Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:sqlite3 User: [email protected] Usertags: pu
Hi RMs, There's a security fix for sqlite3 which doesn't warrant a DSA and a packaging glitch fix. [ Reason ] The security fix is an integer overflow in the FTS5 extension, not in the library itself. The risk is an out of bounds write, but the data is only partially controlled. Packaging misses the pkgconf build dependency to link the ICU library to the ICU extension of the sqlite3. This fixes the extension loading. [ Impact ] Users of the FTS5 will be totally safe from a possible - yet hard to exploit - security problem. The ICU extension will be loadable and users can start to use it. [ Tests ] Local testing confirms the update is correct. The security fix is in sqlite3 3.46.1-8 since last September, the ICU extension is just uploaded with the sqlite3 3.46.1-9 package version. [ Risks ] I do not know any. The security fix basically is a one liner, extending the variable type to be a 64 bit wide one. The pkgconf build dependency only affects the ICU extension and the library dependency correctly added to it by debhelper. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issues are verified as fixed in unstable Thanks, Laszlo/GCS
diff -Nru sqlite3-3.46.1/debian/changelog sqlite3-3.46.1/debian/changelog --- sqlite3-3.46.1/debian/changelog 2025-07-25 21:04:34.000000000 +0200 +++ sqlite3-3.46.1/debian/changelog 2026-01-22 19:19:00.000000000 +0100 @@ -1,3 +1,12 @@ +sqlite3 (3.46.1-7+deb13u1) trixie; urgency=medium + + * Backport upstream security fix for CVE-2025-7709: integer overflow in the + FTS5 extension (closes: #1114609). + * Add pkgconf build dependency to fix link problem with ICU extension + (closes: #1099724). + + -- Laszlo Boszormenyi (GCS) <[email protected]> Thu, 22 Jan 2026 19:19:00 +0100 + sqlite3 (3.46.1-7) unstable; urgency=high * Backport upstream security fix for CVE-2025-6965: the number of aggregate diff -Nru sqlite3-3.46.1/debian/control sqlite3-3.46.1/debian/control --- sqlite3-3.46.1/debian/control 2025-04-09 16:39:52.000000000 +0200 +++ sqlite3-3.46.1/debian/control 2026-01-22 19:19:00.000000000 +0100 @@ -2,7 +2,7 @@ Section: devel Priority: optional Maintainer: Laszlo Boszormenyi (GCS) <[email protected]> -Build-Depends: debhelper-compat (= 13), autoconf (>= 2.59), libtool (>= 1.5.2), automake, chrpath, lynx, libreadline-dev, tcl8.6-dev, libicu-dev +Build-Depends: debhelper-compat (= 13), autoconf (>= 2.59), libtool (>= 1.5.2), automake, pkgconf, chrpath, lynx, libreadline-dev, tcl8.6-dev, libicu-dev Build-Conflicts: tcl8.4, tcl8.4-dev, tcl8.5, tcl8.5-dev Standards-Version: 4.7.0 Rules-Requires-Root: no diff -Nru sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch --- sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch 1970-01-01 01:00:00.000000000 +0100 +++ sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch 2026-01-22 19:19:00.000000000 +0100 @@ -0,0 +1,24 @@ +Description: fix CVE-2025-7709 + An integer overflow exists in the FTS5 extension. This change fixes this. +Author: Laszlo Boszormenyi (GCS) <[email protected]> +Bug-Debian: https://bugs.debian.org/1114609 +Origin: upstream, https://sqlite.org/src/info/63595b74956a9391 +Forwarded: not-needed +Last-Update: 2025-09-07 + +--- + +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -1933,9 +1933,9 @@ static void fts5SegIterSetNext(Fts5Index + ** leave an error in the Fts5Index object. + */ + static void fts5SegIterAllocTombstone(Fts5Index *p, Fts5SegIter *pIter){ +- const int nTomb = pIter->pSeg->nPgTombstone; ++ const i64 nTomb = (i64)pIter->pSeg->nPgTombstone; + if( nTomb>0 ){ +- int nByte = nTomb * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray); ++ i64 nByte = nTomb * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray); + Fts5TombstoneArray *pNew; + pNew = (Fts5TombstoneArray*)sqlite3Fts5MallocZero(&p->rc, nByte); + if( pNew ){ diff -Nru sqlite3-3.46.1/debian/patches/series sqlite3-3.46.1/debian/patches/series --- sqlite3-3.46.1/debian/patches/series 2025-07-25 21:04:34.000000000 +0200 +++ sqlite3-3.46.1/debian/patches/series 2026-01-22 19:19:00.000000000 +0100 @@ -11,3 +11,4 @@ 50-CVE-2025-29087.patch 51-CVE-2025-29088.patch 52-CVE-2025-6965.patch +53-CVE-2025-7709.patch
