Your message dated Tue, 09 Sep 2025 17:50:45 +0000
with message-id <[email protected]>
and subject line Bug#1114609: fixed in sqlite3 3.46.1-8
has caused the Debian Bug report #1114609,
regarding sqlite3: CVE-2025-7709
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1114609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114609
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sqlite3
Version: 3.46.1-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi Laszlo,
The following vulnerability was published for sqlite3.
CVE-2025-7709[0]:
| Integer Overflow in FTS5 Extension
I think the issue is as well present before bd0e3ed522a1 ("Use
flexible arrays whereever appropriate in FTS5.") which is afaics only
in version-3.50.0 onwards itself. This would be somehow in line with
[1] which claims at least 3.49.1 is affected as well.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-7709
    https://www.cve.org/CVERecord?id=CVE-2025-7709
[1] https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g
[2] https://sqlite.org/src/info/63595b74956a9391
    https://github.com/sqlite/sqlite/commit/192d0ff8ccf0bf55776a5930cdc64e25f87299d6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sqlite3
Source-Version: 3.46.1-8
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated sqlite3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 Sep 2025 18:47:18 +0200
Source: sqlite3
Architecture: source
Version: 3.46.1-8
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1114609
Changes:
 sqlite3 (3.46.1-8) unstable; urgency=high
 .
   * Backport upstream security fix for CVE-2025-7709: integer overflow in the
     FTS5 extension (closes: #1114609).
   * No longer compile with the SQLITE_ENABLE_FTS3_TOKENIZER option.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---