Bug#1110140: unblock: sqlite3/3.46.1-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: affects -1 + src:sqlite3
Hi RMs,
[ Reason ]
There's a security issue (CVE-2025-6965) where the number of aggregate terms in a
query could exceed the number of columns available. The per-expression aggregate
index is stored in a 16-bit field, and the new code bounds it to
SQLITE_LIMIT_COLUMN before the narrowing cast, so an oversized term count could
previously wrap and index out of bounds, leading to memory corruption. This update
backports the upstream fix for this vulnerability.
This issue was found by Google (its Big Sleep AI agent, per the linked report),
which stated that threat actors may already have known about it and been preparing
to exploit it. As such, this is considered a critical security issue. See:
https://thehackernews.com/2025/07/google-ai-big-sleep-stops-exploitation.html
[ Impact ]
Very minimal: the change is small and quite straightforward — a bounds check on the
aggregate-term index in expr.c plus widening of a few internal AggInfo fields in
sqliteInt.h.
[ Tests ]
Local testing by the maintainer, including running the reverse-dependency package
tests.
[ Risks ]
I don't see any. The one visible behaviour change is that a statement using more
aggregate terms than the connection's SQLITE_LIMIT_COLUMN is now rejected with a
"more than N aggregate terms" error rather than processed.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
diff -Nru sqlite3-3.46.1/debian/changelog sqlite3-3.46.1/debian/changelog
--- sqlite3-3.46.1/debian/changelog 2025-05-28 07:02:56.000000000 +0200
+++ sqlite3-3.46.1/debian/changelog 2025-07-25 21:04:34.000000000 +0200
@@ -1,3 +1,10 @@
+sqlite3 (3.46.1-7) unstable; urgency=high
+
+ * Backport upstream security fix for CVE-2025-6965: the number of aggregate
+ terms could exceed the number of columns available (closes: #1109379).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Fri, 25 Jul 2025 21:04:34 +0200
+
sqlite3 (3.46.1-6) unstable; urgency=medium
* Correct version of sqlite3DbpageRegister@Base library symbol.
diff -Nru sqlite3-3.46.1/debian/patches/52-CVE-2025-6965.patch sqlite3-3.46.1/debian/patches/52-CVE-2025-6965.patch
--- sqlite3-3.46.1/debian/patches/52-CVE-2025-6965.patch 1970-01-01 01:00:00.000000000 +0100
+++ sqlite3-3.46.1/debian/patches/52-CVE-2025-6965.patch 2025-07-25 21:04:34.000000000 +0200
@@ -0,0 +1,128 @@
+Index: sqlite3/src/expr.c
+==================================================================
+--- sqlite3/src/expr.c
++++ sqlite3/src/expr.c
+@@ -6755,11 +6755,13 @@
+ AggInfo *pAggInfo, /* The AggInfo object to search and/or modify */
+ Expr *pExpr /* Expr describing the column to find or insert */
+ ){
+ struct AggInfo_col *pCol;
+ int k;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+
++ assert( mxTerm <= SMXV(i16) );
+ assert( pAggInfo->iFirstReg==0 );
+ pCol = pAggInfo->aCol;
+ for(k=0; k<pAggInfo->nColumn; k++, pCol++){
+ if( pCol->pCExpr==pExpr ) return;
+ if( pCol->iTable==pExpr->iTable
+@@ -6772,10 +6774,14 @@
+ k = addAggInfoColumn(pParse->db, pAggInfo);
+ if( k<0 ){
+ /* OOM on resize */
+ assert( pParse->db->mallocFailed );
+ return;
++ }
++ if( k>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ k = mxTerm;
+ }
+ pCol = &pAggInfo->aCol[k];
+ assert( ExprUseYTab(pExpr) );
+ pCol->pTab = pExpr->y.pTab;
+ pCol->iTable = pExpr->iTable;
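Review bot: The `k>mxTerm` branch reports an error but, unlike the OOM branch directly above it, does not return; it clamps `k` to `mxTerm` and lets the rest of the routine overwrite `aCol[mxTerm]` with the new column's data. That is presumably deliberate — sqlite3ErrorMsg() marks the parse as failed so the statement never executes, and returning early would leave `pExpr->pAggInfo` and `pExpr->iAgg` unset for the code that follows — but the asymmetry with the `return` above deserves a comment, e.g. `/* Statement is now rejected; clamp k so the bookkeeping below stays in bounds */`. findOrCreateAggInfoColumn starts and ends outside this hunk.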
+@@ -6806,10 +6812,11 @@
+ assert( pExpr->pAggInfo==0 || pExpr->pAggInfo==pAggInfo );
+ pExpr->pAggInfo = pAggInfo;
+ if( pExpr->op==TK_COLUMN ){
+ pExpr->op = TK_AGG_COLUMN;
+ }
++ assert( k <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)k;
+ }
+
+ /*
+ ** This is the xExprCallback for a tree walker. It is used to
+@@ -6890,17 +6897,23 @@
+ ){
+ /* Check to see if pExpr is a duplicate of another aggregate
+ ** function that is already in the pAggInfo structure
+ */
+ struct AggInfo_func *pItem = pAggInfo->aFunc;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++ assert( mxTerm <= SMXV(i16) );
+ for(i=0; i<pAggInfo->nFunc; i++, pItem++){
+ if( NEVER(pItem->pFExpr==pExpr) ) break;
+ if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){
+ break;
+ }
+ }
+- if( i>=pAggInfo->nFunc ){
++ if( i>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ i = mxTerm;
++ assert( i<pAggInfo->nFunc );
++ }else if( i>=pAggInfo->nFunc ){
+ /* pExpr is original. Make a new entry in pAggInfo->aFunc[]
+ */
+ u8 enc = ENC(pParse->db);
+ i = addAggInfoFunc(pParse->db, pAggInfo);
+ if( i>=0 ){
+@@ -6950,10 +6963,11 @@
+ }
+ /* Make pExpr point to the appropriate pAggInfo->aFunc[] entry
+ */
+ assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
++ assert( i <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)i;
+ pExpr->pAggInfo = pAggInfo;
+ return WRC_Prune;
+ }else{
+ return WRC_Continue;
+
+Index: sqlite3/src/sqliteInt.h
+==================================================================
+--- sqlite3/src/sqliteInt.h
++++ sqlite3/src/sqliteInt.h
+@@ -1008,6 +1008,14 @@ typedef INT16_TYPE LogEst;
+ #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
+
+ /*
++** Macro SMXV(n) return the maximum value that can be held in variable n,
++** assuming n is a signed integer type. UMXV(n) is similar for unsigned
++** integer types.
++*/
++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
++
++/*
+ ** Round up a number to the next larger multiple of 8. This is used
+ ** to force 8-byte alignment on 64-bit architectures.
+ **
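Review bot: `SMXV(n)` and `UMXV(n)` are only well-defined for types narrower than 8 bytes: for a 64-bit `n`, SMXV shifts `(i64)1` by 63 into the sign bit and UMXV shifts by 64, both undefined behaviour in C. The patch applies them only to `i16` (`pExpr->iAgg`), so nothing is triggered here, but the header comment presents them as general and a later caller could pick up the UB silently. Either document the restriction in the comment (`only for integer types narrower than i64`) or compute SMXV in unsigned arithmetic with the header's `u64` typedef, `#define SMXV(n) ((i64)((((u64)1)<<(sizeof(n)*8-1))-1))`, which makes the signed form valid for 8-byte types as well.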
+@@ -2869,21 +2869,21 @@
+ struct AggInfo {
+ u8 directMode; /* Direct rendering mode means take data directly
+ ** from source tables rather than from accumulators */
+ u8 useSortingIdx; /* In direct mode, reference the sorting index rather
+ ** than the source table */
+- u16 nSortingColumn; /* Number of columns in the sorting index */
++ u32 nSortingColumn; /* Number of columns in the sorting index */
+ int sortingIdx; /* Cursor number of the sorting index */
+ int sortingIdxPTab; /* Cursor number of pseudo-table */
+ int iFirstReg; /* First register in range for aCol[] and aFunc[] */
+ ExprList *pGroupBy; /* The group by clause */
+ struct AggInfo_col { /* For each column used in source tables */
+ Table *pTab; /* Source table */
+ Expr *pCExpr; /* The original expression */
+ int iTable; /* Cursor number of the source table */
+- i16 iColumn; /* Column number within the source table */
+- i16 iSorterColumn; /* Column number in the sorting index */
++ int iColumn; /* Column number within the source table */
++ int iSorterColumn; /* Column number in the sorting index */
+ } *aCol;
+ int nColumn; /* Number of used entries in aCol[] */
+ int nAccumulator; /* Number of columns that show through to the output.
+ ** Additional columns are used only as parameters to
+ ** aggregate functions */
+
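Review bot: The new `52-CVE-2025-6965.patch` carries no DEP-3 header: the file starts directly at `Index: sqlite3/src/expr.c` with no `Description:`, `Origin:`, `Bug-Debian:` or `Last-Update:` fields, so a reader cannot tell which upstream check-in this backport corresponds to or verify that it is complete. Since this is a security backport from a newer upstream series into 3.46.1, a header with `Origin: upstream, <fossil check-in URL>` and `Bug-Debian: https://bugs.debian.org/1109379` (the bug already cited in the changelog) would make the provenance auditable. The widening of `iColumn`/`iSorterColumn` and `nSortingColumn` in the AggInfo hunk changes a struct layout, but sqliteInt.h appears to be an internal header, so it should not touch the exported ABI; a one-line note to that effect in the header would also help the release team.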
diff -Nru sqlite3-3.46.1/debian/patches/series sqlite3-3.46.1/debian/patches/series
--- sqlite3-3.46.1/debian/patches/series 2025-05-24 15:36:17.000000000 +0200
+++ sqlite3-3.46.1/debian/patches/series 2025-07-25 21:04:34.000000000 +0200
@@ -10,3 +10,4 @@
41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch
50-CVE-2025-29087.patch
51-CVE-2025-29088.patch
+52-CVE-2025-6965.patch