Version in base suite: 3.46.1-7+deb13u1 Base version: sqlite3_3.46.1-7+deb13u1 Target version: sqlite3_3.46.1-7+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sqlite3/sqlite3_3.46.1-7+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sqlite3/sqlite3_3.46.1-7+deb13u2.dsc changelog | 9 ++ patches/54-CVE-2026-11822_CVE-2026-11824.patch | 106 +++++++++++++++++++++++++ patches/series | 1 3 files changed, 116 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp3r51ascx/sqlite3_3.46.1-7+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp3r51ascx/sqlite3_3.46.1-7+deb13u2.dsc: no acceptable signature found diff -Nru sqlite3-3.46.1/debian/changelog sqlite3-3.46.1/debian/changelog --- sqlite3-3.46.1/debian/changelog 2026-01-22 18:19:00.000000000 +0000 +++ sqlite3-3.46.1/debian/changelog 2026-06-14 12:32:03.000000000 +0000 @@ -1,3 +1,12 @@ +sqlite3 (3.46.1-7+deb13u2) trixie; urgency=medium + + * Backport upstream security fix for CVE-2026-11822: memory corruption + vulnerabilities in the FTS5 full-text search extension. + * Backport upstream security fix for CVE-2026-11824: heap-based buffer + overflow vulnerability in the FTS5 full-text search extension. + + -- Laszlo Boszormenyi (GCS) Sun, 14 Jun 2026 14:32:03 +0200 + sqlite3 (3.46.1-7+deb13u1) trixie; urgency=medium * Backport upstream security fix for CVE-2025-7709: integer overflow in the diff -Nru sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch --- sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch 1970-01-01 00:00:00.000000000 +0000 +++ sqlite3-3.46.1/debian/patches/54-CVE-2026-11822_CVE-2026-11824.patch 2026-06-14 12:32:03.000000000 +0000 @@ -0,0 +1,106 @@ +From 79db323ce14923a1bcc7b3b72679003c14c1cd7f Mon Sep 17 00:00:00 2001 +From: dan +Date: Mon, 11 May 2026 11:12:06 +0000 +Subject: [PATCH] Fix potential buffer overwrite that could occur in fts5 when + processing corrupt records. + +FossilOrigin-Name: 4a5ad516ea93926c0d5206b4d72c3675905d2bf666b27a649256b93eb95c671b +--- + ext/fts5/fts5_index.c | 2 +- + ext/fts5/test/fts5corruptA.test | 72 +++++++++++++++++++++++++++++++++ + manifest | 15 +++---- + manifest.uuid | 2 +- + 4 files changed, 82 insertions(+), 9 deletions(-) + create mode 100644 ext/fts5/test/fts5corruptA.test + +diff --git a/ext/fts5/fts5_index.c b/ext/fts5/fts5_index.c +index 164d613881..29be766042 100644 +--- a/ext/fts5/fts5_index.c ++++ b/ext/fts5/fts5_index.c +@@ -873,7 +873,7 @@ static void fts5DataRelease(Fts5Data *pD + static Fts5Data *fts5LeafRead(Fts5Index *p, i64 iRowid){ + Fts5Data *pRet = fts5DataRead(p, iRowid); + if( pRet ){ +- if( pRet->nn<4 || pRet->szLeaf>pRet->nn ){ ++ if( pRet->szLeaf<4 || pRet->szLeaf>pRet->nn ){ + p->rc = FTS5_CORRUPT; + fts5DataRelease(pRet); + pRet = 0; +diff --git a/ext/fts5/test/fts5corruptA.test b/ext/fts5/test/fts5corruptA.test +new file mode 100644 +index 0000000000..838cded578 +--- /dev/null ++++ b/ext/fts5/test/fts5corruptA.test +@@ -0,0 +1,72 @@ ++# 2026 May 11 ++# ++# The author disclaims copyright to this source code. In place of ++# a legal notice, here is a blessing: ++# ++# May you do good and not evil. ++# May you find forgiveness for yourself and forgive others. ++# May you share freely, never taking more than you give. ++# ++#*********************************************************************** ++# ++ ++source [file join [file dirname [info script]] fts5_common.tcl] ++set testprefix fts5corruptA ++ ++# If SQLITE_ENABLE_FTS5 is not defined, omit this file. ++ifcapable !fts5 { ++ finish_test ++ return ++} ++sqlite3_fts5_may_be_corrupt 1 ++ ++do_execsql_test 1.0 { ++ CREATE VIRTUAL TABLE t USING fts5(x, detail='full'); ++ INSERT INTO t(t, rank) VALUES('pgsz', 32); ++} ++ ++set big [string repeat "a " 200] ++do_execsql_test 1.1 { ++ INSERT INTO t(rowid, x) VALUES(1, $big) ++} ++ ++do_test 1.2 { ++ db eval { ++ SELECT min(rowid) AS base_rowid, count(*) AS page_count FROM t_data ++ WHERE rowid>1000 ++ } {} ++} {} ++ ++do_test 1.3 { ++ for {set ii 0} {$ii < 5} {incr ii} { ++ db eval { ++ INSERT INTO t_data(rowid, block) ++ VALUES( $base_rowid + $page_count + $ii, zeroblob(4) ); ++ } ++ } ++ db eval { ++ INSERT INTO t_data(rowid, block) ++ VALUES( $base_rowid + $page_count + 5, ++ unhex('00000080' || 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC') ); ++ } ++ set {} {} ++} {} ++ ++db close ++ ++do_test 1.4 { ++ set hex [hexio_read test.db 0 [file size test.db]] ++ ++ set off [string first "023061018310" $hex] ++ set hex [string replace $hex $off [expr $off+11] 023061018370] ++ hexio_write test.db 0 $hex ++} {6144} ++ ++sqlite3 db test.db ++ ++do_catchsql_test 1.5 { ++ SELECT rowid FROM t WHERE t MATCH 'a' ++} {1 {fts5: corruption found reading blob 137438953481 from table "t"}} ++ ++sqlite3_fts5_may_be_corrupt 0 ++finish_test diff -Nru sqlite3-3.46.1/debian/patches/series sqlite3-3.46.1/debian/patches/series --- sqlite3-3.46.1/debian/patches/series 2026-01-22 18:19:00.000000000 +0000 +++ sqlite3-3.46.1/debian/patches/series 2026-06-14 12:32:03.000000000 +0000 @@ -12,3 +12,4 @@ 51-CVE-2025-29088.patch 52-CVE-2025-6965.patch 53-CVE-2025-7709.patch +54-CVE-2026-11822_CVE-2026-11824.patch