Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:sqlite3
User: [email protected]
Usertags: pu

Hi SRMs,

[ Reason ]
There are two low priority security issues in sqlite3, both have the
same root cause. The fix for these is easy.

[ Impact ]
Users will be safe from these attacks, which may compromise their systems.

[ Tests ]
Build and some basic testing.

[ Risks ]
Very small as the change is small and quite straight forward. Only
correct the check.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issues are verified as fixed in unstable

Thanks,
Laszlo/GCS
diff -Nru sqlite3-3.46.1/debian/changelog sqlite3-3.46.1/debian/changelog
--- sqlite3-3.46.1/debian/changelog	2026-01-22 19:19:00.000000000 +0100
+++ sqlite3-3.46.1/debian/changelog	2026-06-14 14:32:03.000000000 +0200
@@ -1,3 +1,12 @@
+sqlite3 (3.46.1-7+deb13u2) trixie; urgency=medium
+
+  * Backport upstream security fix for CVE-2026-11822: memory corruption
+    vulnerabilities in the FTS5 full-text search extension.
+  * Backport upstream security fix for CVE-2026-11824: heap-based buffer
+    overflow vulnerability in the FTS5 full-text search extension.
+
+ -- Laszlo Boszormenyi (GCS) <[email protected]>  Sun, 14 Jun 2026 14:32:03 +0200
+
 sqlite3 (3.46.1-7+deb13u1) trixie; urgency=medium
 
   * Backport upstream security fix for CVE-2025-7709: integer overflow in the
diff -Nru sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch
--- sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch	1970-01-01 01:00:00.000000000 +0100
+++ sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch	2026-06-14 14:32:03.000000000 +0200
@@ -0,0 +1,106 @@
+From 79db323ce14923a1bcc7b3b72679003c14c1cd7f Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Mon, 11 May 2026 11:12:06 +0000
+Subject: [PATCH] Fix potential buffer overwrite that could occur in fts5 when
+ processing corrupt records.
+
+FossilOrigin-Name: 4a5ad516ea93926c0d5206b4d72c3675905d2bf666b27a649256b93eb95c671b
+---
+ ext/fts5/fts5_index.c           |  2 +-
+ ext/fts5/test/fts5corruptA.test | 72 +++++++++++++++++++++++++++++++++
+ manifest                        | 15 +++----
+ manifest.uuid                   |  2 +-
+ 4 files changed, 82 insertions(+), 9 deletions(-)
+ create mode 100644 ext/fts5/test/fts5corruptA.test
+
+diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c
+index 164d613881..29be766042 100644
+--- a/ext/fts5/fts5_index.c
++++ b/ext/fts5/fts5_index.c
+@@ -873,7 +873,7 @@ static void fts5DataRelease(Fts5Data *pD
+ static Fts5Data *fts5LeafRead(Fts5Index *p, i64 iRowid){
+   Fts5Data *pRet = fts5DataRead(p, iRowid);
+   if( pRet ){
+-    if( pRet->nn<4 || pRet->szLeaf>pRet->nn ){
++    if( pRet->szLeaf<4 || pRet->szLeaf>pRet->nn ){
+       p->rc = FTS5_CORRUPT;
+       fts5DataRelease(pRet);
+       pRet = 0;
+diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test
+new file mode 100644
+index 0000000000..838cded578
+--- /dev/null
++++ b/ext/fts5/test/fts5corruptA.test
+@@ -0,0 +1,72 @@
++# 2026 May 11
++#
++# The author disclaims copyright to this source code.  In place of
++# a legal notice, here is a blessing:
++#
++#    May you do good and not evil.
++#    May you find forgiveness for yourself and forgive others.
++#    May you share freely, never taking more than you give.
++#
++#***********************************************************************
++#
++
++source [file join [file dirname [info script]] fts5_common.tcl]
++set testprefix fts5corruptA
++
++# If SQLITE_ENABLE_FTS5 is not defined, omit this file.
++ifcapable !fts5 {
++  finish_test
++  return
++}
++sqlite3_fts5_may_be_corrupt 1
++
++do_execsql_test 1.0 {
++  CREATE VIRTUAL TABLE t USING fts5(x, detail='full');
++  INSERT INTO t(t, rank) VALUES('pgsz', 32);
++}
++
++set big [string repeat "a " 200]
++do_execsql_test 1.1 {
++  INSERT INTO t(rowid, x) VALUES(1, $big)
++}
++
++do_test 1.2 {
++  db eval { 
++      SELECT min(rowid) AS base_rowid, count(*) AS page_count FROM t_data
++      WHERE rowid>1000
++  } {}
++} {}
++
++do_test 1.3 {
++  for {set ii 0} {$ii < 5} {incr ii} {
++    db eval { 
++      INSERT INTO t_data(rowid, block) 
++      VALUES( $base_rowid + $page_count + $ii, zeroblob(4) );
++    }
++  }
++  db eval { 
++    INSERT INTO t_data(rowid, block) 
++      VALUES( $base_rowid + $page_count + 5, 
++      unhex('00000080' || 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC') );
++  }
++  set {} {}
++} {}
++
++db close
++
++do_test 1.4 {
++  set hex [hexio_read test.db 0 [file size test.db]]
++
++  set off [string first "023061018310" $hex]
++  set hex [string replace $hex $off [expr $off+11] 023061018370]
++  hexio_write test.db 0 $hex
++} {6144}
++
++sqlite3 db test.db
++
++do_catchsql_test 1.5 {
++  SELECT rowid FROM t WHERE t MATCH 'a'
++} {1 {fts5: corruption found reading blob 137438953481 from table "t"}}
++
++sqlite3_fts5_may_be_corrupt 0
++finish_test
diff -Nru sqlite3-3.46.1/debian/patches/series sqlite3-3.46.1/debian/patches/series
--- sqlite3-3.46.1/debian/patches/series	2026-01-22 19:19:00.000000000 +0100
+++ sqlite3-3.46.1/debian/patches/series	2026-06-14 14:32:03.000000000 +0200
@@ -12,3 +12,4 @@
 51-CVE-2025-29088.patch
 52-CVE-2025-6965.patch
 53-CVE-2025-7709.patch
+54-CVE-2026-11822_CVE-2026-11824.patch

Reply via email to