Your message dated Sat, 14 Mar 2026 11:48:36 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1126332,
regarding trixie-pu: package sqlite3/3.46.1-7+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126332
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:sqlite3
User: [email protected]
Usertags: pu
Hi RMs,
There's a security fix for sqlite3 which doesn't warrant a DSA and a
packaging glitch fix.
[ Reason ]
The security fix is an integer overflow in the FTS5 extension, not in
the library itself. The risk is an out of bounds write, but the data
is only partially controlled.
Packaging misses the pkgconf build dependency to link the ICU library
to the ICU extension of sqlite3. This fixes the extension loading.
[ Impact ]
Users of the FTS5 will be totally safe from a possible - yet hard to
exploit - security problem. The ICU extension will be loadable and
users can start to use it.
[ Tests ]
Local testing confirms the update is correct. The security fix is in
sqlite3 3.46.1-8 since last September, the ICU extension is just
uploaded with the sqlite3 3.46.1-9 package version.
[ Risks ]
I do not know of any. The security fix basically is a one-liner,
extending the variable type to be a 64 bit wide one. The pkgconf build
dependency only affects the ICU extension, and the library dependency
is correctly added to it by debhelper.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issues are verified as fixed in unstable
Thanks,
Laszlo/GCS
diff -Nru sqlite3-3.46.1/debian/changelog sqlite3-3.46.1/debian/changelog
--- sqlite3-3.46.1/debian/changelog 2025-07-25 21:04:34.000000000 +0200
+++ sqlite3-3.46.1/debian/changelog 2026-01-22 19:19:00.000000000 +0100
@@ -1,3 +1,12 @@
+sqlite3 (3.46.1-7+deb13u1) trixie; urgency=medium
+
+ * Backport upstream security fix for CVE-2025-7709: integer overflow in the
+ FTS5 extension (closes: #1114609).
+ * Add pkgconf build dependency to fix link problem with ICU extension
+ (closes: #1099724).
+
+ -- Laszlo Boszormenyi (GCS) <[email protected]> Thu, 22 Jan 2026 19:19:00 +0100
+
sqlite3 (3.46.1-7) unstable; urgency=high
* Backport upstream security fix for CVE-2025-6965: the number of aggregate
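Review bot: the CVE-2025-7709 changelog entry names the consequence only generically ("integer overflow in the FTS5 extension"); since this entry is what trixie users will read, consider naming the affected area (tombstone array sizing in ext/fts5/fts5_index.c) so it can be matched to the upstream check-in cited in the patch's Origin field. The two bug closers (#1114609, #1099724) otherwise match the two changes in this debdiff.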
diff -Nru sqlite3-3.46.1/debian/control sqlite3-3.46.1/debian/control
--- sqlite3-3.46.1/debian/control 2025-04-09 16:39:52.000000000 +0200
+++ sqlite3-3.46.1/debian/control 2026-01-22 19:19:00.000000000 +0100
@@ -2,7 +2,7 @@
Section: devel
Priority: optional
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
-Build-Depends: debhelper-compat (= 13), autoconf (>= 2.59), libtool (>= 1.5.2), automake, chrpath, lynx, libreadline-dev, tcl8.6-dev, libicu-dev
+Build-Depends: debhelper-compat (= 13), autoconf (>= 2.59), libtool (>= 1.5.2), automake, pkgconf, chrpath, lynx, libreadline-dev, tcl8.6-dev, libicu-dev
Build-Conflicts: tcl8.4, tcl8.4-dev, tcl8.5, tcl8.5-dev
Standards-Version: 4.7.0
Rules-Requires-Root: no
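Review bot: only Build-Depends changes here, with no debian/rules change, so the ICU link fix depends on the existing configure/libtool machinery picking up pkg-config output once pkgconf is present in the build chroot. The [Risks] section states that the library dependency is added by debhelper but the debdiff cannot show it; the build log (ICU flags on the extension's link line) and the resulting dependency on the ICU extension's shared object are worth checking before accepting.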
diff -Nru sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch
--- sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch 1970-01-01 01:00:00.000000000 +0100
+++ sqlite3-3.46.1/debian/patches/53-CVE-2025-7709.patch 2026-01-22 19:19:00.000000000 +0100
@@ -0,0 +1,24 @@
+Description: fix CVE-2025-7709
+ An integer overflow exists in the FTS5 extension. This change fixes this.
+Author: Laszlo Boszormenyi (GCS) <[email protected]>
+Bug-Debian: https://bugs.debian.org/1114609
+Origin: upstream, https://sqlite.org/src/info/63595b74956a9391
+Forwarded: not-needed
+Last-Update: 2025-09-07
+
+---
+
+--- a/ext/fts5/fts5_index.c
++++ b/ext/fts5/fts5_index.c
+@@ -1933,9 +1933,9 @@ static void fts5SegIterSetNext(Fts5Index
+ ** leave an error in the Fts5Index object.
+ */
+ static void fts5SegIterAllocTombstone(Fts5Index *p, Fts5SegIter *pIter){
+- const int nTomb = pIter->pSeg->nPgTombstone;
++ const i64 nTomb = (i64)pIter->pSeg->nPgTombstone;
+ if( nTomb>0 ){
+- int nByte = nTomb * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray);
++ i64 nByte = nTomb * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray);
+ Fts5TombstoneArray *pNew;
+ pNew = (Fts5TombstoneArray*)sqlite3Fts5MallocZero(&p->rc, nByte);
+ if( pNew ){
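Review bot: widening nTomb and nByte to i64 removes the wraparound only if the size parameter of sqlite3Fts5MallocZero() is also 64-bit; the hunk does not show its prototype, so confirm in the trixie source that it takes a 64-bit size, otherwise the widened value is narrowed again at the call site and the fix is cosmetic. The `if( nTomb>0 )` guard is unchanged, which is fine since the point of the fix is to make the arithmetic non-wrapping rather than to bound nPgTombstone; the patch header's one-sentence description ("An integer overflow exists ... This change fixes this.") could say so explicitly, e.g. "compute the tombstone array size in 64-bit to avoid wraparound".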
diff -Nru sqlite3-3.46.1/debian/patches/series sqlite3-3.46.1/debian/patches/series
--- sqlite3-3.46.1/debian/patches/series 2025-07-25 21:04:34.000000000 +0200
+++ sqlite3-3.46.1/debian/patches/series 2026-01-22 19:19:00.000000000 +0100
@@ -11,3 +11,4 @@
50-CVE-2025-29087.patch
51-CVE-2025-29088.patch
52-CVE-2025-6965.patch
+53-CVE-2025-7709.patch
--- End Message ---
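The integer truncation described in the report's [Reason] section and closed by the fts5_index.c hunk above, as an added example that is not code from the upstream patch or the Debian package; the Fts5 struct and type names are simplified stand-ins for the real SQLite definitions.

```c
/* Added example (not from SQLite or the Debian package): a stand-alone model
 * of the byte-count arithmetic that the CVE-2025-7709 fix widens from int to
 * a 64-bit type. The types below are stand-ins for SQLite's own. */
#include <stdint.h>
#include <stdio.h>

typedef int64_t i64;                          /* mirrors SQLite's i64 typedef */
typedef struct Fts5Data Fts5Data;             /* opaque stand-in */
typedef struct {                              /* stand-in for Fts5TombstoneArray */
  int nTombstone;
  Fts5Data *apTombstone[1];
} Fts5TombstoneArray;

/* Pre-fix arithmetic: the product is evaluated in size_t but stored in an int,
 * so a large page count is silently narrowed to a small or negative count.
 * The explicit cast performs the same narrowing the implicit assignment did. */
static int oldByteCount(int nTomb){
  int nByte = (int)(nTomb * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray));
  return nByte;
}

/* Post-fix arithmetic: the operand is cast to i64 first and the result is
 * kept in i64, so no narrowing happens before the size reaches the allocator. */
static i64 newByteCount(int nTomb){
  const i64 n = (i64)nTomb;
  i64 nByte = n * sizeof(Fts5Data*) + sizeof(Fts5TombstoneArray);
  return nByte;
}

/* Returns 1 when the pre-fix value differs from the true size, i.e. when an
 * allocation of oldByteCount() bytes would be too small for nTomb entries. */
static int isTruncated(int nTomb){
  return (i64)oldByteCount(nTomb) != newByteCount(nTomb);
}

int main(void){
  const int nSmall = 1000;        /* constructed: ordinary tombstone page count */
  const int nLarge = 300000000;   /* constructed: count whose size exceeds INT_MAX */
  printf("%d pages: old=%d new=%lld truncated=%d\n", nSmall,
         oldByteCount(nSmall), (long long)newByteCount(nSmall), isTruncated(nSmall));
  printf("%d pages: old=%d new=%lld truncated=%d\n", nLarge,
         oldByteCount(nLarge), (long long)newByteCount(nLarge), isTruncated(nLarge));
  return 0;
}
```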
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---