mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Roman Schnider <R.Schnider@cab.de>
Cc: Roman Schnider via ptxdist <ptxdist@pengutronix.de>
Subject: Re: [ptxdist] [PATCH v2] sqlite: version bump 3.48.0 -> 3.49.2
Date: Fri, 9 May 2025 15:43:49 +0200
Message-ID: <20250509134349.GH1080564@pengutronix.de>
In-Reply-To: <4c1f6d51-22ce-4c74-a7c5-561cb7aa2df7@cab.de>

On Fri, May 09, 2025 at 01:29:40PM +0000, Roman Schnider wrote:
> > On Thu, May 08, 2025 at 10:12:53AM +0200, Roman Schnider via ptxdist wrote:
> >> https://www.sqlite.org/releaselog/3_49_2.html
> >> 
> >> * Addresses CVE-2025-29088 and CVE-2025-3277
> >> https://www.sqlite.org/cves.html
> >> 
> >> * Adjust build options, disabled JSON support
> >> * Install missing symlink libsqlite3.so -> libsqlite3.so.3.49.2 in the targetinstall stage.
> >> 
> >> Signed-off-by: Roman Schnider <r.schnider@cab.de>
> >> ---
> >> v2:
> >> - Bump to 3.49.2 since just released yesterday
> >> - Since 3.49.0, the shared library is named using the package version, e.g. libsqlite3.so.3.49.2
> >>   The install_lib macro does create a libsqlite3.so.0 symlink, but the libsqlite3.so one is missing.
> >>   Create it manually.
> >> 
> >>  rules/sqlite.make | 11 +++++++----
> >>  1 file changed, 7 insertions(+), 4 deletions(-)
> >> 
> >> diff --git a/rules/sqlite.make b/rules/sqlite.make
> >> index f75edfbd5..3eb011062 100644
> >> --- a/rules/sqlite.make
> >> +++ b/rules/sqlite.make
> >> @@ -29,8 +29,8 @@ endef
> >>  #
> >>  # Paths and names
> >>  #
> >> -SQLITE_VERSION	:= 3.48.0
> >> -SQLITE_MD5	:= ab4e0652b6dedb075faf7a2781ba2c20
> >> +SQLITE_VERSION	:= 3.49.2
> >> +SQLITE_MD5	:= 46ef8fec4c97ec77ab27659ad27b28b0
> >>  SQLITE		:= sqlite-autoconf-$(call sqlite/file-version,$(SQLITE_VERSION))
> >>  SQLITE_SUFFIX	:= tar.gz
> >>  SQLITE_URL	:= https://www.sqlite.org/2025/$(SQLITE).$(SQLITE_SUFFIX)
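
Review bot: SQLITE_MD5 is the only integrity pin on the tarball fetched from SQLITE_URL, and MD5 is not collision resistant. Because this bump is justified by CVE fixes, please confirm that the new value was computed from an archive checked against the hash upstream publishes for this release, and mention that in the commit message.
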
> >> @@ -67,8 +67,9 @@ SQLITE_CONF_OPT		:= \
> >>  	--disable-editline \
> >>  	--$(call ptx/endis,PTXCONF_SQLITE_READLINE)-readline \
> >>  	--$(call ptx/endis,PTXCONF_SQLITE_THREADSAFE)-threadsafe \
> >> -	--$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-dynamic-extensions \
> >> +	--$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-load-extension \
> >>  	--disable-math \
> >> +	--disable-json \
> > 
> > See my comment on v1.
> > 
> >>  	--enable-fts4 \
> >>  	--enable-fts3 \
> >>  	--disable-fts5 \
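
Review bot: the added --disable-json line is hard-coded, and the commit message says JSON support is disabled without saying why; either give the reason or put it behind a PTXCONF_SQLITE_* symbol with ptx/endis like the readline and threadsafe switches. The switch from -dynamic-extensions to -load-extension in the same hunk is only covered by "Adjust build options"; since that option decides whether extension loading is compiled in, the message should state that the configure flag was renamed so a reader can confirm that PTXCONF_SQLITE_LOAD_EXTENSION still takes effect.
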
> >> @@ -90,7 +91,9 @@ $(STATEDIR)/sqlite.targetinstall:
> >>  	@$(call install_fixup, sqlite,AUTHOR,"Ladislav Michl <ladis@linux-mips.org>")
> >>  	@$(call install_fixup, sqlite,DESCRIPTION,missing)
> >>  
> >> -	@$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
> >> +	@$(call install_lib,  sqlite, 0, 0, 0644, libsqlite3)
> >> +	@$(call install_link, sqlite, libsqlite3.so.$(SQLITE_VERSION), \
> >> +		/usr/lib/libsqlite3.so)
> > 
> > PTXdist drops this link explicitly, because it should not be needed at
> > runtime. It is typically used to find -lsqlite3 at build-time. The linker
> > will then use the 'soname' which is libsqlite3.so.0 here. And that link
> > exists.
> > So why do you need libsqlite3.so here?
> 
> Since 3.49.0 the build does not create a shared library including the 
> SONAME entry with 'libsqlite3.so.0' anymore. A binary linked against it 
> will then include the default name libsqlite3.so for the NEEDED entry, 
> which is not there:
> $ arm-v7a-linux-gnueabihf-objdump -p sqlite-test | grep NEEDED
>    NEEDED               libz.so.1
>    NEEDED               libsqlite3.so
>    NEEDED               libc.so.6
> 
> 
> A detailed explication why they removed the soname can be found here:
> https://sqlite.org/src/forumpost/5a3b44f510df8ded

Thank you for the explication.

> I guess we now have two options:
> 1. add the link manually
> 2. change the configuration to use the option --soname=legacy

Please use --soname=legacy so that we can keep the rest as is.

Michael

> >>  ifdef PTXCONF_SQLITE_TOOL
> >>  	@$(call install_copy, sqlite, 0, 0, 0755, -, /usr/bin/sqlite3)
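
Review bot: the added install_link puts the unversioned libsqlite3.so on the target, so binaries keep recording NEEDED libsqlite3.so and the soname no longer separates ABI versions. Configuring with --soname=legacy, as requested in this reply, keeps libsqlite3.so.0 and lets the install_link lines be dropped; the whitespace-only change to the install_lib line ("install_lib,  sqlite") should go with them.
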
> >> -- 
> >> 2.43.0

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
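
The objdump check from the thread, turned into a reusable audit; this is an added example, not part of the original messages or of ptxdist. The function names are hypothetical and the two library dumps are constructed samples; only the sqlite-test NEEDED lines are taken from the thread.

```shell
#!/bin/sh
# Added example: audit `objdump -p` dumps for the soname problem in this thread.
# Function names are hypothetical; nothing here comes from ptxdist or SQLite.

# Print each NEEDED entry that ends in a bare ".so" (no ABI version suffix).
unversioned_needed() {
    awk '$1 == "NEEDED" && $2 ~ /\.so$/ { print $2 }'
}

# Print the SONAME from a library dump; exit status 1 if the library has none.
soname_of() {
    awk '$1 == "SONAME" { print $2; found = 1 } END { exit !found }'
}

# NEEDED lines quoted in the thread for the sqlite-test binary.
sample_binary_dump() {
    cat <<'EOF'
  NEEDED               libz.so.1
  NEEDED               libsqlite3.so
  NEEDED               libc.so.6
EOF
}

# Constructed sample: dynamic section of a library that carries a soname.
sample_lib_with_soname() {
    cat <<'EOF'
Dynamic Section:
  NEEDED               libc.so.6
  SONAME               libsqlite3.so.0
EOF
}

# Constructed sample: the same library built without a soname.
sample_lib_without_soname() {
    cat <<'EOF'
Dynamic Section:
  NEEDED               libc.so.6
EOF
}

# Real use: audit_elf FILE [OBJDUMP], e.g. the cross objdump used in the thread.
audit_elf() {
    dump=$("${2:-objdump}" -p "$1") || return 2
    bad=$(printf '%s\n' "$dump" | unversioned_needed)
    [ -z "$bad" ] && return 0
    printf '%s: unversioned NEEDED: %s\n' "$1" "$bad" >&2
    return 1
}

sample_binary_dump | unversioned_needed
```

Run over every ELF file in a target root filesystem image, audit_elf flags binaries that would fail to load once the unversioned link is dropped from the image.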


