• Bug#1110140: unblock: sqlite3/3.46.1-7

    From =?UTF-8?B?TMOhc3psw7MgQsO2c3rDtnJtw@21:1/5 to All on Wed Jul 30 18:00:01 2025
    XPost: linux.debian.bugs.dist

    Package: release.debian.org
    Severity: normal
    User: [email protected]
    Usertags: unblock
    Control: affects -1 + src:sqlite3

    Hi RMs,

    [ Reason ]
    There's a security issue where the number of aggregate terms could
    exceed the number of columns available. This could lead to a memory
    corruption issue. This update fixes this vulnerability.
    This issue was found by Google and it's said that threat actors may
    already know about this and use it in their attack. As such, this is
    considered a critical security issue. See: https://thehackernews.com/2025/07/google-ai-big-sleep-stops-exploitation.html

    [ Impact ]
    Very minimal, the change is small and quite straightforward.

    [ Tests ]
    Local self user testing. Including reverse dependency package tests.

    [ Risks ]
    I don't see any.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing


  • From Debian Bug Tracking System@21:1/5 to All on Wed Jul 30 20:40:01 2025
    Your message dated Wed, 30 Jul 2025 18:37:26 +0000
    with message-id <[email protected]>
    and subject line unblock sqlite3
    has caused the Debian Bug report #1110140,
    regarding unblock: sqlite3/3.46.1-7
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected]
    immediately.)


    --
    1110140: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110140
    Debian Bug Tracking System
    Contact [email protected] with problems
