Patch is available at https://people.FreeBSD.org/~sunpoet/patch/databases-sqlite3.txt

The proposed commit log is as follows:

databases/sqlite3: Update to 3.50.4

- Update WWW
- Add LICENSE_FILE
- Enable SESSION option by default
- Install sqlite_cfg.h
- Remove unnecessary substitution
- Remove unnecessary double quotation mark

Changes: https://www.sqlite.org/changes.html
As this update does fix a security issue (https://vuxml.freebsd.org/freebsd/c5889223-b4e1-11f0-ae9b-b42e991fc52e.html), I guess Importance should also be changed to "Affects Many People".
Somehow I thought I had already added a comment here that the patch compiles and works, but apparently not. Sqlite is important enough in the FreeBSD world that I believe this patch should be prioritized. Is there anything I can do to help?
Thanks for the contribution! While I support the prioritization of the issue, the proposed patch contains unnecessary changes which can also be harmful in edge cases (shell quoting removal, unexplained replacement of += with =). If you had skipped these changes, the patch would also be easier to review.
Created attachment 265233: Simplified version of the previous patch.

I've removed all but essential changes to the previous patch from the original poster. The new patch does, however, still retain the sqlite_cfg.h file.
Come on guys, how long do we want to sit on a security update? I'll grab it, and someone (preferably sunpoet@) should contact Pavel I. Volkov to see if he's still interested in maintaining the port because this has been open for far too long.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5b98d506ed03da39038bbf77ab508295d6f0cf94

commit 5b98d506ed03da39038bbf77ab508295d6f0cf94
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-11-07 16:44:51 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-11-07 17:11:52 +0000

    databases/sqlite3: security update to 3.50.4

    Changes per <https://sqlite.org/changes.html>:

    2025-07-30 (3.50.4)
    1 Fix two long-standing cases of the use of uninitialized variables in obscure circumstances.

    2025-07-17 (3.50.3)
    1 Fix a possible memory error that can occur if a query is made against an FTS5 index that has been deliberately corrupted in a very specific way.
    2 Fix the parser so that it ignores SQL comments in all places of a CREATE TRIGGER statement. This resolves a problem that was introduced by the introduction of the SQLITE_DBCONFIG_ENABLE_COMMENTS feature in version 3.49.0.
    3 Fix an incorrect answer due to over-optimization of an AND operator. Forum post f4878de3e.
    4 Fix minor makefile issues and documentation typos.

    While here, install sqlite_cfg.h

    The 3.51.0 update is left for the maintainer or other interested parties; 3.51.0 was released earlier this week, on 2025-11-04.

    Security:       c5889223-b4e1-11f0-ae9b-b42e991fc52e
    Security:       CVE-2025-7709
    Approved by:    ports-secteam@ (implicit)
    MFH:            2025Q4
    PR:             290588

 databases/sqlite3/Makefile  | 3 ++-
 databases/sqlite3/distinfo  | 6 +++---
 databases/sqlite3/pkg-plist | 1 +
 3 files changed, 6 insertions(+), 4 deletions(-)
(In reply to Mark C from comment #4)
Thanks a lot!

(In reply to Po-Chuan Hsieh from comment #0)
Please discuss with Pavel to join this and the 3.51.0 update, and for main only.
A commit in branch 2025Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8cdfe27078747b95e8e260ce1f9e43217464b893

commit 8cdfe27078747b95e8e260ce1f9e43217464b893
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-11-07 16:44:51 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-11-07 17:14:33 +0000

    databases/sqlite3: security update to 3.50.4

    Changes per <https://sqlite.org/changes.html>:

    2025-07-30 (3.50.4)
    1 Fix two long-standing cases of the use of uninitialized variables in obscure circumstances.

    2025-07-17 (3.50.3)
    1 Fix a possible memory error that can occur if a query is made against an FTS5 index that has been deliberately corrupted in a very specific way.
    2 Fix the parser so that it ignores SQL comments in all places of a CREATE TRIGGER statement. This resolves a problem that was introduced by the introduction of the SQLITE_DBCONFIG_ENABLE_COMMENTS feature in version 3.49.0.
    3 Fix an incorrect answer due to over-optimization of an AND operator. Forum post f4878de3e.
    4 Fix minor makefile issues and documentation typos.

    While here, install sqlite_cfg.h

    The 3.51.0 update is left for the maintainer or other interested parties; 3.51.0 was released earlier this week, on 2025-11-04.

    Security:       c5889223-b4e1-11f0-ae9b-b42e991fc52e
    Security:       CVE-2025-7709
    Approved by:    ports-secteam@ (implicit)
    MFH:            2025Q4
    PR:             290588

    (cherry picked from commit 5b98d506ed03da39038bbf77ab508295d6f0cf94)

 databases/sqlite3/Makefile  | 3 ++-
 databases/sqlite3/distinfo  | 6 +++---
 databases/sqlite3/pkg-plist | 1 +
 3 files changed, 6 insertions(+), 4 deletions(-)
This was long overdue. It was discovered in July, published in August, we took a week to add it to VuXML, and then another like six weeks to fix it.

I had revised the VuXML entry a bit before I found this PR, so here goes:

The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f94b70f52d74ead333820f1836d646c6447fbbd0

commit f94b70f52d74ead333820f1836d646c6447fbbd0
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-11-07 16:55:53 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-11-07 17:11:52 +0000

    security/vuxml: Revise SQLite3 entry

    - mention this bug is only for >= 3.49.1 according to
      https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g
    - advance the discovery date to mid-July per the same
    - strip double -9.6 from linux_base-rl9 name to get the entry to actually
      trigger for the package, and set it to ">= 0" because we don't want
      unrelated updates to linux_base-rl9-9.6 to make this entry disappear.
      It's left for emulation@ to clean up.

    Security:       CVE-2025-7709
    Security:       c5889223-b4e1-11f0-ae9b-b42e991fc52e
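A defender-side check built from the range stated in this comment (affected only from 3.49.1 per the GHSA) and the version this PR ships (3.50.4), added here as an example and not part of the PR, the port or VuXML. It is plain POSIX sh; the version strings are constructed samples of what `pkg query '%v' sqlite3` might print on a few hosts.

```shell
# Added example, not part of the PR or the port. Flags an installed sqlite3
# version as in scope for CVE-2025-7709 when it lies in [3.49.1, 3.50.4):
# the lower bound comes from the GHSA cited in the VuXML revision above, the
# upper bound is the version this security update installs.

# verlt A B: exit 0 when dotted numeric version A is strictly lower than B.
verlt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal
}

# sqlite_affected VERSION: exit 0 when VERSION is >= 3.49.1 and < 3.50.4.
# A FreeBSD PORTREVISION suffix such as "_1" is ignored for the comparison.
sqlite_affected() {
    v=${1%%_*}
    ! verlt "$v" 3.49.1 && verlt "$v" 3.50.4
}

# Constructed sample versions, as `pkg query '%v' sqlite3` would print them.
for v in 3.46.1 3.49.1 3.50.2_1 3.50.4 3.51.0; do
    if sqlite_affected "$v"; then
        echo "sqlite3-$v: in affected range, update to 3.50.4 or later"
    else
        echo "sqlite3-$v: outside affected range"
    fi
done
```

On a real host `pkg audit -F` is the authoritative check against VuXML; this script only reproduces the range logic so the entry's bounds can be reasoned about offline.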
(In reply to Matthias Andree from comment #9)
Make that "took like ten weeks to file the VuXML" and then another almost two to fix it.
(In reply to Matthias Andree from comment #7)
I do not think it was appropriate to take over this PR. I feel this action was improper for two reasons:

1. I had already submitted this PR with a more comprehensive set of changes. However, you closed it by committing a separate patch instead of my submission.
2. If an implicit approval from the ports-secteam exists for updating the port due to a vulnerability, you could have simply cited that approval to commit your update without overriding my current submission.

Therefore, I will be reopening this PR and assigning it to myself to commit the pending changes.
(In reply to Po-Chuan Hsieh from comment #0)
Add a note here that the enabled SESSION option is needed for using databases/sqlite3 in www/node{22,24,25}. See also bug #290509.
(In reply to Po-Chuan Hsieh from comment #11)
Sorry that it was incomplete and I closed it; of course it's fine to reopen and add the missing bits. All I should normally do under blanket for a security issue is the safe patchlevel update; anything else is out of scope, and this looked like it wanted merging with the 3.51.0 update, which wouldn't be for 2025Q4 and couldn't be cherry-picked for a security update to quarterly, so we needed that in isolation anyhow.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b5b732d31a22ebba5dd27d23acbfae5c7511da41

commit b5b732d31a22ebba5dd27d23acbfae5c7511da41
Author:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2025-11-11 07:13:27 +0000
Commit:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
CommitDate: 2025-11-11 07:17:10 +0000

    databases/sqlite3: Enable SESSION option by default

    - Update WWW
    - Add LICENSE_FILE
    - Remove unnecessary substitution
    - Remove unnecessary double quotation mark
    - Bump PORTREVISION for package change

    PR:             290588
    Approved by:    maintainer (timeout, 14 days)

 databases/sqlite3/Makefile | 41 +++++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 20 deletions(-)
Committed. Thanks.
Just for the record, confirming that this update compiles, builds, installs, and runs correctly for me, which should be no surprise.