From c081c1b8470a81835592e0d5093fc92e477f4302 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Fri, 24 Apr 2026 07:58:13 +0530
Subject: [PATCH] [AutoPR- Security] Patch sqlite for CVE-2025-70873 [HIGH] (#16728)

(cherry picked from commit 9a74efa889230ae997d3c273ff08c9e5a9129249)
---
 SPECS/sqlite/CVE-2025-70873.patch | 28 +++++++++++++++++++
 SPECS/sqlite/sqlite.spec | 6 +++-
 .../manifests/package/pkggen_core_aarch64.txt | 6 ++--
 .../manifests/package/pkggen_core_x86_64.txt | 6 ++--
 .../manifests/package/toolchain_aarch64.txt | 8 +++---
 .../manifests/package/toolchain_x86_64.txt | 8 +++---
 6 files changed, 47 insertions(+), 15 deletions(-)
 create mode 100644 SPECS/sqlite/CVE-2025-70873.patch

diff --git a/SPECS/sqlite/CVE-2025-70873.patch b/SPECS/sqlite/CVE-2025-70873.patch
new file mode 100644
index 00000000000..767dccf5b85
--- /dev/null
+++ b/SPECS/sqlite/CVE-2025-70873.patch
@@ -0,0 +1,28 @@
+From 0832f5004d3865c226a45a9dd408950e2e267482 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Fri, 17 Apr 2026 18:41:44 +0000
+Subject: [PATCH] zipfile: return only bytes actually inflated; add
+ SQLITE_HAVE_ZLIB feature flag to configure per upstream patch
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/sqlite/sqlite/commit/5a05c59d4d75c03f23d5fb70feac9f789954bf8a.patch
+---
+ shell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shell.c b/shell.c
+index d423278..ea204a2 100644
+--- a/shell.c
++++ b/shell.c
+@@ -7681,7 +7681,7 @@ static void zipfileInflate(
+ if( err!=Z_STREAM_END ){
+ zipfileCtxErrorMsg(pCtx, "inflate() failed (%d)", err);
+ }else{
+- sqlite3_result_blob(pCtx, aRes, nOut, zipfileFree);
++ sqlite3_result_blob(pCtx, aRes, (int)str.total_out, zipfileFree);
+ aRes = 0;
+ }
+ }
+--
+2.45.4
+
diff --git a/SPECS/sqlite/sqlite.spec b/SPECS/sqlite/sqlite.spec
index ea50ad4421a..ed1519dd8c0 100644
--- a/SPECS/sqlite/sqlite.spec
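Review bot: The embedded patch's subject promises two changes — `return only bytes actually inflated` and an `SQLITE_HAVE_ZLIB feature flag to configure` — but its own diffstat (`shell.c | 2 +-`, `1 file changed`) shows that only the `sqlite3_result_blob` length change in zipfileInflate was carried over, so either the configure part was deliberately dropped for this 3.39.2 backport and the subject should say so, or it is missing. The one-line change looks right as far as the hunk shows: `str.total_out` is the byte count inflate() actually produced into `aRes`, while `nOut` is the size the caller expected, so the old call could return trailing bytes of `aRes` that inflate() never wrote when the stream ended short; `(int)str.total_out` presumably cannot exceed `nOut` because inflate() is bounded by `avail_out`, but that setup and the allocation of `aRes` are outside this hunk (zipfileInflate begins before and ends after it) and should be checked in the 3.39.2 tree. Since the trailer marks this an `AI Backport`, a short sentence in the patch header recording that it was diffed against the referenced upstream commit would help future reviewers, and because the spec's `make %{?_smp_mflags} check` likely does not exercise the shell's zipfile extension, a manual check that a zip entry whose inflated size is smaller than its declared size now yields a blob of exactly `total_out` bytes would close the loop.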
+++ b/SPECS/sqlite/sqlite.spec
@@ -2,7 +2,7 @@
 Summary: A portable, high level programming interface to various calling conventions
 Name: sqlite
 Version: 3.39.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Public Domain
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -15,6 +15,7 @@ Patch1: CVE-2022-46908.patch
 Patch2: CVE-2023-7104.patch
 Patch3: CVE-2025-7458.patch
 Patch4: CVE-2025-6965.patch
+Patch5: CVE-2025-70873.patch

 Requires: sqlite-libs = %{version}-%{release}
 Provides: sqlite3
@@ -85,6 +86,9 @@ make %{?_smp_mflags} check
 %{_libdir}/libsqlite3.so.0.8.6

 %changelog
+* Fri Apr 17 2026 Azure Linux Security Servicing Account - 3.39.2-5
+- Patch for CVE-2025-70873
+
 * Mon Aug 04 2025 Kshitiz Godara - 3.39.2-4
 - Address CVE-2025-6965 and CVE-2025-7458

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index b98419227af..2ee7e91092d 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -84,9 +84,9 @@ bison-3.7.6-2.cm2.aarch64.rpm
 popt-1.18-1.cm2.aarch64.rpm
 popt-devel-1.18-1.cm2.aarch64.rpm
 popt-lang-1.18-1.cm2.aarch64.rpm
-sqlite-3.39.2-4.cm2.aarch64.rpm
-sqlite-devel-3.39.2-4.cm2.aarch64.rpm
-sqlite-libs-3.39.2-4.cm2.aarch64.rpm
+sqlite-3.39.2-5.cm2.aarch64.rpm
+sqlite-devel-3.39.2-5.cm2.aarch64.rpm
+sqlite-libs-3.39.2-5.cm2.aarch64.rpm
 elfutils-0.186-2.cm2.aarch64.rpm
 elfutils-default-yama-scope-0.186-2.cm2.noarch.rpm
 elfutils-devel-0.186-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 695e424d649..cdf631f442d 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -84,9 +84,9 @@ bison-3.7.6-2.cm2.x86_64.rpm
 popt-1.18-1.cm2.x86_64.rpm
 popt-devel-1.18-1.cm2.x86_64.rpm
 popt-lang-1.18-1.cm2.x86_64.rpm
-sqlite-3.39.2-4.cm2.x86_64.rpm
-sqlite-devel-3.39.2-4.cm2.x86_64.rpm
-sqlite-libs-3.39.2-4.cm2.x86_64.rpm
+sqlite-3.39.2-5.cm2.x86_64.rpm
+sqlite-devel-3.39.2-5.cm2.x86_64.rpm
+sqlite-libs-3.39.2-5.cm2.x86_64.rpm
 elfutils-0.186-2.cm2.x86_64.rpm
 elfutils-default-yama-scope-0.186-2.cm2.noarch.rpm
 elfutils-devel-0.186-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 33c0da74608..54d66a3d143 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -548,10 +548,10 @@ sed-lang-4.8-3.cm2.aarch64.rpm
 slang-2.3.2-4.cm2.aarch64.rpm
 slang-debuginfo-2.3.2-4.cm2.aarch64.rpm
 slang-devel-2.3.2-4.cm2.aarch64.rpm
-sqlite-3.39.2-4.cm2.aarch64.rpm
-sqlite-debuginfo-3.39.2-4.cm2.aarch64.rpm
-sqlite-devel-3.39.2-4.cm2.aarch64.rpm
-sqlite-libs-3.39.2-4.cm2.aarch64.rpm
+sqlite-3.39.2-5.cm2.aarch64.rpm
+sqlite-debuginfo-3.39.2-5.cm2.aarch64.rpm
+sqlite-devel-3.39.2-5.cm2.aarch64.rpm
+sqlite-libs-3.39.2-5.cm2.aarch64.rpm
 swig-4.0.2-3.cm2.aarch64.rpm
 swig-debuginfo-4.0.2-3.cm2.aarch64.rpm
 systemd-bootstrap-250.3-14.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 502ad0fd8c6..194d83181ea 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -554,10 +554,10 @@ sed-lang-4.8-3.cm2.x86_64.rpm
 slang-2.3.2-4.cm2.x86_64.rpm
 slang-debuginfo-2.3.2-4.cm2.x86_64.rpm
 slang-devel-2.3.2-4.cm2.x86_64.rpm
-sqlite-3.39.2-4.cm2.x86_64.rpm
-sqlite-debuginfo-3.39.2-4.cm2.x86_64.rpm
-sqlite-devel-3.39.2-4.cm2.x86_64.rpm
-sqlite-libs-3.39.2-4.cm2.x86_64.rpm
+sqlite-3.39.2-5.cm2.x86_64.rpm
+sqlite-debuginfo-3.39.2-5.cm2.x86_64.rpm
+sqlite-devel-3.39.2-5.cm2.x86_64.rpm
+sqlite-libs-3.39.2-5.cm2.x86_64.rpm
 swig-4.0.2-3.cm2.x86_64.rpm
 swig-debuginfo-4.0.2-3.cm2.x86_64.rpm
 systemd-bootstrap-250.3-14.cm2.x86_64.rpm