1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-16 15:57:04 +00:00
Commit Graph

20 Commits

Author SHA1 Message Date
Vijay Anusuri 78749ad27d sqlite3: Fix CVE-2025-70873
Pick patch as per [1]

[1] https://sqlite.org/src/info/3d459f1fb1bd1b5e
[2] https://sqlite.org/forum/forumpost/761eac3c82
[3] https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054

(From OE-Core rev: c83cd0147548921f87d4167f6a4a7c58ddc8600f)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-04-10 11:53:18 +01:00
Steve Sakoman d655701622 Revert "sqlite3: patch CVE-2025-7458"
We have found that since this patch SELECT queries with
COUNT(DISTINCT(column)) seem to cause sqlite to segfault

This reverts commit 4d5093e5103016c08b3a32fd83b1ec9edd87cd5a.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-09-01 08:25:16 -07:00
Peter Marko bedacbb603 sqlite3: patch CVE-2025-7458
Pick patch [1] listed in [2].
Also pick another patch which is precondition to this one introducing
variable needed for the check.

[1] https://sqlite.org/src/info/12ad822d9b827777
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458

(From OE-Core rev: 4d5093e5103016c08b3a32fd83b1ec9edd87cd5a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-08-08 06:30:56 -07:00
Vijay Anusuri bc3d85398a sqlite3: Fix CVE-2025-6965
Upstream-Status: Backport from https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703

(From OE-Core rev: b4a2f74ba0b40abcdf56c4b58cae5f7ce145d511)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-08-04 06:40:00 -07:00
Peter Marko ade4d1829a sqlite3: patch CVE-2025-29088
Pick commit [1] mentioned in [2].

[1] https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-29088

(From OE-Core rev: 70d2d56f89d6f4589d65a0b4f0cbda20d2172167)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-05-02 08:12:41 -07:00
Vrushti Dabhi dd123d8eda sqlite3: Rename patch for CVE-2022-35737
The patch "0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch"
fixes CVE-2022-35737.

(From OE-Core rev: 9a875873e566a6673a65a8264fd0868c568e2a2c)

Signed-off-by: Vrushti Dabhi <vrushti.dabhi@einfochips.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-07 05:38:17 -07:00
Vrushti Dabhi bf6aca4b29 sqlite3: CVE-ID correction for CVE-2023-7104
- The commit [https://sqlite.org/src/info/0e4e7a05c4204b47]
  ("Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.")
  fixes CVE-2023-7104 instead of CVE-2022-46908.
- Hence, corrected the CVE-ID in CVE-2023-7104.patch.
- Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-7104

(From OE-Core rev: 9d7f21f3d0ae24d0005076396e9a929bb32d648e)

Signed-off-by: Vrushti Dabhi <vrushti.dabhi@einfochips.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-07 05:38:17 -07:00
Peter Marko 76d570000e sqlite3: backport patch for CVE-2023-7104
Backport https://sqlite.org/src/info/0e4e7a05c4204b47

(From OE-Core rev: 31fb83ac3dcd2dd55b184de22a296ab4dc150d2e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-01-21 08:50:38 -10:00
Vijay Anusuri 4f488ca49e sqlite3: CVE-2023-36191 CLI fault on missing -nonce
Upstream-Status: Backport [https://sqlite.org/src/info/cd24178bbaad4a1d]

(From OE-Core rev: 663713b2f95dee1e70f8921ece23b21d84d93805)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-07-21 06:27:34 -10:00
Vivek Kumbhar bbe38cd637 sqlite: fix CVE-2022-46908 safe mode authorizer callback allows disallowed UDFs.
(From OE-Core rev: 18641988caa131436f75dd3c279ce5af3380481a)

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 17:33:23 +00:00
ghassaneben 51fa770857 sqlite: fix CVE-2022-35737
Increase the size of loop variables in the printf() implementation to avoid integer overflow on multi-gigabyte string arguments. CVE-2022-35737.

This bug fix refers to: CVE-2022-35737 and it's a backport of a fix added in sqlite 3.39.2 (2022-07-21).

