Bug#1106512: unblock: sqlite3/3.46.1-5 (pre-approval)
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: affects -1 + src:sqlite3
Hi RMs,
Please pre-approve unblocking of package sqlite3.
[ Reason ]
There is a bug that, in a special case, causes invalid data to be used for a
column. It hasn't been seen in the wild; it was found by the Chromium fuzzer.
For some reason upstream turned off recovery support by default for a
long time. It was active in Bullseye, but not in Bookworm or in
Trixie.
[ Impact ]
The column handling bug is considered important and fixed by upstream,
but the details of the possible exploit have not yet been made public [1].
That is, I can't state the importance of the fix, but I believe it is
better to have it.
The recovery support needs a compile option to be added and, as it's
exposed externally, a new library symbol is being added.
[ Tests ]
Tested by myself on my box running Trixie and even backported to my
Bookworm one. There are no issues.
[ Risks ]
Fairly low, if any. The fix is a minimal change and, while the recovery
support exposes some internal data to the user, it does so for a specific
reason.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
Regards,
Laszlo/GCS
[1] https://issues.chromium.org/issues/415397143
diff -Nru sqlite3-3.46.1/debian/changelog sqlite3-3.46.1/debian/changelog
--- sqlite3-3.46.1/debian/changelog 2025-04-18 19:33:30.000000000 +0200
+++ sqlite3-3.46.1/debian/changelog 2025-05-24 15:36:17.000000000 +0200
@@ -1,3 +1,13 @@
+sqlite3 (3.46.1-5) unstable; urgency=medium
+
+ * Backport upstream fix for a bug in the NOT NULL/IS NULL optimization that
+ can cause invalid data to be used for a column if that column has a CHECK
+ constraint that includes the NOT NULL or IS NULL operator.
+ * Enable the SQLITE_DBPAGE extension (closes: #1099542).
+ * Update symbols file.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 24 May 2025 15:36:17 +0200
+
sqlite3 (3.46.1-4) unstable; urgency=high
* Backport upstream security fix for CVE-2025-29088: certain argument
diff -Nru sqlite3-3.46.1/debian/libsqlite3-0.symbols sqlite3-3.46.1/debian/libsqlite3-0.symbols
--- sqlite3-3.46.1/debian/libsqlite3-0.symbols 2024-05-30 19:37:02.000000000 +0200
+++ sqlite3-3.46.1/debian/libsqlite3-0.symbols 2025-05-24 15:36:17.000000000 +0200
@@ -197,6 +197,7 @@
sqlite3DbSpanDup@Base 3.37.0
sqlite3DbStrDup@Base 3.37.0
sqlite3DbStrNDup@Base 3.37.0
+ sqlite3DbpageRegister@Base 3.46.1
sqlite3DbstatRegister@Base 3.37.0
sqlite3DecOrHexToI64@Base 3.37.0
sqlite3DefaultMutex@Base 3.37.0
diff -Nru sqlite3-3.46.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch sqlite3-3.46.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch
--- sqlite3-3.46.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch 1970-01-01 01:00:00.000000000 +0100
+++ sqlite3-3.46.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch 2025-05-24 15:36:17.000000000 +0200
@@ -0,0 +1,58 @@
+Index: sqlite3/src/expr.c
+==================================================================
+--- sqlite3/src/expr.c
++++ sqlite3/src/expr.c
+@@ -5735,15 +5735,15 @@
+ case TK_ISNULL:
+ case TK_NOTNULL: {
+ assert( TK_ISNULL==OP_IsNull ); testcase( op==TK_ISNULL );
+ assert( TK_NOTNULL==OP_NotNull ); testcase( op==TK_NOTNULL );
+ r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, ®Free1);
+- sqlite3VdbeTypeofColumn(v, r1);
++ assert( regFree1==0 || regFree1==r1 );
++ if( regFree1 ) sqlite3VdbeTypeofColumn(v, r1);
+ sqlite3VdbeAddOp2(v, op, r1, dest);
+ VdbeCoverageIf(v, op==TK_ISNULL);
+ VdbeCoverageIf(v, op==TK_NOTNULL);
+- testcase( regFree1==0 );
+ break;
+ }
+ case TK_BETWEEN: {
+ testcase( jumpIfNull==0 );
+ exprCodeBetween(pParse, pExpr, dest, sqlite3ExprIfTrue, jumpIfNull);
+@@ -5910,15 +5910,15 @@
+ break;
+ }
+ case TK_ISNULL:
+ case TK_NOTNULL: {
+ r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, ®Free1);
+- sqlite3VdbeTypeofColumn(v, r1);
++ assert( regFree1==0 || regFree1==r1 );
++ if( regFree1 ) sqlite3VdbeTypeofColumn(v, r1);
+ sqlite3VdbeAddOp2(v, op, r1, dest);
+ testcase( op==TK_ISNULL ); VdbeCoverageIf(v, op==TK_ISNULL);
+ testcase( op==TK_NOTNULL ); VdbeCoverageIf(v, op==TK_NOTNULL);
+- testcase( regFree1==0 );
+ break;
+ }
+ case TK_BETWEEN: {
+ testcase( jumpIfNull==0 );
+ exprCodeBetween(pParse, pExpr, dest, sqlite3ExprIfFalse, jumpIfNull);
+
+Index: sqlite3/src/vdbe.c
+==================================================================
+--- sqlite3/src/vdbe.c
++++ sqlite3/src/vdbe.c
+@@ -3679,10 +3679,11 @@
+ }
+ }else{
+ zHdr += sqlite3PutVarint(zHdr, serial_type);
+ if( pRec->n ){
+ assert( pRec->z!=0 );
++ assert( pRec->z!=(const char*)sqlite3CtypeMap );
+ memcpy(zPayload, pRec->z, pRec->n);
+ zPayload += pRec->n;
+ }
+ }
+ if( pRec==pLast ) break;
+
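Review bot: The new patch file carries no DEP-3 header, so the upstream origin of the backport cannot be verified from the package alone; prepend `Description: Fix a bug in the NOT NULL/IS NULL optimization that can use invalid data for a column with a CHECK constraint`, `Origin: upstream, <UPSTREAM-CHECKIN-ID>` and `Bug: https://issues.chromium.org/issues/415397143` before the first Index: line. Both expr.c hunks read `®Free1` where `&regFree1` is expected, which looks like an HTML-entity rendering artifact of this page, but the committed file should be checked to contain `&regFree1`, since the patched source will otherwise not compile. The vdbe.c hunk adds only an assert(), so it documents the invariant in debug builds and gives no protection in the release library; the only behavioural change is the `if( regFree1 )` guard around sqlite3VdbeTypeofColumn in expr.c. The enclosing functions of all three inner hunks start and end outside the shown context.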
diff -Nru sqlite3-3.46.1/debian/patches/series sqlite3-3.46.1/debian/patches/series
--- sqlite3-3.46.1/debian/patches/series 2025-04-18 19:33:30.000000000 +0200
+++ sqlite3-3.46.1/debian/patches/series 2025-05-24 15:36:17.000000000 +0200
@@ -7,5 +7,6 @@
32-dynamic_link.patch
02-use-packaged-lempar.c.patch
40-amalgamation_configure.patch
+41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch
50-CVE-2025-29087.patch
51-CVE-2025-29088.patch
diff -Nru sqlite3-3.46.1/debian/rules sqlite3-3.46.1/debian/rules
--- sqlite3-3.46.1/debian/rules 2025-03-04 18:11:00.000000000 +0100
+++ sqlite3-3.46.1/debian/rules 2025-05-24 15:36:17.000000000 +0200
@@ -46,6 +46,7 @@
-DSQLITE_ENABLE_RTREE=1 -DSQLITE_SOUNDEX=1 \
-DSQLITE_ENABLE_UNLOCK_NOTIFY \
-DSQLITE_ENABLE_DBSTAT_VTAB \
+ -DSQLITE_ENABLE_DBPAGE_VTAB \
-DSQLITE_ALLOW_ROWID_IN_VIEW \
-DSQLITE_ENABLE_UPDATE_DELETE_LIMIT=1 \
-DSQLITE_ENABLE_LOAD_EXTENSION \
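Review bot: Adding `-DSQLITE_ENABLE_DBPAGE_VTAB` to the shared library exposes the sqlite_dbpage virtual table, which gives raw page-level access to the database file, to every application linked against libsqlite3, and upstream's documentation allows writes through it unless the connection sets SQLITE_DBCONFIG_DEFENSIVE; the [Risks] section and the changelog entry describe only read exposure of internal data. Document this in d/changelog, e.g. `* Enable the SQLITE_DBPAGE extension (closes: #1099542); raw page writes through it are blocked only when SQLITE_DBCONFIG_DEFENSIVE is set.`, so applications that run untrusted SQL know to set that flag. The variable this flag list belongs to starts before the hunk.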