[security][HIGH] sqlite 3.50.4: CVE-2025-70873 requires triage #1

Closed
opened 2026-04-29 04:39:48 +03:00 by sbelikov · 1 comment
Owner

CVE triage request

Package

  • Package: sqlite
  • Version: 3.50.4
  • EVR: 3.50.4-1
  • Category: database
  • Policy class: leaf
  • NiceOS policy class: -
  • Owner: base-team
  • Severity: HIGH
  • Max CVSS: 7.5
  • CVE count: 1

LLM recommendation

EN

CVE-2025-70873 candidate for package sqlite version 3.50.4. NVD indicates vulnerability exists in versions prior to 3.51.1, but the current distribution version (3.50.4) may not fall within the exact vulnerable release range, requiring manual verification.

Manually verify the exact list of vulnerable versions in the NVD database or on the SQLite website. If version 3.50.4 falls within the range, update the package to version 3.51.1 or higher. If the version is not within the range, close the request as a false positive.

Recommended action: needs_triage

Target version hint: 3.51.1

Tests:

1. Verify the exact version range in NVD for CVE-2025-70873 (not just the upper bound).
2. Install a test ZIP file with an exploit (if available) and attempt to trigger heap memory disclosure via zipfileInflate.
3. Compare the current sqlite version (3.50.4) with the official fix list on sqlite.org.

Risks: Potential information disclosure (heap memory disclosure) when processing specially crafted ZIP files in the zipfile extension. The risk is only realized if the sqlite package is used with the zipfile extension enabled and processes malicious files.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2025-70873 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2025-70873

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-70873"
  ],
  "fingerprint": "66c0d2dfc69af0d63184",
  "generated_at": "2026-04-29T01:39:47Z",
  "package": "sqlite",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "3.50.4"
}
Author
Owner

Fixed in sqlite-3.50.4-2 on branch niceos-5.2.

Triage result:

| CVE | NiceOS status | Resolution |
|---|---|---|
| CVE-2025-70873 | fixed | Backported the upstream zipfileInflate() fix onto the NiceOS 5.2 pinned SQLite 3.50.x line. |

Details:

  • NiceOS keeps SQLite on 3.50.4 to avoid unnecessary ABI/API/SQL-behavior changes in the stable branch.
  • The fix changes the zipfile extension to return only the number of bytes actually produced by Inflate instead of the untrusted expected uncompressed size.
  • No public ABI change: SONAME remains libsqlite3.so.0; public headers and exported API are unchanged.

Verification:

  • rpmbuild -bp confirms the patched zipfileInflate() code is present in the prepared build tree.
  • rpmbuild -ba SPECS/sqlite.spec completed successfully.
  • Optional %check completed successfully.
  • Upgrade test completed successfully.
  • sqlite3 -version reports 3.50.4.
  • Basic SQLite smoke tests completed successfully.

Closing as fixed by backport.

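To make the reported flaw and the shape of the backported fix concrete, here is an added example that models the two behaviours described above (the NVD description of zipfileInflate and the maintainer's note that the fix returns only the bytes inflate actually produced). It is not SQLite's code and not the NiceOS patch; the real extension is C calling zlib's inflate(), while this models the same logic in Python with the standard zlib module. The functions build_local_entry(), inflate_vulnerable(), inflate_fixed() and fixed_rejects() are hypothetical names, and the ZIP record, the bogus uncompressed-size field and the 0xAA filler standing in for stale heap bytes are constructed test data.

```python
"""Model of an untrusted-size inflate bug and its hardened form (added example,
not SQLite's zipfile extension and not the NiceOS backport).

A ZIP local file header carries an attacker-controlled "uncompressed size".
The vulnerable path allocates that many bytes, inflates the entry into them,
and hands back the whole buffer even when inflate produced fewer bytes; in C
the unwritten tail is whatever the heap held before (disclosure). The fixed
path returns only what inflate produced and rejects a size mismatch.
"""
import struct
import zlib

LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
HEAP_GARBAGE = b"\xAA"             # constructed stand-in for stale heap contents


def build_local_entry(name: bytes, payload: bytes, claimed_size: int) -> bytes:
    """Build one ZIP local file record (constructed test data).

    `claimed_size` is written into the uncompressed-size field and does not
    have to match the real payload length: that is the attacker's lever.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as ZIP uses
    body = comp.compress(payload) + comp.flush()
    header = struct.pack(
        LOCAL_HEADER_FMT,
        LOCAL_HEADER_SIG,
        20, 0, 8,                 # version needed, flags, method = deflate
        0, 0,                     # mod time / date
        zlib.crc32(payload) & 0xFFFFFFFF,
        len(body),
        claimed_size,
        len(name),
        0,                        # extra field length
    )
    return header + name + body


def parse_local_entry(blob: bytes):
    """Return (claimed_uncompressed_size, compressed_bytes) for a local record."""
    fields = struct.unpack_from(LOCAL_HEADER_FMT, blob, 0)
    if fields[0] != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    comp_size, claimed, name_len, extra_len = fields[7], fields[8], fields[9], fields[10]
    start = struct.calcsize(LOCAL_HEADER_FMT) + name_len + extra_len
    return claimed, blob[start:start + comp_size]


def inflate_vulnerable(blob: bytes) -> bytes:
    """Pre-fix behaviour: the returned length is whatever the header claimed."""
    claimed, comp = parse_local_entry(blob)
    out = bytearray(HEAP_GARBAGE * claimed)          # malloc(claimed): C leaves old bytes here
    produced = zlib.decompressobj(-15).decompress(comp)[:claimed]
    out[:len(produced)] = produced                   # inflate fills only this prefix
    return bytes(out)                                # bug: len(out) == claimed, not len(produced)


def inflate_fixed(blob: bytes) -> bytes:
    """Hardened behaviour: trust inflate's byte count, not the header's.

    Output is bounded to claimed + 1 so an oversized stream is caught without
    unbounded decompression, and any mismatch is treated as a corrupt entry.
    """
    claimed, comp = parse_local_entry(blob)
    d = zlib.decompressobj(-15)
    produced = d.decompress(comp, claimed + 1)
    if len(produced) != claimed or not d.eof:
        raise ValueError(
            f"uncompressed size mismatch: header says {claimed}, inflate produced {len(produced)}"
        )
    return produced


def fixed_rejects(blob: bytes) -> bool:
    """True if the hardened path refuses the entry."""
    try:
        inflate_fixed(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    crafted = build_local_entry(b"a.txt", b"hello", claimed_size=16)  # lies: 16 > 5
    print("vulnerable returns:", inflate_vulnerable(crafted))         # b'hello' + 11 filler bytes
    print("fixed rejects crafted entry:", fixed_rejects(crafted))
    print("fixed on honest entry:", inflate_fixed(build_local_entry(b"a.txt", b"hello", 5)))
```

The leaked tail shows up here as 0xAA bytes only because the buffer was prefilled; in the C extension that tail is real heap memory, which is why the fix must derive the result length from inflate's own accounting rather than from the header.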