• Bug#1109379: sqlite3: CVE-2025-6965

    From Moritz Mühlenhoff@21:1/5 to All on Wed Jul 16 11:30:01 2025
    Package: sqlite3
    X-Debbugs-CC: [email protected]
    Severity: important
    Tags: security

    Hi,

    The following vulnerability was published for sqlite3.

    CVE-2025-6965[0]:
    | There exists a vulnerability in SQLite versions before 3.50.2 where
    | the number of aggregate terms could exceed the number of columns
    | available. This could lead to a memory corruption issue. We
    | recommend upgrading to version 3.50.2 or above.

    https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-6965
    https://www.cve.org/CVERecord?id=CVE-2025-6965

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Shani Yosef@21:1/5 to All on Sun Jul 27 14:10:01 2025
    Source: sqlite3
    Version: 3.40.1-2
    Tags: security upstream
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>


    I’m writing to suggest a patch for addressing *CVE-2025-6965* in the
    Debian sqlite3 package.


    The vulnerability has been fixed upstream in the following commit:
    https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703

    I’ve already backported the patch to *3.40.1-2+deb12u1* and confirmed
    that it applies cleanly.

    Please find the patch attached, hopefully it can be considered for
    inclusion in the next stable update.

    Please let me know if there's anything else I can do to assist.


    Best regards,
    Shani Yosef
    echohq.com