(From OE-Core rev: fdc82b2314b580c0135c16b7278ebf8786311dec)

Signed-off-by: Ghassane Ben El Aattar <ghassaneb.aattar@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-09-03 13:09:49 +01:00
Wang Mingyu c15d342e45 sqlite: upgrade 3.31.1 -> 3.32.1
CVE-2020-11655.patch
CVE-2020-11656.patch
CVE-2020-9327.patch
removed since they are included in 3.32.1

(From OE-Core rev: 7ee8501146ceccdbd07104903694a435b75c0606)

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-04 13:27:32 +01:00
Sakib Sajal b3f5f7f10a sqlite: backport CVE fixes
Fixes CVE-2020-11655 and CVE-2020-11656

(From OE-Core rev: 3b06a6c73f4e49c6d00f758423c2e8865ec2de00)

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-05-03 15:41:40 +01:00
Anuj Mittal 0a9ce59fda sqlite3: fix CVE-2020-9327
(From OE-Core rev: 6acb9746744536019d5c04ce482a873916aac99f)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-10 23:20:33 +00:00
Maxin B. John 266694886e sqlite3: upgrade to 3.21.0
Remove upstreamed patch:
        1. sqlite3-fix-CVE-2017-13685.patch

(From OE-Core rev: 483711e676cd063a873179bdb2daedf56de0aa75)

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-11-21 13:06:11 +00:00
Wenzong Fan 55db269ae9 sqlite3: fix CVE-2017-13685
The dump_callback function in SQLite 3.20.0 allows remote attackers to
cause a denial of service (EXC_BAD_ACCESS and application crash) via a
crafted file.

Backport patch to fix the issue. Some references:
https://sqlite.org/src/info/02f0f4c54f2819b3
http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html

(From OE-Core rev: 9b9f566d2042f2b393de88506d2da964bc4d17b0)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-10-16 23:52:44 +01:00
Maxin B. John 6c4e5e0ffb sqlite3: upgrade to 3.16.2
3.15.2 -> 3.16.2

1. Updated the SRC_URI for releases in 2017
2. Removed the following revert patch as the fix is present in this release:
        a) 0001-revert-ad601c7962-that-brings-2-increase-of-build-ti.patch

[YOCTO #10695]

(From OE-Core rev: 05317fe9f11565d40b84ad71300b39c990a53f6d)

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-16 18:05:13 +00:00
Jianxun Zhang 7052400cea sqlite3: Revert ad601c7962 from 3.14.1 amalgamation package
It turns out this change between 3.12.2 and 3.13 introduces
a 2% increase of build time based on statistic data in
bz10367.

The added patch is forged by diffing the new sqlite3.c
generated from reverting the change in raw source of sqlite3
project, and then manually migrate the delta to a sqlite3.c
from the 3.14.1 tarball package because what recipes reference
is actually a generated C code (amalgamation) release package
and we cannot apply the real change to 3.14.1 cleanly due to
so many changes happened.

Fixes [YOCTO #10367]

(From OE-Core rev: dda0c80019b181a5e323a82d346f86c6fffb6756)

Signed-off-by: Jianxun Zhang <jianxun.zhang@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-10-15 10:01:43 +01:00
Kai Kang 351c69a022 sqlite: 3.8.10.2 -> 3.9.0
Upgrade sqlite from 3.8.10.2 to 3.9.0.

* update python function to get right SRC_URI
* drop 0001-using-the-dynamic-library.patch which use dynamic library
  that it is done that way in new version

(From OE-Core rev: a23ddbd2e197cfa1ebc829e0d83b8997dc24cec7)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-11-16 11:39:32 +00:00
Roy Li b5ba70b47f sqlite3: upgrade to 3.8.10
upgrade to include CVE fixes:
    CVE-2015-3414
    CVE-2015-3415
    CVE-2015-3416

(From OE-Core rev: 346505144a18b738846b9d5bc6f146426d3572ba)

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-05-20 21:41:10 +01:00