Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:sqlite3 User: [email protected] Usertags: pu
Hi SRMs, [ Reason ] There are two low priority security issues in sqlite3, both have the same root cause. The fix for these is easy. [ Impact ] Users will be safe from these attacks, which may compromise their systems. [ Tests ] Build and some basic testing. [ Risks ] Very small as the change is small and quite straight forward. Only correct the check. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issues are verified as fixed in unstable Thanks, Laszlo/GCS
diff -Nru sqlite3-3.46.1/debian/changelog sqlite3-3.46.1/debian/changelog --- sqlite3-3.46.1/debian/changelog 2026-01-22 19:19:00.000000000 +0100 +++ sqlite3-3.46.1/debian/changelog 2026-06-14 14:32:03.000000000 +0200 @@ -1,3 +1,12 @@ +sqlite3 (3.46.1-7+deb13u2) trixie; urgency=medium + + * Backport upstream security fix for CVE-2026-11822: memory corruption + vulnerabilities in the FTS5 full-text search extension. + * Backport upstream security fix for CVE-2026-11824: heap-based buffer + overflow vulnerability in the FTS5 full-text search extension. + + -- Laszlo Boszormenyi (GCS) <[email protected]> Sun, 14 Jun 2026 14:32:03 +0200 + sqlite3 (3.46.1-7+deb13u1) trixie; urgency=medium * Backport upstream security fix for CVE-2025-7709: integer overflow in the diff -Nru sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch --- sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch 1970-01-01 01:00:00.000000000 +0100 +++ sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch 2026-06-14 14:32:03.000000000 +0200 @@ -0,0 +1,106 @@ +From 79db323ce14923a1bcc7b3b72679003c14c1cd7f Mon Sep 17 00:00:00 2001 +From: dan <Dan Kennedy> +Date: Mon, 11 May 2026 11:12:06 +0000 +Subject: [PATCH] Fix potential buffer overwrite that could occur in fts5 when + processing corrupt records. + +FossilOrigin-Name: 4a5ad516ea93926c0d5206b4d72c3675905d2bf666b27a649256b93eb95c671b +--- + ext/fts5/fts5_index.c | 2 +- + ext/fts5/test/fts5corruptA.test | 72 +++++++++++++++++++++++++++++++++ + manifest | 15 +++---- + manifest.uuid | 2 +- + 4 files changed, 82 insertions(+), 9 deletions(-) + create mode 100644 ext/fts5/test/fts5corruptA.test + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 164d613881..29be766042 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -873,7 +873,7 @@ static void fts5DataRelease(Fts5Data *pD + static Fts5Data *fts5LeafRead(Fts5Index *p, i64 iRowid){ + Fts5Data *pRet = fts5DataRead(p, iRowid); + if( pRet ){ +- if( pRet->nn<4 || pRet->szLeaf>pRet->nn ){ ++ if( pRet->szLeaf<4 || pRet->szLeaf>pRet->nn ){ + p->rc = FTS5_CORRUPT; + fts5DataRelease(pRet); + pRet = 0; +diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test +new file mode 100644 +index 0000000000..838cded578 +--- /dev/null ++++ b/ext/fts5/test/fts5corruptA.test +@@ -0,0 +1,72 @@ ++# 2026 May 11 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. ++# ++#*********************************************************************** ++# ++ ++source [file join [file dirname [info script]] fts5_common.tcl] ++set testprefix fts5corruptA ++ ++# If SQLITE_ENABLE_FTS5 is not defined, omit this file. ++ifcapable !fts5 { ++ finish_test ++ return ++} ++sqlite3_fts5_may_be_corrupt 1 ++ ++do_execsql_test 1.0 { ++ CREATE VIRTUAL TABLE t USING fts5(x, detail='full'); ++ INSERT INTO t(t, rank) VALUES('pgsz', 32); ++} ++ ++set big [string repeat "a " 200] ++do_execsql_test 1.1 { ++ INSERT INTO t(rowid, x) VALUES(1, $big) ++} ++ ++do_test 1.2 { ++ db eval { ++ SELECT min(rowid) AS base_rowid, count(*) AS page_count FROM t_data ++ WHERE rowid>1000 ++ } {} ++} {} ++ ++do_test 1.3 { ++ for {set ii 0} {$ii < 5} {incr ii} { ++ db eval { ++ INSERT INTO t_data(rowid, block) ++ VALUES( $base_rowid + $page_count + $ii, zeroblob(4) ); ++ } ++ } ++ db eval { ++ INSERT INTO t_data(rowid, block) ++ VALUES( $base_rowid + $page_count + 5, ++ unhex('00000080' || 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC') ); ++ } ++ set {} {} ++} {} ++ ++db close ++ ++do_test 1.4 { ++ set hex [hexio_read test.db 0 [file size test.db]] ++ ++ set off [string first "023061018310" $hex] ++ set hex [string replace $hex $off [expr $off+11] 023061018370] ++ hexio_write test.db 0 $hex ++} {6144} ++ ++sqlite3 db test.db ++ ++do_catchsql_test 1.5 { ++ SELECT rowid FROM t WHERE t MATCH 'a' ++} {1 {fts5: corruption found reading blob 137438953481 from table "t"}} ++ ++sqlite3_fts5_may_be_corrupt 0 ++finish_test diff -Nru sqlite3-3.46.1/debian/patches/series sqlite3-3.46.1/debian/patches/series --- sqlite3-3.46.1/debian/patches/series 2026-01-22 19:19:00.000000000 +0100 +++ sqlite3-3.46.1/debian/patches/series 2026-06-14 14:32:03.000000000 +0200 @@ -12,3 +12,4 @@ 51-CVE-2025-29088.patch 52-CVE-2025-6965.patch 53-CVE-2025-7709.patch +54-CVE-2026-11822_CVE-2026-11824.patch

