public inbox for openembedded-core@lists.openembedded.org
From: Niko Mauno <niko.mauno@vaisala.com>
To: steve@sakoman.com, openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
Date: Fri, 29 Aug 2025 14:25:41 +0300
Message-ID: <2fb2bcfc-0bac-4d26-a78f-838084bd67b0@vaisala.com>
In-Reply-To: <4d5093e5103016c08b3a32fd83b1ec9edd87cd5a.1754412086.git.steve@sakoman.com>

We have found that since this patch SELECT queries with COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.

# sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
Segmentation fault (core dumped)

-Niko

On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> Pick patch [1] listed in [2].
> Also pick another patch which is precondition to this one introducing
> variable needed for the check.
> 
> [1] https://sqlite.org/src/info/12ad822d9b827777
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>   ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
>   .../sqlite/files/CVE-2025-7458.patch          | 32 +++++++
>   meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  2 +
>   3 files changed, 125 insertions(+)
>   create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
>   create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> 
> diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> new file mode 100644
> index 0000000000..8fb037bb0f
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> @@ -0,0 +1,91 @@
> +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001
> +From: drh <>
> +Date: Sat, 22 Oct 2022 14:16:02 +0000
> +Subject: [PATCH] This branch attempts to improve the detection of covering
> + indexes.  This first check-in merely improves a parameter name to
> + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
> + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> + faster.
> +
> +FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> +
> +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + sqlite3.c | 28 +++++++++++++---------------
> + 1 file changed, 13 insertions(+), 15 deletions(-)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 4cbc2d0..b7ed991 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> +   ExprList *pOrderBy;       /* The ORDER BY clause or NULL */
> +   ExprList *pResultSet;     /* Result set of the query */
> +   Expr *pWhere;             /* The complete WHERE clause */
> +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> +-  Select *pLimit;           /* Used to access LIMIT expr/registers for vtabs */
> +-#endif
> ++  Select *pSelect;          /* The entire SELECT statement containing WHERE */
> +   int aiCurOnePass[2];      /* OP_OpenWrite cursors for the ONEPASS opt */
> +   int iContinue;            /* Jump here to continue with next record */
> +   int iBreak;               /* Jump here to break out of the loop */
> +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
> +          && pLoop->u.vtab.bOmitOffset
> +         ){
> +           assert( pTerm->eOperator==WO_AUX );
> +-          assert( pWInfo->pLimit!=0 );
> +-          assert( pWInfo->pLimit->iOffset>0 );
> +-          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> ++          assert( pWInfo->pSelect!=0 );
> ++          assert( pWInfo->pSelect->iOffset>0 );
> ++          sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> +           VdbeComment((v,"Zero OFFSET counter"));
> +         }
> +       }
> +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> + ** exist only so that they may be passed to the xBestIndex method of the
> + ** single virtual table in the FROM clause of the SELECT.
> + */
> +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> +-  assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) );
> +-  if( (p && p->pLimit)                                          /* 1 */
> +-   && (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> ++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> ++  assert( p!=0 && p->pLimit!=0 );                 /* 1 -- checked by caller */
> ++  assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> ++  if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0             /* 2 */
> +    && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))       /* 3 */
> +   ){
> +     ExprList *pOrderBy = p->pOrderBy;
> +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> +   Expr *pWhere,           /* The WHERE clause */
> +   ExprList *pOrderBy,     /* An ORDER BY (or GROUP BY) clause, or NULL */
> +   ExprList *pResultSet,   /* Query result set.  Req'd for DISTINCT */
> +-  Select *pLimit,         /* Use this LIMIT/OFFSET clause, if any */
> ++  Select *pSelect,        /* The entire SELECT statement */
> +   u16 wctrlFlags,         /* The WHERE_* flags defined in sqliteInt.h */
> +   int iAuxArg             /* If WHERE_OR_SUBCLAUSE is set, index cursor number
> +                           ** If WHERE_USE_LIMIT, then the limit amount */
> +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> +   pWInfo->wctrlFlags = wctrlFlags;
> +   pWInfo->iLimit = iAuxArg;
> +   pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> +-  pWInfo->pLimit = pLimit;
> +-#endif
> ++  pWInfo->pSelect = pSelect;
> +   memset(&pWInfo->nOBSat, 0,
> +          offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> +   memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> +
> +   /* Analyze all of the subexpressions. */
> +   sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> +-  sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> ++  if( pSelect && pSelect->pLimit ){
> ++    sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> ++  }
> +   if( db->mallocFailed ) goto whereBeginError;
> +
> +   /* Special case: WHERE terms that do not refer to any tables in the join
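
Review bot: In the sqlite3WhereBegin() hunks the parameter and the WhereInfo field are renamed from pLimit to pSelect and documented as "The entire SELECT statement", but no call site is touched by this backport (the diffstat is fully accounted for by the hunks shown), so any caller that passed 0 for pLimit still passes 0 for pSelect. The new guard `if( pSelect && pSelect->pLimit ){` confirms the pointer is treated as nullable. Please state that in the patch header or in the field comment (for example "may be NULL"), so that patches stacked on top of this one do not dereference pWInfo->pSelect unconditionally.
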
> diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> new file mode 100644
> index 0000000000..6b041d9332
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> @@ -0,0 +1,32 @@
> +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001
> +From: drh <>
> +Date: Thu, 16 Mar 2023 20:54:29 +0000
> +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the
> + result set terms are constant and there are more result set terms than ORDER
> + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> + [d6fd512f50513ab7].
> +
> +FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> +
> +CVE: CVE-2025-7458
> +Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + sqlite3.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 19d0438..6d92184 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
> +       if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> +         pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> +       }
> ++      if( pWInfo->pSelect->pOrderBy
> ++       && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> ++        pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> ++      }
> +     }else{
> +       pWInfo->nOBSat = pFrom->isOrdered;
> +       pWInfo->revMask = pFrom->revLoop;
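
Review bot: The added condition in wherePathSolver() reads pWInfo->pSelect->pOrderBy with no NULL test on pWInfo->pSelect, while the prerequisite patch in this series treats the same pointer as optional (`if( pSelect && pSelect->pLimit ){` in sqlite3WhereBegin()). If any path reaches this branch with pSelect==0 the dereference crashes, which is worth ruling out against the count(distinct(x)) segfault reported at the top of this reply. Either guard it, `if( pWInfo->pSelect && pWInfo->pSelect->pOrderBy`, or confirm that every sqlite3WhereBegin() caller in 3.38.5 passes a non-NULL Select. Minor: the Upstream-Status URL lacks the https:// scheme that the prerequisite patch uses.
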
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> index 656e2d8bd8..86d9b4b33b 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
>              file://CVE-2023-7104.patch \
>              file://CVE-2025-29088.patch \
>              file://CVE-2025-6965.patch \
> +           file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \
> +           file://CVE-2025-7458.patch \
>              "
>   SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
>   
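
Review bot: The first added SRC_URI entry, 0001-This-branch-attempts-to-improve-the-detection-of-cov.patch, gives no hint that it is carried only as a precondition for CVE-2025-7458.patch on the next line, and its header has no CVE: tag. A file name that ties the two together, or a sentence in the prerequisite's header saying which patch needs it, would keep someone from dropping or reordering it later; the order shown here, prerequisite first, is the one that has to be preserved.
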