* [OE-core][kirkstone 1/4] avahi: fix CVE-2024-52615
From: Steve Sakoman @ 2025-08-05 16:43 UTC (permalink / raw)
To: openembedded-core
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2024-52615:
A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area
DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-52615]
[https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g]
Upstream patches:
[https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2024-52615.patch | 228 ++++++++++++++++++
2 files changed, 229 insertions(+)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index b3739ad2c0..20b2791ef3 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -36,6 +36,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://CVE-2023-38472.patch \
file://CVE-2023-38473.patch \
file://CVE-2024-52616.patch \
+ file://CVE-2024-52615.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch
new file mode 100644
index 0000000000..9737f52837
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch
@@ -0,0 +1,228 @@
+From 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 27 Nov 2024 18:07:32 +0100
+Subject: [PATCH] core/wide-area: fix for CVE-2024-52615
+
+CVE: CVE-2024-52615
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ avahi-core/wide-area.c | 128 ++++++++++++++++++++++-------------------
+ 1 file changed, 69 insertions(+), 59 deletions(-)
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index 00a15056e..06df7afc6 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -81,6 +81,10 @@ struct AvahiWideAreaLookup {
+
+ AvahiAddress dns_server_used;
+
++ int fd;
++ AvahiWatch *watch;
++ AvahiProtocol proto;
++
+ AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, lookups);
+ AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, by_key);
+ };
+@@ -88,9 +92,6 @@ struct AvahiWideAreaLookup {
+ struct AvahiWideAreaLookupEngine {
+ AvahiServer *server;
+
+- int fd_ipv4, fd_ipv6;
+- AvahiWatch *watch_ipv4, *watch_ipv6;
+-
+ /* Cache */
+ AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+ AvahiHashmap *cache_by_key;
+@@ -125,35 +126,67 @@ static AvahiWideAreaLookup* find_lookup(AvahiWideAreaLookupEngine *e, uint16_t i
+ return l;
+ }
+
++static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata);
++
+ static int send_to_dns_server(AvahiWideAreaLookup *l, AvahiDnsPacket *p) {
++ AvahiWideAreaLookupEngine *e;
+ AvahiAddress *a;
++ AvahiServer *s;
++ AvahiWatch *w;
++ int r;
+
+ assert(l);
+ assert(p);
+
+- if (l->engine->n_dns_servers <= 0)
++ e = l->engine;
++ assert(e);
++
++ s = e->server;
++ assert(s);
++
++ if (e->n_dns_servers <= 0)
+ return -1;
+
+- assert(l->engine->current_dns_server < l->engine->n_dns_servers);
++ assert(e->current_dns_server < e->n_dns_servers);
+
+- a = &l->engine->dns_servers[l->engine->current_dns_server];
++ a = &e->dns_servers[e->current_dns_server];
+ l->dns_server_used = *a;
+
+- if (a->proto == AVAHI_PROTO_INET) {
++ if (l->fd >= 0) {
++ /* We are reusing lookup object and sending packet to another server so let's cleanup before we establish connection to new server. */
++ s->poll_api->watch_free(l->watch);
++ l->watch = NULL;
+
+- if (l->engine->fd_ipv4 < 0)
+- return -1;
++ close(l->fd);
++ l->fd = -EBADF;
++ }
+
+- return avahi_send_dns_packet_ipv4(l->engine->fd_ipv4, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT);
++ assert(a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6);
+
+- } else {
+- assert(a->proto == AVAHI_PROTO_INET6);
++ if (a->proto == AVAHI_PROTO_INET)
++ r = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
++ else
++ r = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
+
+- if (l->engine->fd_ipv6 < 0)
+- return -1;
++ if (r < 0) {
++ avahi_log_error(__FILE__ ": Failed to create socket for wide area lookup");
++ return -1;
++ }
+
+- return avahi_send_dns_packet_ipv6(l->engine->fd_ipv6, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT);
++ w = s->poll_api->watch_new(s->poll_api, r, AVAHI_WATCH_IN, socket_event, l);
++ if (!w) {
++ close(r);
++ avahi_log_error(__FILE__ ": Failed to create socket watch for wide area lookup");
++ return -1;
+ }
++
++ l->fd = r;
++ l->watch = w;
++ l->proto = a->proto;
++
++ return a->proto == AVAHI_PROTO_INET ?
++ avahi_send_dns_packet_ipv4(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT):
++ avahi_send_dns_packet_ipv6(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT);
+ }
+
+ static void next_dns_server(AvahiWideAreaLookupEngine *e) {
+@@ -246,6 +279,9 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+ l->dead = 0;
+ l->key = avahi_key_ref(key);
+ l->cname_key = avahi_key_new_cname(l->key);
++ l->fd = -EBADF;
++ l->watch = NULL;
++ l->proto = AVAHI_PROTO_UNSPEC;
+ l->callback = callback;
+ l->userdata = userdata;
+
+@@ -314,6 +350,12 @@ static void lookup_destroy(AvahiWideAreaLookup *l) {
+ if (l->cname_key)
+ avahi_key_unref(l->cname_key);
+
++ if (l->watch)
++ l->engine->server->poll_api->watch_free(l->watch);
++
++ if (l->fd >= 0)
++ close(l->fd);
++
+ avahi_free(l);
+ }
+
+@@ -572,14 +614,20 @@ static void handle_packet(AvahiWideAreaLookupEngine *e, AvahiDnsPacket *p) {
+ }
+
+ static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata) {
+- AvahiWideAreaLookupEngine *e = userdata;
++ AvahiWideAreaLookup *l = userdata;
++ AvahiWideAreaLookupEngine *e = l->engine;
+ AvahiDnsPacket *p = NULL;
+
+- if (fd == e->fd_ipv4)
+- p = avahi_recv_dns_packet_ipv4(e->fd_ipv4, NULL, NULL, NULL, NULL, NULL);
++ assert(l);
++ assert(e);
++ assert(l->fd == fd);
++
++ if (l->proto == AVAHI_PROTO_INET)
++ p = avahi_recv_dns_packet_ipv4(l->fd, NULL, NULL, NULL, NULL, NULL);
+ else {
+- assert(fd == e->fd_ipv6);
+- p = avahi_recv_dns_packet_ipv6(e->fd_ipv6, NULL, NULL, NULL, NULL, NULL);
++ assert(l->proto == AVAHI_PROTO_INET6);
++
++ p = avahi_recv_dns_packet_ipv6(l->fd, NULL, NULL, NULL, NULL, NULL);
+ }
+
+ if (p) {
+@@ -598,32 +646,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+ e->server = s;
+ e->cleanup_dead = 0;
+
+- /* Create sockets */
+- e->fd_ipv4 = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
+- e->fd_ipv6 = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
+-
+- if (e->fd_ipv4 < 0 && e->fd_ipv6 < 0) {
+- avahi_log_error(__FILE__": Failed to create wide area sockets: %s", strerror(errno));
+-
+- if (e->fd_ipv6 >= 0)
+- close(e->fd_ipv6);
+-
+- if (e->fd_ipv4 >= 0)
+- close(e->fd_ipv4);
+-
+- avahi_free(e);
+- return NULL;
+- }
+-
+- /* Create watches */
+-
+- e->watch_ipv4 = e->watch_ipv6 = NULL;
+-
+- if (e->fd_ipv4 >= 0)
+- e->watch_ipv4 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv4, AVAHI_WATCH_IN, socket_event, e);
+- if (e->fd_ipv6 >= 0)
+- e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+-
+ e->n_dns_servers = e->current_dns_server = 0;
+
+ /* Initialize cache */
+@@ -651,18 +673,6 @@ void avahi_wide_area_engine_free(AvahiWideAreaLookupEngine *e) {
+ avahi_hashmap_free(e->lookups_by_id);
+ avahi_hashmap_free(e->lookups_by_key);
+
+- if (e->watch_ipv4)
+- e->server->poll_api->watch_free(e->watch_ipv4);
+-
+- if (e->watch_ipv6)
+- e->server->poll_api->watch_free(e->watch_ipv6);
+-
+- if (e->fd_ipv6 >= 0)
+- close(e->fd_ipv6);
+-
+- if (e->fd_ipv4 >= 0)
+- close(e->fd_ipv4);
+-
+ avahi_free(e);
+ }
+
+@@ -680,7 +690,7 @@ void avahi_wide_area_set_servers(AvahiWideAreaLookupEngine *e, const AvahiAddres
+
+ if (a) {
+ for (e->n_dns_servers = 0; n > 0 && e->n_dns_servers < AVAHI_WIDE_AREA_SERVERS_MAX; a++, n--)
+- if ((a->proto == AVAHI_PROTO_INET && e->fd_ipv4 >= 0) || (a->proto == AVAHI_PROTO_INET6 && e->fd_ipv6 >= 0))
++ if (a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6)
+ e->dns_servers[e->n_dns_servers++] = *a;
+ } else {
+ assert(n == 0);
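Review bot: In the socket_event hunk of the embedded patch, `AvahiWideAreaLookupEngine *e = l->engine;` dereferences `l` before the added `assert(l);`, so that assertion can never catch a NULL userdata; declare `e` without an initializer and assign `e = l->engine;` after `assert(l);`. The hunk ends at `if (p) {`, so the dispatch is not visible, but handle_packet's signature in the hunk header takes only the engine and the packet, which suggests a reply is matched to a lookup by its DNS ID and not by the socket it arrived on. It is worth confirming in handle_packet that a reply received on one lookup's socket cannot complete a different lookup, since the per-lookup socket is what this fix adds. The error messages added in send_to_dns_server also drop the `strerror(errno)` detail that the removed engine-level message carried, which makes a descriptor-exhaustion failure harder to diagnose from logs.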
--
2.43.0
^ permalink raw reply related [flat|nested] 19+ messages in thread* [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
From: Steve Sakoman @ 2025-08-05 16:43 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch [1] listed in [2].
Also pick another patch that is a precondition for this one: it introduces the
variable needed for the check.
[1] https://sqlite.org/src/info/12ad822d9b827777
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
.../sqlite/files/CVE-2025-7458.patch | 32 +++++++
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +
3 files changed, 125 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
new file mode 100644
index 0000000000..8fb037bb0f
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
@@ -0,0 +1,91 @@
+From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Sat, 22 Oct 2022 14:16:02 +0000
+Subject: [PATCH] This branch attempts to improve the detection of covering
+ indexes. This first check-in merely improves a parameter name to
+ sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
+ that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
+ faster.
+
+FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
+
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sqlite3.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 4cbc2d0..b7ed991 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -147371,9 +147371,7 @@ struct WhereInfo {
+ ExprList *pOrderBy; /* The ORDER BY clause or NULL */
+ ExprList *pResultSet; /* Result set of the query */
+ Expr *pWhere; /* The complete WHERE clause */
+-#ifndef SQLITE_OMIT_VIRTUALTABLE
+- Select *pLimit; /* Used to access LIMIT expr/registers for vtabs */
+-#endif
++ Select *pSelect; /* The entire SELECT statement containing WHERE */
+ int aiCurOnePass[2]; /* OP_OpenWrite cursors for the ONEPASS opt */
+ int iContinue; /* Jump here to continue with next record */
+ int iBreak; /* Jump here to break out of the loop */
+@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
+ && pLoop->u.vtab.bOmitOffset
+ ){
+ assert( pTerm->eOperator==WO_AUX );
+- assert( pWInfo->pLimit!=0 );
+- assert( pWInfo->pLimit->iOffset>0 );
+- sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
++ assert( pWInfo->pSelect!=0 );
++ assert( pWInfo->pSelect->iOffset>0 );
++ sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
+ VdbeComment((v,"Zero OFFSET counter"));
+ }
+ }
+@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
+ ** exist only so that they may be passed to the xBestIndex method of the
+ ** single virtual table in the FROM clause of the SELECT.
+ */
+-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
+- assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) );
+- if( (p && p->pLimit) /* 1 */
+- && (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
++ assert( p!=0 && p->pLimit!=0 ); /* 1 -- checked by caller */
++ assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
++ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
+ && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab)) /* 3 */
+ ){
+ ExprList *pOrderBy = p->pOrderBy;
+@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
+ Expr *pWhere, /* The WHERE clause */
+ ExprList *pOrderBy, /* An ORDER BY (or GROUP BY) clause, or NULL */
+ ExprList *pResultSet, /* Query result set. Req'd for DISTINCT */
+- Select *pLimit, /* Use this LIMIT/OFFSET clause, if any */
++ Select *pSelect, /* The entire SELECT statement */
+ u16 wctrlFlags, /* The WHERE_* flags defined in sqliteInt.h */
+ int iAuxArg /* If WHERE_OR_SUBCLAUSE is set, index cursor number
+ ** If WHERE_USE_LIMIT, then the limit amount */
+@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
+ pWInfo->wctrlFlags = wctrlFlags;
+ pWInfo->iLimit = iAuxArg;
+ pWInfo->savedNQueryLoop = pParse->nQueryLoop;
+-#ifndef SQLITE_OMIT_VIRTUALTABLE
+- pWInfo->pLimit = pLimit;
+-#endif
++ pWInfo->pSelect = pSelect;
+ memset(&pWInfo->nOBSat, 0,
+ offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
+ memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
+@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
+
+ /* Analyze all of the subexpressions. */
+ sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
+- sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
++ if( pSelect && pSelect->pLimit ){
++ sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
++ }
+ if( db->mallocFailed ) goto whereBeginError;
+
+ /* Special case: WHERE terms that do not refer to any tables in the join
diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
new file mode 100644
index 0000000000..6b041d9332
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
@@ -0,0 +1,32 @@
+From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Thu, 16 Mar 2023 20:54:29 +0000
+Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the
+ result set terms are constant and there are more result set terms than ORDER
+ BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
+ [d6fd512f50513ab7].
+
+FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
+
+CVE: CVE-2025-7458
+Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sqlite3.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 19d0438..6d92184 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
+ if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
+ pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
+ }
++ if( pWInfo->pSelect->pOrderBy
++ && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
++ pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
++ }
+ }else{
+ pWInfo->nOBSat = pFrom->isOrdered;
+ pWInfo->revMask = pFrom->revLoop;
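Review bot: The added clamp in wherePathSolver reads `pWInfo->pSelect->pOrderBy` without first checking `pWInfo->pSelect`, while the prerequisite patch in this series stores the sqlite3WhereBegin() argument as-is (`pWInfo->pSelect = pSelect;`) and tests `if( pSelect && pSelect->pLimit )`, which implies the pointer can be NULL. The call sites of sqlite3WhereBegin() in this 3.38.5 tree are outside the hunks, so either confirm that every one of them passes the SELECT, or guard the access with `if( pWInfo->pSelect && pWInfo->pSelect->pOrderBy`. wherePathSolver's body starts and ends outside the hunk, so the surrounding branch conditions should be checked against the backported tree and not against upstream trunk.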
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 656e2d8bd8..86d9b4b33b 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2023-7104.patch \
file://CVE-2025-29088.patch \
file://CVE-2025-6965.patch \
+ file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \
+ file://CVE-2025-7458.patch \
"
SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
--
2.43.0
^ permalink raw reply related [flat|nested] 19+ messages in thread* Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
From: Niko Mauno @ 2025-08-29 11:25 UTC (permalink / raw)
To: steve, openembedded-core
We have found that since this patch SELECT queries with COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
# sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
Segmentation fault (core dumped)
-Niko
On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick patch [1] listed in [2].
> Also pick another patch which is precondition to this one introducing
> variable needed for the check.
>
> [1] https://sqlite.org/src/info/12ad822d9b827777
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
> .../sqlite/files/CVE-2025-7458.patch | 32 +++++++
> meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +
> 3 files changed, 125 insertions(+)
> create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
>
> diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> new file mode 100644
> index 0000000000..8fb037bb0f
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> @@ -0,0 +1,91 @@
> +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001
> +From: drh <>
> +Date: Sat, 22 Oct 2022 14:16:02 +0000
> +Subject: [PATCH] This branch attempts to improve the detection of covering
> + indexes. This first check-in merely improves a parameter name to
> + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
> + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> + faster.
> +
> +FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> +
> +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + sqlite3.c | 28 +++++++++++++---------------
> + 1 file changed, 13 insertions(+), 15 deletions(-)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 4cbc2d0..b7ed991 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> + ExprList *pOrderBy; /* The ORDER BY clause or NULL */
> + ExprList *pResultSet; /* Result set of the query */
> + Expr *pWhere; /* The complete WHERE clause */
> +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> +- Select *pLimit; /* Used to access LIMIT expr/registers for vtabs */
> +-#endif
> ++ Select *pSelect; /* The entire SELECT statement containing WHERE */
> + int aiCurOnePass[2]; /* OP_OpenWrite cursors for the ONEPASS opt */
> + int iContinue; /* Jump here to continue with next record */
> + int iBreak; /* Jump here to break out of the loop */
> +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
> + && pLoop->u.vtab.bOmitOffset
> + ){
> + assert( pTerm->eOperator==WO_AUX );
> +- assert( pWInfo->pLimit!=0 );
> +- assert( pWInfo->pLimit->iOffset>0 );
> +- sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> ++ assert( pWInfo->pSelect!=0 );
> ++ assert( pWInfo->pSelect->iOffset>0 );
> ++ sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> + VdbeComment((v,"Zero OFFSET counter"));
> + }
> + }
> +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> + ** exist only so that they may be passed to the xBestIndex method of the
> + ** single virtual table in the FROM clause of the SELECT.
> + */
> +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> +- assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) );
> +- if( (p && p->pLimit) /* 1 */
> +- && (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> ++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> ++ assert( p!=0 && p->pLimit!=0 ); /* 1 -- checked by caller */
> ++ assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> ++ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> + && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab)) /* 3 */
> + ){
> + ExprList *pOrderBy = p->pOrderBy;
> +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> + Expr *pWhere, /* The WHERE clause */
> + ExprList *pOrderBy, /* An ORDER BY (or GROUP BY) clause, or NULL */
> + ExprList *pResultSet, /* Query result set. Req'd for DISTINCT */
> +- Select *pLimit, /* Use this LIMIT/OFFSET clause, if any */
> ++ Select *pSelect, /* The entire SELECT statement */
> + u16 wctrlFlags, /* The WHERE_* flags defined in sqliteInt.h */
> + int iAuxArg /* If WHERE_OR_SUBCLAUSE is set, index cursor number
> + ** If WHERE_USE_LIMIT, then the limit amount */
> +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> + pWInfo->wctrlFlags = wctrlFlags;
> + pWInfo->iLimit = iAuxArg;
> + pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> +- pWInfo->pLimit = pLimit;
> +-#endif
> ++ pWInfo->pSelect = pSelect;
> + memset(&pWInfo->nOBSat, 0,
> + offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> + memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> +
> + /* Analyze all of the subexpressions. */
> + sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> +- sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> ++ if( pSelect && pSelect->pLimit ){
> ++ sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> ++ }
> + if( db->mallocFailed ) goto whereBeginError;
> +
> + /* Special case: WHERE terms that do not refer to any tables in the join
> diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> new file mode 100644
> index 0000000000..6b041d9332
> --- /dev/null
> +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> @@ -0,0 +1,32 @@
> +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001
> +From: drh <>
> +Date: Thu, 16 Mar 2023 20:54:29 +0000
> +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the
> + result set terms are constant and there are more result set terms than ORDER
> + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> + [d6fd512f50513ab7].
> +
> +FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> +
> +CVE: CVE-2025-7458
> +Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + sqlite3.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/sqlite3.c b/sqlite3.c
> +index 19d0438..6d92184 100644
> +--- a/sqlite3.c
> ++++ b/sqlite3.c
> +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
> + if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> + pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> + }
> ++ if( pWInfo->pSelect->pOrderBy
> ++ && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> ++ pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> ++ }
> + }else{
> + pWInfo->nOBSat = pFrom->isOrdered;
> + pWInfo->revMask = pFrom->revLoop;
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> index 656e2d8bd8..86d9b4b33b 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
> file://CVE-2023-7104.patch \
> file://CVE-2025-29088.patch \
> file://CVE-2025-6965.patch \
> + file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \
> + file://CVE-2025-7458.patch \
> "
> SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
>
>
>
>
>
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
From: Steve Sakoman @ 2025-08-29 15:37 UTC (permalink / raw)
To: Marko, Peter; +Cc: openembedded-core, Niko Mauno
On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com> wrote:
>
> We have found that since this patch SELECT queries with COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
>
> # sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
> Segmentation fault (core dumped)
Hi Peter,
Could you check this to see if you can reproduce it?
If so, we should revert this patch.
Steve
> On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Pick patch [1] listed in [2].
> > Also pick another patch which is precondition to this one introducing
> > variable needed for the check.
> >
> > [1] https://sqlite.org/src/info/12ad822d9b827777
> > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> > ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
> > .../sqlite/files/CVE-2025-7458.patch | 32 +++++++
> > meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +
> > 3 files changed, 125 insertions(+)
> > create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> > create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> >
> > diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> > new file mode 100644
> > index 0000000000..8fb037bb0f
> > --- /dev/null
> > +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
> > @@ -0,0 +1,91 @@
> > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001
> > +From: drh <>
> > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > +Subject: [PATCH] This branch attempts to improve the detection of covering
> > + indexes. This first check-in merely improves a parameter name to
> > + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
> > + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> > + faster.
> > +
> > +FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > +
> > +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2]
> > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > +---
> > + sqlite3.c | 28 +++++++++++++---------------
> > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > +
> > +diff --git a/sqlite3.c b/sqlite3.c
> > +index 4cbc2d0..b7ed991 100644
> > +--- a/sqlite3.c
> > ++++ b/sqlite3.c
> > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > + ExprList *pOrderBy; /* The ORDER BY clause or NULL */
> > + ExprList *pResultSet; /* Result set of the query */
> > + Expr *pWhere; /* The complete WHERE clause */
> > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > +- Select *pLimit; /* Used to access LIMIT expr/registers for vtabs */
> > +-#endif
> > ++ Select *pSelect; /* The entire SELECT statement containing WHERE */
> > + int aiCurOnePass[2]; /* OP_OpenWrite cursors for the ONEPASS opt */
> > + int iContinue; /* Jump here to continue with next record */
> > + int iBreak; /* Jump here to break out of the loop */
> > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
> > + && pLoop->u.vtab.bOmitOffset
> > + ){
> > + assert( pTerm->eOperator==WO_AUX );
> > +- assert( pWInfo->pLimit!=0 );
> > +- assert( pWInfo->pLimit->iOffset>0 );
> > +- sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> > ++ assert( pWInfo->pSelect!=0 );
> > ++ assert( pWInfo->pSelect->iOffset>0 );
> > ++ sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> > + VdbeComment((v,"Zero OFFSET counter"));
> > + }
> > + }
> > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > + ** exist only so that they may be passed to the xBestIndex method of the
> > + ** single virtual table in the FROM clause of the SELECT.
> > + */
> > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > +- assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) );
> > +- if( (p && p->pLimit) /* 1 */
> > +- && (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> > ++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > ++ assert( p!=0 && p->pLimit!=0 ); /* 1 -- checked by caller */
> > ++ assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > ++ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> > + && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab)) /* 3 */
> > + ){
> > + ExprList *pOrderBy = p->pOrderBy;
> > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> > + Expr *pWhere, /* The WHERE clause */
> > + ExprList *pOrderBy, /* An ORDER BY (or GROUP BY) clause, or NULL */
> > + ExprList *pResultSet, /* Query result set. Req'd for DISTINCT */
> > +- Select *pLimit, /* Use this LIMIT/OFFSET clause, if any */
> > ++ Select *pSelect, /* The entire SELECT statement */
> > + u16 wctrlFlags, /* The WHERE_* flags defined in sqliteInt.h */
> > + int iAuxArg /* If WHERE_OR_SUBCLAUSE is set, index cursor number
> > + ** If WHERE_USE_LIMIT, then the limit amount */
> > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> > + pWInfo->wctrlFlags = wctrlFlags;
> > + pWInfo->iLimit = iAuxArg;
> > + pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > +- pWInfo->pLimit = pLimit;
> > +-#endif
> > ++ pWInfo->pSelect = pSelect;
> > + memset(&pWInfo->nOBSat, 0,
> > + offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > + memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin(
> > +
> > + /* Analyze all of the subexpressions. */
> > + sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > +- sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > ++ if( pSelect && pSelect->pLimit ){
> > ++ sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > ++ }
> > + if( db->mallocFailed ) goto whereBeginError;
> > +
> > + /* Special case: WHERE terms that do not refer to any tables in the join
> > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > new file mode 100644
> > index 0000000000..6b041d9332
> > --- /dev/null
> > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > @@ -0,0 +1,32 @@
> > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001
> > +From: drh <>
> > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the
> > + result set terms are constant and there are more result set terms than ORDER
> > + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> > + [d6fd512f50513ab7].
> > +
> > +FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > +
> > +CVE: CVE-2025-7458
> > +Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > +---
> > + sqlite3.c | 4 ++++
> > + 1 file changed, 4 insertions(+)
> > +
> > +diff --git a/sqlite3.c b/sqlite3.c
> > +index 19d0438..6d92184 100644
> > +--- a/sqlite3.c
> > ++++ b/sqlite3.c
> > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){
> > + if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > + pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > + }
> > ++ if( pWInfo->pSelect->pOrderBy
> > ++ && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > ++ pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > ++ }
> > + }else{
> > + pWInfo->nOBSat = pFrom->isOrdered;
> > + pWInfo->revMask = pFrom->revLoop;
> > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > index 656e2d8bd8..86d9b4b33b 100644
> > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
> > file://CVE-2023-7104.patch \
> > file://CVE-2025-29088.patch \
> > file://CVE-2025-6965.patch \
> > + file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \
> > + file://CVE-2025-7458.patch \
> > "
> > SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> >
> >
> >
> >
> >
>
^ permalink raw reply [flat|nested] 19+ messages in thread* RE: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
From: Marko, Peter @ 2025-08-31 21:12 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core@lists.openembedded.org, Niko Mauno
> -----Original Message-----
> From: Steve Sakoman <steve@sakoman.com>
> Sent: Friday, August 29, 2025 17:38
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> <niko.mauno@vaisala.com>
> Subject: Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
>
> On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com> wrote:
> >
> > We have found that since this patch SELECT queries with
> COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
> >
> > # sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
> > Segmentation fault (core dumped)
>
> Hi Peter,
>
> Could you check this to see if you can reproduce it?
I'll be offline for next two weeks, please revert and I'll check it when I'm back.
>
> If so, we should revert this patch.
>
> Steve
>
> > On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Pick patch [1] listed in [2].
> > > Also pick another patch which is precondition to this one introducing
> > > variable needed for the check.
> > >
> > > [1] https://sqlite.org/src/info/12ad822d9b827777
> > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> > >
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > ---
> > > ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++
> > > .../sqlite/files/CVE-2025-7458.patch | 32 +++++++
> > > meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +
> > > 3 files changed, 125 insertions(+)
> > > create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-
> attempts-to-improve-the-detection-of-cov.patch
> > > create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > >
> > > diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-
> branch-attempts-to-improve-the-detection-of-cov.patch
> > > new file mode 100644
> > > index 0000000000..8fb037bb0f
> > > --- /dev/null
> > > +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> improve-the-detection-of-cov.patch
> > > @@ -0,0 +1,91 @@
> > > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00
> 2001
> > > +From: drh <>
> > > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > > +Subject: [PATCH] This branch attempts to improve the detection of covering
> > > + indexes. This first check-in merely improves a parameter name to
> > > + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures
> > > + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> > > + faster.
> > > +
> > > +FossilOrigin-Name:
> cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > > +
> > > +Upstream-Status: Backport
> [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a051550238
> 6fe2]
> > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > +---
> > > + sqlite3.c | 28 +++++++++++++---------------
> > > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > > +
> > > +diff --git a/sqlite3.c b/sqlite3.c
> > > +index 4cbc2d0..b7ed991 100644
> > > +--- a/sqlite3.c
> > > ++++ b/sqlite3.c
> > > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > > + ExprList *pOrderBy; /* The ORDER BY clause or NULL */
> > > + ExprList *pResultSet; /* Result set of the query */
> > > + Expr *pWhere; /* The complete WHERE clause */
> > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > +- Select *pLimit; /* Used to access LIMIT expr/registers for vtabs */
> > > +-#endif
> > > ++ Select *pSelect; /* The entire SELECT statement containing
> WHERE */
> > > + int aiCurOnePass[2]; /* OP_OpenWrite cursors for the ONEPASS opt */
> > > + int iContinue; /* Jump here to continue with next record */
> > > + int iBreak; /* Jump here to break out of the loop */
> > > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask
> sqlite3WhereCodeOneLoopStart(
> > > + && pLoop->u.vtab.bOmitOffset
> > > + ){
> > > + assert( pTerm->eOperator==WO_AUX );
> > > +- assert( pWInfo->pLimit!=0 );
> > > +- assert( pWInfo->pLimit->iOffset>0 );
> > > +- sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> > > ++ assert( pWInfo->pSelect!=0 );
> > > ++ assert( pWInfo->pSelect->iOffset>0 );
> > > ++ sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> > > + VdbeComment((v,"Zero OFFSET counter"));
> > > + }
> > > + }
> > > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > > + ** exist only so that they may be passed to the xBestIndex method of the
> > > + ** single virtual table in the FROM clause of the SELECT.
> > > + */
> > > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select
> *p){
> > > +- assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0)
> );
> > > +- if( (p && p->pLimit) /* 1 */
> > > +- && (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> > > ++SQLITE_PRIVATE void SQLITE_NOINLINE
> sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > > ++ assert( p!=0 && p->pLimit!=0 ); /* 1 -- checked by caller */
> > > ++ assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > > ++ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> > > + && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab)) /* 3 */
> > > + ){
> > > + ExprList *pOrderBy = p->pOrderBy;
> > > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo
> *sqlite3WhereBegin(
> > > + Expr *pWhere, /* The WHERE clause */
> > > + ExprList *pOrderBy, /* An ORDER BY (or GROUP BY) clause, or NULL
> */
> > > + ExprList *pResultSet, /* Query result set. Req'd for DISTINCT */
> > > +- Select *pLimit, /* Use this LIMIT/OFFSET clause, if any */
> > > ++ Select *pSelect, /* The entire SELECT statement */
> > > + u16 wctrlFlags, /* The WHERE_* flags defined in sqliteInt.h */
> > > + int iAuxArg /* If WHERE_OR_SUBCLAUSE is set, index cursor
> number
> > > + ** If WHERE_USE_LIMIT, then the limit amount */
> > > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo
> *sqlite3WhereBegin(
> > > + pWInfo->wctrlFlags = wctrlFlags;
> > > + pWInfo->iLimit = iAuxArg;
> > > + pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > +- pWInfo->pLimit = pLimit;
> > > +-#endif
> > > ++ pWInfo->pSelect = pSelect;
> > > + memset(&pWInfo->nOBSat, 0,
> > > + offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > > + memset(&pWInfo->a[0], 0,
> sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo
> *sqlite3WhereBegin(
> > > +
> > > + /* Analyze all of the subexpressions. */
> > > + sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > > +- sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > > ++ if( pSelect && pSelect->pLimit ){
> > > ++ sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > > ++ }
> > > + if( db->mallocFailed ) goto whereBeginError;
> > > +
> > > + /* Special case: WHERE terms that do not refer to any tables in the join
> > > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > new file mode 100644
> > > index 0000000000..6b041d9332
> > > --- /dev/null
> > > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > @@ -0,0 +1,32 @@
> > > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00
> 2001
> > > +From: drh <>
> > > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when
> all of the
> > > + result set terms are constant and there are more result set terms than
> ORDER
> > > + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> > > + [d6fd512f50513ab7].
> > > +
> > > +FossilOrigin-Name:
> 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > > +
> > > +CVE: CVE-2025-7458
> > > +Upstream-Status: Backport
> [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > +---
> > > + sqlite3.c | 4 ++++
> > > + 1 file changed, 4 insertions(+)
> > > +
> > > +diff --git a/sqlite3.c b/sqlite3.c
> > > +index 19d0438..6d92184 100644
> > > +--- a/sqlite3.c
> > > ++++ b/sqlite3.c
> > > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo
> *pWInfo, LogEst nRowEst){
> > > + if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > > + pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > > + }
> > > ++ if( pWInfo->pSelect->pOrderBy
> > > ++ && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > > ++ pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > > ++ }
> > > + }else{
> > > + pWInfo->nOBSat = pFrom->isOrdered;
> > > + pWInfo->revMask = pFrom->revLoop;
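Review bot: The added condition in wherePathSolver reads `pWInfo->pSelect->pOrderBy` without first testing `pWInfo->pSelect`, while the prerequisite patch in this same series guards its own use with `if( pSelect && pSelect->pLimit )` in sqlite3WhereBegin, which implies callers may pass a NULL SELECT. If any sqlite3WhereBegin call site in this 3.38.5 base passes 0 and reaches this branch, the new check is a NULL dereference. If the backport is kept, the condition should begin `if( pWInfo->pSelect && pWInfo->pSelect->pOrderBy`, and the call sites should be audited for which ones pass 0. wherePathSolver's body starts and ends outside the hunk; the same hunk is quoted again elsewhere in the thread and the point applies there unchanged.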
> > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-
> support/sqlite/sqlite3_3.38.5.bb
> > > index 656e2d8bd8..86d9b4b33b 100644
> > > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-
> ${SQLITE_PV}.tar.gz \
> > > file://CVE-2023-7104.patch \
> > > file://CVE-2025-29088.patch \
> > > file://CVE-2025-6965.patch \
> > > + file://0001-This-branch-attempts-to-improve-the-detection-of-
> cov.patch \
> > > + file://CVE-2025-7458.patch \
> > > "
> > > SRC_URI[sha256sum] =
> "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> > >
> > >
> > >
> > >
> > >
> >
* RE: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
2025-08-31 21:12 ` Marko, Peter
@ 2025-09-03 22:34 ` Marko, Peter
2025-09-03 23:03 ` Steve Sakoman
0 siblings, 1 reply; 19+ messages in thread
From: Marko, Peter @ 2025-09-03 22:34 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core@lists.openembedded.org, Niko Mauno
I have looked at the problem and reverting was the correct action.
Trying to identify missing patch I realized that the CVE does not affect our version,
so I'd have to backport additional patches which would first introduce the CVE and then fix it.
Sorry for this inconvenience.
Peter
> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1)
> Sent: Sunday, August 31, 2025 23:12
> To: Steve Sakoman <steve@sakoman.com>
> Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> <niko.mauno@vaisala.com>
> Subject: RE: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
>
>
>
> > -----Original Message-----
> > From: Steve Sakoman <steve@sakoman.com>
> > Sent: Friday, August 29, 2025 17:38
> > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> > <niko.mauno@vaisala.com>
> > Subject: Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> >
> > On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com>
> wrote:
> > >
> > > We have found that since this patch SELECT queries with
> > COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
> > >
> > > # sqlite3 :memory: 'create table foo (x int); select count(distinct(x)) from foo;'
> > > Segmentation fault (core dumped)
> >
> > Hi Peter,
> >
> > Could you check this to see if you can reproduce it?
>
> I'll be offline for next two weeks, please revert and I'll check it when I'm back.
>
> >
> > If so, we should revert this patch.
> >
> > Steve
> >
> > > On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > > > From: Peter Marko <peter.marko@siemens.com>
> > > >
> > > > Pick patch [1] listed in [2].
> > > > Also pick another patch which is precondition to this one introducing
> > > > variable needed for the check.
> > > >
> > > > [1] https://sqlite.org/src/info/12ad822d9b827777
> > > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> > > >
> > > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > > ---
> > > > ...mpts-to-improve-the-detection-of-cov.patch | 91
> +++++++++++++++++++
> > > > .../sqlite/files/CVE-2025-7458.patch | 32 +++++++
> > > > meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +
> > > > 3 files changed, 125 insertions(+)
> > > > create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-
> > attempts-to-improve-the-detection-of-cov.patch
> > > > create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-
> 7458.patch
> > > >
> > > > diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-
> This-
> > branch-attempts-to-improve-the-detection-of-cov.patch
> > > > new file mode 100644
> > > > index 0000000000..8fb037bb0f
> > > > --- /dev/null
> > > > +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > improve-the-detection-of-cov.patch
> > > > @@ -0,0 +1,91 @@
> > > > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00
> > 2001
> > > > +From: drh <>
> > > > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > > > +Subject: [PATCH] This branch attempts to improve the detection of
> covering
> > > > + indexes. This first check-in merely improves a parameter name to
> > > > + sqlite3WhereBegin() to be more descriptive of what it contains, and
> ensures
> > > > + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly
> > > > + faster.
> > > > +
> > > > +FossilOrigin-Name:
> > cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > > > +
> > > > +Upstream-Status: Backport
> >
> [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a051550238
> > 6fe2]
> > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > +---
> > > > + sqlite3.c | 28 +++++++++++++---------------
> > > > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > > > +
> > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > +index 4cbc2d0..b7ed991 100644
> > > > +--- a/sqlite3.c
> > > > ++++ b/sqlite3.c
> > > > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > > > + ExprList *pOrderBy; /* The ORDER BY clause or NULL */
> > > > + ExprList *pResultSet; /* Result set of the query */
> > > > + Expr *pWhere; /* The complete WHERE clause */
> > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > +- Select *pLimit; /* Used to access LIMIT expr/registers for vtabs */
> > > > +-#endif
> > > > ++ Select *pSelect; /* The entire SELECT statement containing
> > WHERE */
> > > > + int aiCurOnePass[2]; /* OP_OpenWrite cursors for the ONEPASS opt
> */
> > > > + int iContinue; /* Jump here to continue with next record */
> > > > + int iBreak; /* Jump here to break out of the loop */
> > > > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask
> > sqlite3WhereCodeOneLoopStart(
> > > > + && pLoop->u.vtab.bOmitOffset
> > > > + ){
> > > > + assert( pTerm->eOperator==WO_AUX );
> > > > +- assert( pWInfo->pLimit!=0 );
> > > > +- assert( pWInfo->pLimit->iOffset>0 );
> > > > +- sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset);
> > > > ++ assert( pWInfo->pSelect!=0 );
> > > > ++ assert( pWInfo->pSelect->iOffset>0 );
> > > > ++ sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset);
> > > > + VdbeComment((v,"Zero OFFSET counter"));
> > > > + }
> > > > + }
> > > > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > > > + ** exist only so that they may be passed to the xBestIndex method of the
> > > > + ** single virtual table in the FROM clause of the SELECT.
> > > > + */
> > > > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC,
> Select
> > *p){
> > > > +- assert( p==0 || (p->pGroupBy==0 && (p->selFlags &
> SF_Aggregate)==0)
> > );
> > > > +- if( (p && p->pLimit) /* 1 */
> > > > +- && (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> > > > ++SQLITE_PRIVATE void SQLITE_NOINLINE
> > sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > > > ++ assert( p!=0 && p->pLimit!=0 ); /* 1 -- checked by caller */
> > > > ++ assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > > > ++ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */
> > > > + && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab)) /* 3 */
> > > > + ){
> > > > + ExprList *pOrderBy = p->pOrderBy;
> > > > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo
> > *sqlite3WhereBegin(
> > > > + Expr *pWhere, /* The WHERE clause */
> > > > + ExprList *pOrderBy, /* An ORDER BY (or GROUP BY) clause, or
> NULL
> > */
> > > > + ExprList *pResultSet, /* Query result set. Req'd for DISTINCT */
> > > > +- Select *pLimit, /* Use this LIMIT/OFFSET clause, if any */
> > > > ++ Select *pSelect, /* The entire SELECT statement */
> > > > + u16 wctrlFlags, /* The WHERE_* flags defined in sqliteInt.h */
> > > > + int iAuxArg /* If WHERE_OR_SUBCLAUSE is set, index cursor
> > number
> > > > + ** If WHERE_USE_LIMIT, then the limit amount */
> > > > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo
> > *sqlite3WhereBegin(
> > > > + pWInfo->wctrlFlags = wctrlFlags;
> > > > + pWInfo->iLimit = iAuxArg;
> > > > + pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > +- pWInfo->pLimit = pLimit;
> > > > +-#endif
> > > > ++ pWInfo->pSelect = pSelect;
> > > > + memset(&pWInfo->nOBSat, 0,
> > > > + offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > > > + memset(&pWInfo->a[0], 0,
> > sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > > > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo
> > *sqlite3WhereBegin(
> > > > +
> > > > + /* Analyze all of the subexpressions. */
> > > > + sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > > > +- sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > > > ++ if( pSelect && pSelect->pLimit ){
> > > > ++ sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > > > ++ }
> > > > + if( db->mallocFailed ) goto whereBeginError;
> > > > +
> > > > + /* Special case: WHERE terms that do not refer to any tables in the join
> > > > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > new file mode 100644
> > > > index 0000000000..6b041d9332
> > > > --- /dev/null
> > > > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > @@ -0,0 +1,32 @@
> > > > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17
> 00:00:00
> > 2001
> > > > +From: drh <>
> > > > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > > > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY
> when
> > all of the
> > > > + result set terms are constant and there are more result set terms than
> > ORDER
> > > > + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24],
> > > > + [d6fd512f50513ab7].
> > > > +
> > > > +FossilOrigin-Name:
> > 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > > > +
> > > > +CVE: CVE-2025-7458
> > > > +Upstream-Status: Backport
> >
> [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > +---
> > > > + sqlite3.c | 4 ++++
> > > > + 1 file changed, 4 insertions(+)
> > > > +
> > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > +index 19d0438..6d92184 100644
> > > > +--- a/sqlite3.c
> > > > ++++ b/sqlite3.c
> > > > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo
> > *pWInfo, LogEst nRowEst){
> > > > + if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > > > + pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > > > + }
> > > > ++ if( pWInfo->pSelect->pOrderBy
> > > > ++ && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > > > ++ pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > > > ++ }
> > > > + }else{
> > > > + pWInfo->nOBSat = pFrom->isOrdered;
> > > > + pWInfo->revMask = pFrom->revLoop;
> > > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-
> > support/sqlite/sqlite3_3.38.5.bb
> > > > index 656e2d8bd8..86d9b4b33b 100644
> > > > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-
> autoconf-
> > ${SQLITE_PV}.tar.gz \
> > > > file://CVE-2023-7104.patch \
> > > > file://CVE-2025-29088.patch \
> > > > file://CVE-2025-6965.patch \
> > > > + file://0001-This-branch-attempts-to-improve-the-detection-of-
> > cov.patch \
> > > > + file://CVE-2025-7458.patch \
> > > > "
> > > > SRC_URI[sha256sum] =
> > "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
* Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
2025-09-03 22:34 ` Marko, Peter
@ 2025-09-03 23:03 ` Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-09-03 23:03 UTC (permalink / raw)
To: Marko, Peter; +Cc: Patches and discussions about the oe-core layer, Niko Mauno
On Wed, Sep 3, 2025, 3:34 PM Marko, Peter <Peter.Marko@siemens.com> wrote:
> I have looked at the problem and reverting was the correct action.
> Trying to identify missing patch I realized that the CVE does not affect
> our version,
> so I'd have to backport additional patches which would first introduce the
> CVE and then fix it
>
Thanks for investigating!
Steve
> Sorry for this inconvenience.
>
> Peter
>
> > -----Original Message-----
> > From: Marko, Peter (FT D EU SK BFS1)
> > Sent: Sunday, August 31, 2025 23:12
> > To: Steve Sakoman <steve@sakoman.com>
> > Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> > <niko.mauno@vaisala.com>
> > Subject: RE: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> >
> >
> >
> > > -----Original Message-----
> > > From: Steve Sakoman <steve@sakoman.com>
> > > Sent: Friday, August 29, 2025 17:38
> > > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > > Cc: openembedded-core@lists.openembedded.org; Niko Mauno
> > > <niko.mauno@vaisala.com>
> > > Subject: Re: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
> > >
> > > On Fri, Aug 29, 2025 at 4:25 AM Niko Mauno <niko.mauno@vaisala.com>
> > wrote:
> > > >
> > > > We have found that since this patch SELECT queries with
> > > COUNT(DISTINCT(column)) seem to cause sqlite to segfault. E.g.
> > > >
> > > > # sqlite3 :memory: 'create table foo (x int); select
> count(distinct(x)) from foo;'
> > > > Segmentation fault (core dumped)
> > >
> > > Hi Peter,
> > >
> > > Could you check this to see if you can reproduce it?
> >
> > I'll be offline for next two weeks, please revert and I'll check it when
> I'm back.
> >
> > >
> > > If so, we should revert this patch.
> > >
> > > Steve
> > >
> > > > On 5.8.2025 19.43, Steve Sakoman via lists.openembedded.org wrote:
> > > > > From: Peter Marko <peter.marko@siemens.com>
> > > > >
> > > > > Pick patch [1] listed in [2].
> > > > > Also pick another patch which is precondition to this one
> introducing
> > > > > variable needed for the check.
> > > > >
> > > > > [1] https://sqlite.org/src/info/12ad822d9b827777
> > > > > [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458
> > > > >
> > > > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > > > ---
> > > > > ...mpts-to-improve-the-detection-of-cov.patch | 91
> > +++++++++++++++++++
> > > > > .../sqlite/files/CVE-2025-7458.patch | 32 +++++++
> > > > > meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +
> > > > > 3 files changed, 125 insertions(+)
> > > > > create mode 100644
> meta/recipes-support/sqlite/files/0001-This-branch-
> > > attempts-to-improve-the-detection-of-cov.patch
> > > > > create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-
> > 7458.patch
> > > > >
> > > > > diff --git
> a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > > improve-the-detection-of-cov.patch
> b/meta/recipes-support/sqlite/files/0001-
> > This-
> > > branch-attempts-to-improve-the-detection-of-cov.patch
> > > > > new file mode 100644
> > > > > index 0000000000..8fb037bb0f
> > > > > --- /dev/null
> > > > > +++
> b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-
> > > improve-the-detection-of-cov.patch
> > > > > @@ -0,0 +1,91 @@
> > > > > +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00
> > > 2001
> > > > > +From: drh <>
> > > > > +Date: Sat, 22 Oct 2022 14:16:02 +0000
> > > > > +Subject: [PATCH] This branch attempts to improve the detection of
> > covering
> > > > > + indexes. This first check-in merely improves a parameter name to
> > > > > + sqlite3WhereBegin() to be more descriptive of what it contains,
> and
> > ensures
> > > > > + that a subroutine is not inlines so that sqlite3WhereBegin()
> runs slightly
> > > > > + faster.
> > > > > +
> > > > > +FossilOrigin-Name:
> > > cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244
> > > > > +
> > > > > +Upstream-Status: Backport
> > >
> > [
> https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a051550238
> > > 6fe2]
> > > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > > +---
> > > > > + sqlite3.c | 28 +++++++++++++---------------
> > > > > + 1 file changed, 13 insertions(+), 15 deletions(-)
> > > > > +
> > > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > > +index 4cbc2d0..b7ed991 100644
> > > > > +--- a/sqlite3.c
> > > > > ++++ b/sqlite3.c
> > > > > +@@ -147371,9 +147371,7 @@ struct WhereInfo {
> > > > > + ExprList *pOrderBy; /* The ORDER BY clause or NULL */
> > > > > + ExprList *pResultSet; /* Result set of the query */
> > > > > + Expr *pWhere; /* The complete WHERE clause */
> > > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > > +- Select *pLimit; /* Used to access LIMIT
> expr/registers for vtabs */
> > > > > +-#endif
> > > > > ++ Select *pSelect; /* The entire SELECT statement
> containing
> > > WHERE */
> > > > > + int aiCurOnePass[2]; /* OP_OpenWrite cursors for the
> ONEPASS opt
> > */
> > > > > + int iContinue; /* Jump here to continue with next
> record */
> > > > > + int iBreak; /* Jump here to break out of the
> loop */
> > > > > +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask
> > > sqlite3WhereCodeOneLoopStart(
> > > > > + && pLoop->u.vtab.bOmitOffset
> > > > > + ){
> > > > > + assert( pTerm->eOperator==WO_AUX );
> > > > > +- assert( pWInfo->pLimit!=0 );
> > > > > +- assert( pWInfo->pLimit->iOffset>0 );
> > > > > +- sqlite3VdbeAddOp2(v, OP_Integer, 0,
> pWInfo->pLimit->iOffset);
> > > > > ++ assert( pWInfo->pSelect!=0 );
> > > > > ++ assert( pWInfo->pSelect->iOffset>0 );
> > > > > ++ sqlite3VdbeAddOp2(v, OP_Integer, 0,
> pWInfo->pSelect->iOffset);
> > > > > + VdbeComment((v,"Zero OFFSET counter"));
> > > > > + }
> > > > > + }
> > > > > +@@ -151830,10 +151828,10 @@ static void whereAddLimitExpr(
> > > > > + ** exist only so that they may be passed to the xBestIndex
> method of the
> > > > > + ** single virtual table in the FROM clause of the SELECT.
> > > > > + */
> > > > > +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC,
> > Select
> > > *p){
> > > > > +- assert( p==0 || (p->pGroupBy==0 && (p->selFlags &
> > SF_Aggregate)==0)
> > > );
> > > > > +- if( (p && p->pLimit)
> /* 1 */
> > > > > +- && (p->selFlags & (SF_Distinct|SF_Aggregate))==0
> /* 2 */
> > > > > ++SQLITE_PRIVATE void SQLITE_NOINLINE
> > > sqlite3WhereAddLimit(WhereClause *pWC, Select *p){
> > > > > ++ assert( p!=0 && p->pLimit!=0 ); /* 1 --
> checked by caller */
> > > > > ++ assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 );
> > > > > ++ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0
> /* 2 */
> > > > > + && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab))
> /* 3 */
> > > > > + ){
> > > > > + ExprList *pOrderBy = p->pOrderBy;
> > > > > +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo
> > > *sqlite3WhereBegin(
> > > > > + Expr *pWhere, /* The WHERE clause */
> > > > > + ExprList *pOrderBy, /* An ORDER BY (or GROUP BY) clause, or
> > NULL
> > > */
> > > > > + ExprList *pResultSet, /* Query result set. Req'd for
> DISTINCT */
> > > > > +- Select *pLimit, /* Use this LIMIT/OFFSET clause, if
> any */
> > > > > ++ Select *pSelect, /* The entire SELECT statement */
> > > > > + u16 wctrlFlags, /* The WHERE_* flags defined in
> sqliteInt.h */
> > > > > + int iAuxArg /* If WHERE_OR_SUBCLAUSE is set, index
> cursor
> > > number
> > > > > + ** If WHERE_USE_LIMIT, then the limit
> amount */
> > > > > +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo
> > > *sqlite3WhereBegin(
> > > > > + pWInfo->wctrlFlags = wctrlFlags;
> > > > > + pWInfo->iLimit = iAuxArg;
> > > > > + pWInfo->savedNQueryLoop = pParse->nQueryLoop;
> > > > > +-#ifndef SQLITE_OMIT_VIRTUALTABLE
> > > > > +- pWInfo->pLimit = pLimit;
> > > > > +-#endif
> > > > > ++ pWInfo->pSelect = pSelect;
> > > > > + memset(&pWInfo->nOBSat, 0,
> > > > > + offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat));
> > > > > + memset(&pWInfo->a[0], 0,
> > > sizeof(WhereLoop)+nTabList*sizeof(WhereLevel));
> > > > > +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo
> > > *sqlite3WhereBegin(
> > > > > +
> > > > > + /* Analyze all of the subexpressions. */
> > > > > + sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC);
> > > > > +- sqlite3WhereAddLimit(&pWInfo->sWC, pLimit);
> > > > > ++ if( pSelect && pSelect->pLimit ){
> > > > > ++ sqlite3WhereAddLimit(&pWInfo->sWC, pSelect);
> > > > > ++ }
> > > > > + if( db->mallocFailed ) goto whereBeginError;
> > > > > +
> > > > > + /* Special case: WHERE terms that do not refer to any tables
> in the join
> > > > > diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > > new file mode 100644
> > > > > index 0000000000..6b041d9332
> > > > > --- /dev/null
> > > > > +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch
> > > > > @@ -0,0 +1,32 @@
> > > > > +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17
> > 00:00:00
> > > 2001
> > > > > +From: drh <>
> > > > > +Date: Thu, 16 Mar 2023 20:54:29 +0000
> > > > > +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY
> > when
> > > all of the
> > > > > + result set terms are constant and there are more result set
> terms than
> > > ORDER
> > > > > + BY terms. Fix for these tickets: [c36cdb4afd504dc1],
> [4051a7f931d9ba24],
> > > > > + [d6fd512f50513ab7].
> > > > > +
> > > > > +FossilOrigin-Name:
> > > 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4
> > > > > +
> > > > > +CVE: CVE-2025-7458
> > > > > +Upstream-Status: Backport
> > >
> > [
> github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9]
> > > > > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > > +---
> > > > > + sqlite3.c | 4 ++++
> > > > > + 1 file changed, 4 insertions(+)
> > > > > +
> > > > > +diff --git a/sqlite3.c b/sqlite3.c
> > > > > +index 19d0438..6d92184 100644
> > > > > +--- a/sqlite3.c
> > > > > ++++ b/sqlite3.c
> > > > > +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo
> > > *pWInfo, LogEst nRowEst){
> > > > > + if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){
> > > > > + pWInfo->eDistinct = WHERE_DISTINCT_ORDERED;
> > > > > + }
> > > > > ++ if( pWInfo->pSelect->pOrderBy
> > > > > ++ && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){
> > > > > ++ pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr;
> > > > > ++ }
> > > > > + }else{
> > > > > + pWInfo->nOBSat = pFrom->isOrdered;
> > > > > + pWInfo->revMask = pFrom->revLoop;
> > > > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> b/meta/recipes-
> > > support/sqlite/sqlite3_3.38.5.bb
> > > > > index 656e2d8bd8..86d9b4b33b 100644
> > > > > --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > > +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
> > > > > @@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-
> > autoconf-
> > > ${SQLITE_PV}.tar.gz \
> > > > > file://CVE-2023-7104.patch \
> > > > > file://CVE-2025-29088.patch \
> > > > > file://CVE-2025-6965.patch \
> > > > > +
> file://0001-This-branch-attempts-to-improve-the-detection-of-
> > > cov.patch \
> > > > > + file://CVE-2025-7458.patch \
> > > > > "
> > > > > SRC_URI[sha256sum] =
> > > "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
>
* [OE-core][kirkstone 3/4] sqlite3: ignore CVE-2025-3277
2025-08-05 16:43 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
2025-08-05 16:43 ` [OE-core][kirkstone 1/4] avahi: fix CVE-2024-52615 Steve Sakoman
2025-08-05 16:43 ` [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458 Steve Sakoman
@ 2025-08-05 16:43 ` Steve Sakoman
2025-08-05 16:43 ` [OE-core][kirkstone 4/4] glibc: stable 2.35 branch updates Steve Sakoman
3 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-08-05 16:43 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
The vulnerable code was introduced in 3.44.0 via [1].
(See fix commit [2])
Also Debian says "not vulnerable yet" for 3.40.1 in [3]
[1] https://github.com/sqlite/sqlite/commit/e1e67abc5cf67f931aab1e471eda23d73f51d456
[2] https://sqlite.org/src/info/498e3f1cf57f164f
[3] https://security-tracker.debian.org/tracker/CVE-2025-3277
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 86d9b4b33b..280342204a 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -21,3 +21,5 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
CVE_CHECK_IGNORE += "CVE-2015-3717"
# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
CVE_CHECK_IGNORE += "CVE-2021-36690"
+# Issue was introduced in 3.44.0
+CVE_CHECK_IGNORE += "CVE-2025-3277"
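Review bot: The comment added above the new `CVE_CHECK_IGNORE` entry records only the version, while the evidence for the decision (introducing commit [1], fix [2], Debian tracker [3]) lives only in the commit message and will not be visible to someone auditing the recipe later. The neighbouring CVE-2021-36690 entry cites its fix URL in the comment, so I would do the same here, e.g. `# Vulnerable code was introduced in 3.44.0 by https://github.com/sqlite/sqlite/commit/e1e67abc5cf67f931aab1e471eda23d73f51d456, not present in 3.38.5`. An ignore entry suppresses the cve-check finding for this recipe unconditionally, so the justification should be checkable from the recipe itself.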
--
2.43.0
* [OE-core][kirkstone 4/4] glibc: stable 2.35 branch updates
2025-08-05 16:43 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-08-05 16:43 ` [OE-core][kirkstone 3/4] sqlite3: ignore CVE-2025-3277 Steve Sakoman
@ 2025-08-05 16:43 ` Steve Sakoman
3 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-08-05 16:43 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This is a single commit bump containing only a CVE fix
$ git log --oneline d80401002011f470d9c6eb604bf734715e9b3a8c..a66bc3941ff298e474d5f02d0c3303401951141f
a66bc3941f posix: Fix double-free after allocation failure in regcomp (bug 33185)
Test results didn't change except newly added test succeeding.
(tst-regcomp-bracket-free)
Also add CVE-2025-0395 ignore which was already included in previous
hash bumps.
Also drop an unreferenced patch.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../glibc/glibc/0025-CVE-2025-4802.patch | 250 ------------------
meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
3 files changed, 2 insertions(+), 252 deletions(-)
delete mode 100644 meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index b269518af4..0b06005b25 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.35/master"
PV = "2.35"
-SRCREV_glibc ?= "80401002011f470d9c6eb604bf734715e9b3a8c2"
+SRCREV_glibc ?= "a66bc3941ff298e474d5f02d0c3303401951141f"
SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
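Review bot: The removed `SRCREV_glibc` value in this hunk, `80401002011f470d9c6eb604bf734715e9b3a8c2`, is not the revision the commit message gives as the start of its `git log` range, `d80401002011f470d9c6eb604bf734715e9b3a8c`; the two strings are the same digits shifted by one character. One of them looks mis-copied, and if it is the hunk's pre-image the patch will not apply. Since SRCREV is the pin that decides which glibc source gets built, both hashes should be confirmed against the kirkstone tree and the release/2.35/master branch before merging.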
diff --git a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch b/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch
deleted file mode 100644
index a1197c0318..0000000000
--- a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch
+++ /dev/null
@@ -1,250 +0,0 @@
-From 32917e7ee972e7a01127a04454f12ef31dc312ed Mon Sep 17 00:00:00 2001
-From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
-Date: Wed, 11 Jun 2025 03:19:10 -0700
-Subject: [PATCH] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for
- static
-
-It mimics the ld.so behavior.
-Checked on x86_64-linux-gnu.
-
-[New Test Case]
-elf: Test case for bug 32976
-[https://sourceware.org/bugzilla/show_bug.cgi?id=32976]
-
-Check that LD_LIBRARY_PATH is ignored for AT_SECURE statically
-linked binaries, using support_capture_subprogram_self_sgid.
-
-Upstream-Status: Backport [https://sourceware.org/cgit/glibc/commit/?id=5451fa962cd0a90a0e2ec1d8910a559ace02bba0 &&
- https://sourceware.org/cgit/glibc/commit/?id=d8f7a79335b0d861c12c42aec94c04cd5bb181e2]
-
-CVE: CVE-2025-4802
-
-Co-authored-by: Florian Weimer <fweimer@redhat.com>
-Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
----
- elf/Makefile | 4 ++
- elf/dl-support.c | 46 ++++++++---------
- elf/tst-dlopen-sgid-mod.c | 1 +
- elf/tst-dlopen-sgid.c | 104 ++++++++++++++++++++++++++++++++++++++
- 4 files changed, 132 insertions(+), 23 deletions(-)
- create mode 100644 elf/tst-dlopen-sgid-mod.c
- create mode 100644 elf/tst-dlopen-sgid.c
-
-diff --git a/elf/Makefile b/elf/Makefile
-index 61c41ea6..3ad66ab6 100644
---- a/elf/Makefile
-+++ b/elf/Makefile
-@@ -274,6 +274,7 @@ tests-static-normal := \
- tst-array1-static \
- tst-array5-static \
- tst-dl-iter-static \
-+ tst-dlopen-sgid \
- tst-dst-static \
- tst-env-setuid \
- tst-env-setuid-tunables \
-@@ -807,6 +808,7 @@ modules-names = \
- tst-dlmopen-gethostbyname-mod \
- tst-dlmopen-twice-mod1 \
- tst-dlmopen-twice-mod2 \
-+ tst-dlopen-sgid-mod \
- tst-dlopenfaillinkmod \
- tst-dlopenfailmod1 \
- tst-dlopenfailmod2 \
-@@ -2913,3 +2915,5 @@ $(objpfx)tst-recursive-tls.out: \
- 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15)
- $(objpfx)tst-recursive-tlsmod%.os: tst-recursive-tlsmodN.c
- $(compile-command.c) -DVAR=thread_$* -DFUNC=get_threadvar_$*
-+
-+$(objpfx)tst-dlopen-sgid.out: $(objpfx)tst-dlopen-sgid-mod.so
-diff --git a/elf/dl-support.c b/elf/dl-support.c
-index 09079c12..c2baed69 100644
---- a/elf/dl-support.c
-+++ b/elf/dl-support.c
-@@ -272,8 +272,6 @@ _dl_non_dynamic_init (void)
- _dl_main_map.l_phdr = GL(dl_phdr);
- _dl_main_map.l_phnum = GL(dl_phnum);
-
-- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
--
- /* Set up the data structures for the system-supplied DSO early,
- so they can influence _dl_init_paths. */
- setup_vdso (NULL, NULL);
-@@ -281,27 +279,6 @@ _dl_non_dynamic_init (void)
- /* With vDSO setup we can initialize the function pointers. */
- setup_vdso_pointers ();
-
-- /* Initialize the data structures for the search paths for shared
-- objects. */
-- _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH",
-- /* No glibc-hwcaps selection support in statically
-- linked binaries. */
-- NULL, NULL);
--
-- /* Remember the last search directory added at startup. */
-_dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;- _dl_init_all_dirs = GL(dl_all_dirs);
--
-- _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0';
--
-- _dl_bind_not = *(getenv ("LD_BIND_NOT") ?: "") != '\0';
--
-- _dl_dynamic_weak = *(getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0';
--
-- _dl_profile_output = getenv ("LD_PROFILE_OUTPUT");
-- if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0')
-- _dl_profile_output
-- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
--
- if (__libc_enable_secure)
- {
- static const char unsecure_envvars[] =
- setup_vdso_pointers ();
-@@ -324,6 +301,29 @@ _dl_non_dynamic_init (void)
- #endif
- }
-
-+ _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
-+
-+ /* Initialize the data structures for the search paths for shared
-+ objects. */
-+ _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH",
-+ /* No glibc-hwcaps selection support in statically
-+ linked binaries. */
-+ NULL, NULL);
-+
-+ /* Remember the last search directory added at startup. */
-+ _dl_init_all_dirs = GL(dl_all_dirs);
-+
-+ _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0';
-+
-+ _dl_bind_not = *(getenv ("LD_BIND_NOT") ?: "") != '\0';
-+
-+ _dl_dynamic_weak = *(getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0';
-+
-+ _dl_profile_output = getenv ("LD_PROFILE_OUTPUT");
-+ if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0')
-+ _dl_profile_output
-+ = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
-+
- #ifdef DL_PLATFORM_INIT
- DL_PLATFORM_INIT;
- #endif
-diff --git a/elf/tst-dlopen-sgid-mod.c b/elf/tst-dlopen-sgid-mod.c
-new file mode 100644
-index 00000000..5eb79eef
---- /dev/null
-+++ b/elf/tst-dlopen-sgid-mod.c
-@@ -0,0 +1 @@
-+/* Opening this object should not succeed. */
-diff --git a/elf/tst-dlopen-sgid.c b/elf/tst-dlopen-sgid.c
-new file mode 100644
-index 00000000..47829a40
---- /dev/null
-+++ b/elf/tst-dlopen-sgid.c
-@@ -0,0 +1,104 @@
-+/* Test case for ignored LD_LIBRARY_PATH in static startug (bug 32976).
-+ Copyright (C) 2025 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <https://www.gnu.org/licenses/>. */
-+
-+#include <dlfcn.h>
-+#include <gnu/lib-names.h>
-+#include <stddef.h>
-+#include <stdint.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <support/capture_subprocess.h>
-+#include <support/check.h>
-+#include <support/support.h>
-+#include <support/temp_file.h>
-+#include <unistd.h>
-+
-+/* This is the name of our test object. Use a custom module for
-+ testing, so that this object does not get picked up from the system
-+ path. */
-+static const char dso_name[] = "tst-dlopen-sgid-mod.so";
-+
-+/* Used to mark the recursive invocation. */
-+static const char magic_argument[] = "run-actual-test";
-+
-+static int
-+do_test (void)
-+{
-+/* Pathname of the directory that receives the shared objects this
-+ test attempts to load. */
-+ char *libdir = support_create_temp_directory ("tst-dlopen-sgid-");
-+
-+ /* This is supposed to be ignored and stripped. */
-+ TEST_COMPARE (setenv ("LD_LIBRARY_PATH", libdir, 1), 0);
-+
-+ /* Copy of libc.so.6. */
-+ {
-+ char *from = xasprintf ("%s/%s", support_objdir_root, LIBC_SO);
-+ char *to = xasprintf ("%s/%s", libdir, LIBC_SO);
-+ add_temp_file (to);
-+ support_copy_file (from, to);
-+ free (to);
-+ free (from);
-+ }
-+
-+ /* Copy of the test object. */
-+ {
-+ char *from = xasprintf ("%s/elf/%s", support_objdir_root, dso_name);
-+ char *to = xasprintf ("%s/%s", libdir, dso_name);
-+ add_temp_file (to);
-+ support_copy_file (from, to);
-+ free (to);
-+ free (from);
-+ }
-+
-+ TEST_COMPARE (support_capture_subprogram_self_sgid (magic_argument), 0);
-+
-+ free (libdir);
-+
-+ return 0;
-+}
-+
-+static void
-+alternative_main (int argc, char **argv)
-+{
-+ if (argc == 2 && strcmp (argv[1], magic_argument) == 0)
-+ {
-+ if (getgid () == getegid ())
-+ /* This can happen if the file system is mounted nosuid. */
-+ FAIL_UNSUPPORTED ("SGID failed: GID and EGID match (%jd)\n",
-+ (intmax_t) getgid ());
-+
-+ /* Should be removed due to SGID. */
-+ TEST_COMPARE_STRING (getenv ("LD_LIBRARY_PATH"), NULL);
-+
-+ TEST_VERIFY (dlopen (dso_name, RTLD_NOW) == NULL);
-+ {
-+ const char *message = dlerror ();
-+ TEST_COMPARE_STRING (message,
-+ "tst-dlopen-sgid-mod.so:"
-+ " cannot open shared object file:"
-+ " No such file or directory");
-+ }
-+
-+ support_record_failure_barrier ();
-+ exit (EXIT_SUCCESS);
-+ }
-+}
-+
-+#define PREPARE alternative_main
-+#include <support/test-driver.c>
---
-2.49.0
-
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
index df5f14984a..265dcb9129 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -27,7 +27,7 @@ CVE_CHECK_IGNORE += "CVE-2023-4527"
CVE_CHECK_IGNORE += " \
CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156 \
CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 \
- CVE-2025-4802 \
+ CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 \
"
DEPENDS += "gperf-native bison-native"
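Review bot: The ignore list gains two entries, `CVE-2025-0395` and `CVE-2025-8058`, but the commit message explains only CVE-2025-0395 and never names the CVE that the regcomp double-free commit fixes. Presumably CVE-2025-8058 is that fix; the message should say so, and ideally so should the comment that introduces this list (it starts outside the hunk), so that each ignored id can be traced to the stable-branch commit that resolves it. A line such as `# CVE-2025-8058: fixed by a66bc3941f (regcomp double-free, bug 33185)` above the assignment would do. An entry here hides the CVE from cve-check, so an unexplained id is hard to audit later.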
--
2.43.0