openRuyi-tutorials/buildroot
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/sqlite: add patch to fix CVE-2025-29087

Browse Source 
This patch was commited upstream, and released as part of sqlite 3.49.1

However, the configuration system changed between sqlite 3.48 and 3.49
from autotools to autosetup, and this has proven challenging to support
in Buildroot (see `git log package/sqlite`), hence why we are still on
sqlite 3.48.

Therefore, until the package build infrastructure correctly supports
building sqlite 3.49, let's simply import the upstream patch to address
the CVE.

Note: the upstream patch is on the orignal sqlite sources. Buildroot is
using the sqlite "amalgamation" source archive, which basically
concatenate all the source files in a single "sqlite3.c" file. So the
patch was reformated to apply correctly on the sqlite release archive.

Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-29087

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien:
 - reformat patch to be applicable on amalgamated sqlite sources
 - add comment in commit log about patch format
 - add "Fixes:" in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit is contained in:
Titouan Christophe
2025-05-07 15:00:44 +02:00
committed by Julien Olivain
parent e3cae9e1ca
commit 835b5659ea
2 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
package/sqlite/0002-Add-a-typecast-to-avoid-32-bit-integer-overflow-in-t.patch Normal file
View File

@@ -0,0 +1,36 @@
From 1cbb088f4be95e7a02627f64de60653ef2b13ab5 Mon Sep 17 00:00:00 2001
From: drh <>
Date: Sun, 16 Feb 2025 10:57:25 +0000
Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the
concat_ws() function with an enormous separator values and many arguments.
Fixes the following CVE:
- CVE-2025-29087: In SQLite 3.44.0 through 3.49.0 before 3.49.1,
the concat_ws() SQL function can cause memory to be
written beyond the end of a malloc-allocated buffer.
For more info see https://nvd.nist.gov/vuln/detail/CVE-2025-29087
Upstream: https://sqlite.org/src/info/498e3f1cf57f164f
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
sqlite3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sqlite3.c b/sqlite3.c
index 80433f6..8a43734 100644
--- a/sqlite3.c
+++ b/sqlite3.c
@@ -130954,7 +130954,7 @@ static void concatFuncCore(
for(i=0; i<argc; i++){
n += sqlite3_value_bytes(argv[i]);
}
- n += (argc-1)*nSep;
+ n += (argc-1)*(i64)nSep;
z = sqlite3_malloc64(n+1);
if( z==0 ){
sqlite3_result_error_nomem(context);
--
2.49.0

3
package/sqlite/sqlite.mk
View File

@@ -13,6 +13,9 @@ SQLITE_LICENSE_FILES = tea/license.terms
SQLITE_CPE_ID_VENDOR = sqlite
SQLITE_INSTALL_STAGING = YES
# 0002-Add-a-typecast-to-avoid-32-bit-integer-overflow-in-t.patch
SQLITE_IGNORE_CVES = CVE-2025-29087
ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
endif