
Bug#1112124: marked as done (bookworm-pu: sqlite3/3.40.1-2+deb12u2)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112124,
regarding bookworm-pu: sqlite3/3.40.1-2+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112124
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Shani Yosef <shani.yosef@echohq.com>
Control: affects -1 + src:sqlite3

Hi RMs,

[ Reason ]
A security fix that might be exploited, but as far as the security team
goes, doesn't warrant a DSA. Then an optimization error which might
produce invalid data.

[ Impact ]
The first issue can lead to a memory corruption issue, the second
might generate invalid data. Any of these might cause application
crashes and/or database corruption.

[ Tests ]
Local testing and the two fixes are part of Trixie + Sid as well.

[ Risks ]
I do not think there is any risk. I've already backported these fixes
for Trixie as well; there are no issues.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bookworm
  [x] the issue is verified as fixed in unstable

Thanks for considering,
Laszlo/GCS
diff -Nru sqlite3-3.40.1/debian/changelog sqlite3-3.40.1/debian/changelog
--- sqlite3-3.40.1/debian/changelog	2024-11-02 21:03:43.000000000 +0100
+++ sqlite3-3.40.1/debian/changelog	2025-08-26 18:18:10.000000000 +0200
@@ -1,3 +1,15 @@
+sqlite3 (3.40.1-2+deb12u2) bookworm; urgency=medium
+
+  [ Shani Yosef <shani.yosef@echohq.com> ]
+  * Backport upstream security fix for CVE-2025-6965: the number of aggregate
+    terms could exceed the number of columns available (closes: #1109379).
+
+  [ Laszlo Boszormenyi (GCS) ]
+  * Fix a bug in the NOT NULL/IS NULL optimization that can cause invalid
+    data.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 26 Aug 2025 18:18:10 +0200
+
 sqlite3 (3.40.1-2+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
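Review bot: the second changelog entry (the NOT NULL/IS NULL optimization fix) carries neither an upstream check-in reference nor a bug number, while the first entry has a CVE id and a `closes:` tag; adding the upstream check-in (or a Debian bug, if one was filed) to the second bullet would let the release team and users trace exactly what was backported in 41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch.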
diff -Nru sqlite3-3.40.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch sqlite3-3.40.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch
--- sqlite3-3.40.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch	1970-01-01 01:00:00.000000000 +0100
+++ sqlite3-3.40.1/debian/patches/41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch	2025-05-24 15:52:55.000000000 +0200
@@ -0,0 +1,58 @@
+Index: sqlite3/src/expr.c
+==================================================================
+--- sqlite3/src/expr.c
++++ sqlite3/src/expr.c
+@@ -5279,15 +5279,15 @@
+     case TK_ISNULL:
+     case TK_NOTNULL: {
+       assert( TK_ISNULL==OP_IsNull );   testcase( op==TK_ISNULL );
+       assert( TK_NOTNULL==OP_NotNull ); testcase( op==TK_NOTNULL );
+       r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, &regFree1);
+-      sqlite3VdbeTypeofColumn(v, r1);
++      assert( regFree1==0 || regFree1==r1 );
++      if( regFree1 ) sqlite3VdbeTypeofColumn(v, r1);
+       sqlite3VdbeAddOp2(v, op, r1, dest);
+       VdbeCoverageIf(v, op==TK_ISNULL);
+       VdbeCoverageIf(v, op==TK_NOTNULL);
+-      testcase( regFree1==0 );
+       break;
+     }
+     case TK_BETWEEN: {
+       testcase( jumpIfNull==0 );
+       exprCodeBetween(pParse, pExpr, dest, sqlite3ExprIfTrue, jumpIfNull);
+@@ -5454,15 +5454,15 @@
+       break;
+     }
+     case TK_ISNULL:
+     case TK_NOTNULL: {
+       r1 = sqlite3ExprCodeTemp(pParse, pExpr->pLeft, &regFree1);
+-      sqlite3VdbeTypeofColumn(v, r1);
++      assert( regFree1==0 || regFree1==r1 );
++      if( regFree1 ) sqlite3VdbeTypeofColumn(v, r1);
+       sqlite3VdbeAddOp2(v, op, r1, dest);
+       testcase( op==TK_ISNULL );   VdbeCoverageIf(v, op==TK_ISNULL);
+       testcase( op==TK_NOTNULL );  VdbeCoverageIf(v, op==TK_NOTNULL);
+-      testcase( regFree1==0 );
+       break;
+     }
+     case TK_BETWEEN: {
+       testcase( jumpIfNull==0 );
+       exprCodeBetween(pParse, pExpr, dest, sqlite3ExprIfFalse, jumpIfNull);
+
+Index: sqlite3/src/vdbe.c
+==================================================================
+--- sqlite3/src/vdbe.c
++++ sqlite3/src/vdbe.c
+@@ -3545,10 +3545,11 @@
+       }
+     }else{
+       zHdr += sqlite3PutVarint(zHdr, serial_type);
+       if( pRec->n ){
+         assert( pRec->z!=0 );
++        assert( pRec->z!=(const char*)sqlite3CtypeMap );
+         memcpy(zPayload, pRec->z, pRec->n);
+         zPayload += pRec->n;
+       }
+     }
+     if( pRec==pLast ) break;
+
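Review bot: the new patch file has no DEP-3 header (no `Origin:` pointing at the upstream check-in, no `Description:`), so a reader cannot tell which upstream fix this is or whether the hunk offsets were adjusted for 3.40.1, unlike 42-CVE-2025-6965.patch which at least keeps the upstream commit header; a short `Origin: upstream, <check-in URL>` / `Description:` block at the top would fix that. On the change itself: both src/expr.c hunks now call `sqlite3VdbeTypeofColumn(v, r1)` only when `regFree1` is non-zero, i.e. when r1 is a temporary register rather than a register the caller still owns (the removed `testcase( regFree1==0 )` shows that case was reachable), and the src/vdbe.c hunk is a bare `assert()` that compiles out of release builds, so the behavioural change for users is confined to the two expr.c hunks.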
diff -Nru sqlite3-3.40.1/debian/patches/42-CVE-2025-6965.patch sqlite3-3.40.1/debian/patches/42-CVE-2025-6965.patch
--- sqlite3-3.40.1/debian/patches/42-CVE-2025-6965.patch	1970-01-01 01:00:00.000000000 +0100
+++ sqlite3-3.40.1/debian/patches/42-CVE-2025-6965.patch	2025-08-26 18:13:12.000000000 +0200
@@ -0,0 +1,117 @@
+From c52e9d97d485a3eb168e3f8f3674a7bc4b419703 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Fri, 27 Jun 2025 19:02:21 +0000
+Subject: [PATCH] Raise an error right away if the number of aggregate terms in
+ a query exceeds the maximum number of columns.
+
+FossilOrigin-Name: 5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
+---
+ manifest        | 16 ++++++++--------
+ manifest.uuid   |  2 +-
+ src/expr.c      | 16 +++++++++++++++-
+ src/sqliteInt.h | 10 +++++-----
+ 4 files changed, 29 insertions(+), 15 deletions(-)
+
+Customized by us to be applied to the sqlite3 version 3.40.1
+
+diff --git a/src/expr.c b/src/expr.c
+index 7a4e59f28d..cdae3169b2 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -6277,6 +6277,8 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+             ** is not an entry there already.
+             */
+             int k;
++            int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++            assert( mxTerm <= SMXV(i16) );
+             pCol = pAggInfo->aCol;
+             for(k=0; k<pAggInfo->nColumn; k++, pCol++){
+               if( pCol->iTable==pExpr->iTable
+@@ -6289,6 +6291,10 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+             if( (k>=pAggInfo->nColumn)
+              && (k = addAggInfoColumn(pParse->db, pAggInfo))>=0 
+             ){
++              if( k>mxTerm ){
++                sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++                k = mxTerm;
++              }
+               pCol = &pAggInfo->aCol[k];
+               assert( ExprUseYTab(pExpr) );
+               pCol->pTab = pExpr->y.pTab;
+@@ -6327,6 +6333,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+             if( pExpr->op==TK_COLUMN ){
+               pExpr->op = TK_AGG_COLUMN;
+             }
++            assert( k <= SMXV(pExpr->iAgg) );
+             pExpr->iAgg = (i16)k;
+             break;
+           } /* endif pExpr->iTable==pItem->iCursor */
+@@ -6342,13 +6349,19 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+         ** function that is already in the pAggInfo structure
+         */
+         struct AggInfo_func *pItem = pAggInfo->aFunc;
++        int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++        assert( mxTerm <= SMXV(i16) );
+         for(i=0; i<pAggInfo->nFunc; i++, pItem++){
+           if( pItem->pFExpr==pExpr ) break;
+           if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){
+             break;
+           }
+         }
+-        if( i>=pAggInfo->nFunc ){
++        if( i>mxTerm ){
++          sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++          i = mxTerm;
++          assert( i<pAggInfo->nFunc );
++        }else if( i>=pAggInfo->nFunc ){
+           /* pExpr is original.  Make a new entry in pAggInfo->aFunc[]
+           */
+           u8 enc = ENC(pParse->db);
+@@ -6373,6 +6386,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+         */
+         assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+         ExprSetVVAProperty(pExpr, EP_NoReduce);
++        assert( i <= SMXV(pExpr->iAgg) );
+         pExpr->iAgg = (i16)i;
+         pExpr->pAggInfo = pAggInfo;
+         return WRC_Prune;
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index e4b74f6d0b..f9bed00234 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -941,6 +941,15 @@ typedef INT16_TYPE LogEst;
+ #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32))
+ #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64)
+
++/*
++** Macro SMXV(n) return the maximum value that can be held in variable n,
++** assuming n is a signed integer type.  UMXV(n) is similar for unsigned
++** integer types.
++*/
++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
++
++
+ /*
+ ** Round up a number to the next larger multiple of 8.  This is used
+ ** to force 8-byte alignment on 64-bit architectures.
+@@ -2718,7 +2727,7 @@ struct AggInfo {
+                           ** than the source table */
+   int sortingIdx;         /* Cursor number of the sorting index */
+   int sortingIdxPTab;     /* Cursor number of pseudo-table */
+-  int nSortingColumn;     /* Number of columns in the sorting index */
++  u32 nSortingColumn;     /* Number of columns in the sorting index */
+   int mnReg, mxReg;       /* Range of registers allocated for aCol and aFunc */
+   ExprList *pGroupBy;     /* The group by clause */
+   struct AggInfo_col {    /* For each column used in source tables */
+@@ -2726,8 +2735,8 @@ struct AggInfo {
+     Expr *pCExpr;            /* The original expression */
+     int iTable;              /* Cursor number of the source table */
+     int iMem;                /* Memory location that acts as accumulator */
+-    i16 iColumn;             /* Column number within the source table */
+-    i16 iSorterColumn;       /* Column number in the sorting index */
++    int iColumn;             /* Column number within the source table */
++    int iSorterColumn;       /* Column number in the sorting index */
+   } *aCol;
+   int nColumn;            /* Number of used entries in aCol[] */
+   int nAccumulator;       /* Number of columns that show through to the output.
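Review bot: the header keeps the upstream diffstat (`manifest`, `manifest.uuid`, "4 files changed") even though only src/expr.c and src/sqliteInt.h are included after the "Customized by us" edit; trim the stat block to the two files or drop it, and consider a `Bug-Debian: https://bugs.debian.org/1109379` line to tie the patch to the bug the changelog closes. On the logic: after `sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm)` the code does not return but clamps `k = mxTerm` (and `i = mxTerm` in the aFunc branch) and goes on to write `pAggInfo->aCol[k]` and `pExpr->iAgg = (i16)k`; this relies on `assert( mxTerm <= SMXV(i16) )` to keep the clamped index within what iAgg can hold, and on aCol already having more than mxTerm entries when `addAggInfoColumn()` returned `k>mxTerm`, so a one-line comment explaining why continuing is safe would protect the clamp during a future rebase. The field widenings (`i16` to `int` for iColumn/iSorterColumn, `int` to `u32` for nSortingColumn) are in the private sqliteInt.h, so they do not affect the public ABI.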
diff -Nru sqlite3-3.40.1/debian/patches/series sqlite3-3.40.1/debian/patches/series
--- sqlite3-3.40.1/debian/patches/series	2024-11-02 21:03:43.000000000 +0100
+++ sqlite3-3.40.1/debian/patches/series	2025-08-26 18:18:06.000000000 +0200
@@ -7,6 +7,8 @@
 32-dynamic_link.patch
 02-use-packaged-lempar.c.patch
 40-amalgamation_configure.patch
+41-fix_a_bug_in_the_NOT_NULL-IS_NULL_optimization.patch
+42-CVE-2025-6965.patch
 0001-Fix-a-buffer-overread-in-the-sessions-extension-that.patch
 0002-Avoid-a-stack-overflow-that-could-be-caused-by-a-rec.patch
 0003-Fix-a-technically-undefined-signed-integer-overflow-.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
