-sqlite-3.44.0-1.azl3.aarch64.rpm
-sqlite-debuginfo-3.44.0-1.azl3.aarch64.rpm
-sqlite-devel-3.44.0-1.azl3.aarch64.rpm
-sqlite-libs-3.44.0-1.azl3.aarch64.rpm
+sqlite-3.44.0-2.azl3.aarch64.rpm
+sqlite-debuginfo-3.44.0-2.azl3.aarch64.rpm
+sqlite-devel-3.44.0-2.azl3.aarch64.rpm
+sqlite-libs-3.44.0-2.azl3.aarch64.rpm
 swig-4.2.1-1.azl3.aarch64.rpm
 swig-debuginfo-4.2.1-1.azl3.aarch64.rpm
 systemd-bootstrap-250.3-17.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -581,10 +581,10 @@ sed-lang-4.9-1.azl3.x86_64.rpm
 slang-2.3.3-1.azl3.x86_64.rpm
 slang-debuginfo-2.3.3-1.azl3.x86_64.rpm
 slang-devel-2.3.3-1.azl3.x86_64.rpm
-sqlite-3.44.0-1.azl3.x86_64.rpm
-sqlite-debuginfo-3.44.0-1.azl3.x86_64.rpm
-sqlite-devel-3.44.0-1.azl3.x86_64.rpm
-sqlite-libs-3.44.0-1.azl3.x86_64.rpm
+sqlite-3.44.0-2.azl3.x86_64.rpm
+sqlite-debuginfo-3.44.0-2.azl3.x86_64.rpm
+sqlite-devel-3.44.0-2.azl3.x86_64.rpm
+sqlite-libs-3.44.0-2.azl3.x86_64.rpm
 swig-4.2.1-1.azl3.x86_64.rpm
 swig-debuginfo-4.2.1-1.azl3.x86_64.rpm
 systemd-bootstrap-250.3-17.azl3.x86_64.rpm