sqlite: upgrade vendored snapshot 3.34.1 -> 3.53.1 (CVE fixes) #1457
Open
bmehta001 wants to merge 7 commits into
…ules#248, modules#266)

The in-tree SQLite snapshot has been on 3.34.1 (March 2021) since commit 03c78ec. That leaves us exposed to a series of CVEs reported against the modules repo as cpp_client_telemetry_modules#248 and microsoft#266:

- CVE-2022-35737 String overflow in printf APIs (fixed 3.39.2)
- CVE-2023-7104 Heap buffer overflow in sqlite3session.c (fixed 3.44.0)
- CVE-2024-0232 Use-after-free in JSON parser (fixed 3.44.2)
- CVE-2025-6965 Aggregate function memory corruption (fixed 3.50.2)
- CVE-2025-70873 zipfile extension info disclosure (post-3.51.1)
- CVE-2025-7709 FTS5 integer overflow -> controlled OOB (post-3.51.1)

Upgrading to the current stable amalgamation (3.53.1, May 2025) addresses all of the above and avoids the trap of landing on an interim version that later requires another bump for a newer CVE.

Source: https://www.sqlite.org/2026/sqlite-amalgamation-3530100.zip
SHA3-256 3c07136e4f6b5dd0c395be86455014039597bc65b6851f7111e88f71b6e06114
sqlite/sqlite GitHub tag version-3.53.1 (commit ccd445d76a9362c63add000354fac84ba9022176)

Files refreshed from the upstream amalgamation:

- sqlite/sqlite3.h 604 KB -> 690 KB
- sqlite/sqlite3ext.h 41 KB -> 39 KB
- sqlite/sqlite3_debug.c
- sqlite/sqlite3_retail.c
- sqlite/shell.c 676 KB -> 1182 KB

The MEMSET_S patches from PR microsoft#1286 are re-applied. Four of the five original patch sites still exist verbatim in 3.53.1 (pcacheFetchFinishWithInit, sqlite3VdbeCreate, whereClauseInsert, sqlite3WhereBegin); the fifth (sqlite3ExprListAppend zEName clear) was refactored upstream into a single `*pItem = zeroItem;` struct assignment and therefore no longer needs to be wrapped.

Trade-off: the previous sqlite3_debug.c was built with `--linemacros` and carried 802 `#line` directives to map back to the unamalgamated `tsrc/*.c` files; sqlite3_retail.c had them stripped. The upstream amalgamation download ships without `#line` directives (matching the previous retail flavor), and we have no Tcl-based regeneration step locally, so for this upgrade both `sqlite3_debug.c` and `sqlite3_retail.c` are copies of the upstream amalgamation. The retail/debug split (and the `sqlite/sqlite3.c` wrapper that selects between them via NDEBUG) is preserved so downstream project files do not need to change; only the source-file mapping in debug builds is affected, and that capability was never tested for the retail flavor.

cgmanifest.json: bumped the SQLite registration `CommitHash` to the github.com/sqlite/sqlite mirror commit for tag `version-3.53.1`.

sqlite/version.txt: updated the source URL and rewrote the Integration steps section to reflect the new amalgamation-zip layout (the previous `sqlite-win10-all-*.zip` no longer exists for current versions).

Closes microsoft/cpp_client_telemetry_modules#248
Closes microsoft/cpp_client_telemetry_modules#266

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Clarify the historical fixed-in versions for CVE-2023-7104, CVE-2024-0232, and CVE-2025-7709 so the PR audit trail matches public CVE metadata. The upgrade target remains SQLite 3.53.1.

Files changed:
- none (metadata-only correction in PR description)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Pull request overview
This PR upgrades the vendored SQLite snapshot from 3.34.1 to 3.53.1 to pick up upstream CVE fixes while preserving the existing wrapper/build layout and reapplying the local MEMSET_S hardening patches.
Changes:
- Refreshes SQLite amalgamation headers, shell source, and debug/retail source copies to 3.53.1.
- Reapplies the local `MEMSET_S` substitutions at the four remaining applicable SQLite call sites.
- Updates component governance metadata and integration instructions for the new source package.
Reviewed changes
Copilot reviewed 3 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| sqlite/sqlite3.h | Updates public SQLite version/API declarations to 3.53.1. |
| sqlite/sqlite3ext.h | Updates SQLite extension API declarations and macros to the 3.53.1 surface. |
| sqlite/shell.c | Refreshes the SQLite shell amalgamation source. |
| sqlite/sqlite3_debug.c | Refreshes the debug amalgamation copy and preserves local MEMSET_S patches. |
| sqlite/sqlite3_retail.c | Refreshes the retail amalgamation copy and preserves local MEMSET_S patches. |
| sqlite/version.txt | Documents the new source archive and integration process. |
| cgmanifest.json | Updates the recorded SQLite upstream commit to the 3.53.1 tag. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Release.vc14x.MT-sqlite builds already optimize for size, so leaving /RTC1 enabled makes modern MSVC reject the SQLite project with D8016. Match the normal Release configs by using default runtime checks.

Files changed:
- sqlite/sqlite.vcxproj

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Document that SQLite refreshes should review all five historical MEMSET_S patch sites from PR microsoft#1286, even though only four remain in the current amalgamation, and keep both desktop and UWP project files in sync.

Files changed:
- sqlite/version.txt

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

SQLite upgrade: 3.34.1 -> 3.53.1

Addresses `cpp_client_telemetry_modules#248` and its duplicate `cpp_client_telemetry_modules#266`.

Also fixes #1313 by aligning the SQLite release-MT MSVC runtime-check setting with the existing Release configs.

Why

The in-tree SQLite snapshot has been on 3.34.1 (March 2021) since commit `03c78ece`. That leaves us exposed to a series of public CVEs against SQLite:

`sqlite3session.c`

Upgrading directly to the current stable amalgamation (3.53.1) clears all of the above and avoids landing on an interim version that would require another CVE-bump round trip later.

What's in the diff

- `sqlite/sqlite3.h`
- `sqlite/sqlite3ext.h`
- `sqlite/shell.c`
- `sqlite/sqlite3_debug.c`
- `sqlite/sqlite3_retail.c`
- `sqlite/version.txt`
- `cgmanifest.json`: `CommitHash` bumped to `version-3.53.1` tag (ccd445d...)

Source verification:

- `3c07136e4f6b5dd0c395be86455014039597bc65b6851f7111e88f71b6e06114`
- `version-3.53.1` (`ccd445d76a9362c63add000354fac84ba9022176`)

MEMSET_S patch reapplication (from PR #1286)

The optional `USE_ONEDS_SECURE_MEM_FUNCTIONS` define wraps a fixed set of bulk-clearing `memset` calls inside SQLite with the bounds-checking `MEMSET_S` macro. Four of the original five patch sites still exist verbatim in 3.53.1:

- `pcacheFetchFinishWithInit` - clearing `&pPgHdr->pDirty`
- `sqlite3VdbeCreate` - clearing `&p->aOp`
- `whereClauseInsert` - clearing `&pTerm->eOperator`
- `sqlite3WhereBegin` - clearing `&pWInfo->nOBSat`

The fifth site (`sqlite3ExprListAppend` - clearing `&pItem->zEName`) was refactored upstream into a single `*pItem = zeroItem;` struct assignment, so it no longer needs the wrapper.

The CMake option, `memset_s.h` header, and the wrapper `sqlite/sqlite3.c` are all unchanged.

Trade-off: debug `#line` directives

The previous `sqlite3_debug.c` was generated with the SQLite build tool's `--linemacros` flag and carried 802 `#line` directives mapping back to the unamalgamated `tsrc/*.c` files; `sqlite3_retail.c` had them stripped.

The upstream amalgamation download has no `#line` directives by default (matching the previous retail flavor). Regenerating the `--linemacros` variant requires Tcl plus the full source tree, which we don't have a local pipeline for.

For this upgrade both files are byte-identical copies of the upstream amalgamation. The retail/debug file split (and the `sqlite/sqlite3.c` wrapper that selects between them via `NDEBUG`) is preserved so the `.vcxproj` / build files don't need any changes; only the source-file-mapping convenience in debug SQLite-internal stack traces is lost, and that capability was never tested for the retail flavor.

A follow-up cleanup (matching the eventual direction in the internal `mip/3.9.324.1/custom` branch) could collapse the two files back into a single `sqlite3.c`; intentionally kept out of scope here to minimize the project-file blast radius.

Out of scope

`androidx.Room` by default and does not link the vendored SQLite, so it is unaffected.

Reproducibility

Pre-merge checklist for reviewers

- `OfflineStorage_SQLite` unit tests pass (this is the main SDK consumer of the vendored SQLite)
- `Analyze cpp` (clang static analysis) is clean
- `MEMSET_S(...)` appears exactly 4x in each of `sqlite3_debug.c` and `sqlite3_retail.c`
- `SQLITE_VERSION "3.53.1"` in `sqlite3.h`

Closes microsoft/cpp_client_telemetry_modules#248
Closes microsoft/cpp_client_telemetry_modules#266
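
The source-verification values and the reviewer checklist in the description above can be checked mechanically. The script below is an added example, not part of the PR or the repository: the function names and the stand-in file contents are assumptions, the expected version, call-site count and SHA3-256 are the values quoted in the description, and the debug/retail comparison assumes both copies carry the same patches.

```python
import hashlib
import re
from pathlib import Path

# Expected values are the ones quoted in the PR description.
EXPECTED_VERSION = "3.53.1"
EXPECTED_ZIP_SHA3_256 = "3c07136e4f6b5dd0c395be86455014039597bc65b6851f7111e88f71b6e06114"
EXPECTED_MEMSET_S_CALLS = 4
COPIES = ("sqlite3_debug.c", "sqlite3_retail.c")

# Matches SQLITE_VERSION only, not SQLITE_VERSION_NUMBER (a quote must follow).
VERSION_RE = re.compile(r'^#define\s+SQLITE_VERSION\s+"([^"]+)"', re.M)
MEMSET_S_RE = re.compile(r"\bMEMSET_S\s*\(")

def sha3_256_file(path):
    """Stream a file through SHA3-256 so a large amalgamation is not read whole."""
    digest = hashlib.sha3_256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_snapshot(sqlite_dir, zip_path=None):
    """Return a list of findings; an empty list means every check passed."""
    sqlite_dir, findings = Path(sqlite_dir), []
    header = (sqlite_dir / "sqlite3.h").read_text(errors="replace")
    match = VERSION_RE.search(header)
    found = match.group(1) if match else None
    if found != EXPECTED_VERSION:
        findings.append(f"sqlite3.h: SQLITE_VERSION is {found!r}")
    for name in COPIES:
        text = (sqlite_dir / name).read_text(errors="replace")
        calls = len(MEMSET_S_RE.findall(text))
        if calls != EXPECTED_MEMSET_S_CALLS:
            findings.append(f"{name}: {calls} MEMSET_S call sites")
    if len({sha3_256_file(sqlite_dir / n) for n in COPIES}) != 1:
        findings.append("debug and retail copies differ")
    if zip_path and sha3_256_file(zip_path) != EXPECTED_ZIP_SHA3_256:
        findings.append("archive SHA3-256 does not match the pinned value")
    return findings

def write_constructed_tree(root, version="3.53.1", calls=4):
    """Write tiny stand-in files (constructed, not real SQLite) for a dry run."""
    root = Path(root)
    (root / "sqlite3.h").write_text(f'#define SQLITE_VERSION "{version}"\n')
    body = "MEMSET_S(placeholder);\n" * calls  # placeholder line, not the real macro arguments
    for name in COPIES:
        (root / name).write_text(body)
    return root
```

The call-site count is a tripwire for a dropped or duplicated patch, not proof that the four calls sit in the functions the description names; that still needs a read of the diff.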