* [ptxdist] [PATCH v2] sqlite: version bump 3.48.0 -> 3.49.2
From: Roman Schnider via ptxdist @ 2025-05-08 8:12 UTC
To: ptxdist; +Cc: Roman Schnider
https://www.sqlite.org/releaselog/3_49_2.html
* Addresses CVE-2025-29088 and CVE-2025-3277
https://www.sqlite.org/cves.html
* Adjust build options, disabled JSON support
* Install missing symlink libsqlite3.so -> libsqlite3.so.3.49.2 in the targetinstall stage.
Signed-off-by: Roman Schnider <r.schnider@cab.de>
---
v2:
- Bump to 3.49.2 since just released yesterday
- Since 3.49.0, the shared library is named using the package version, e.g. libsqlite3.so.3.49.2
The install_lib macro does create a libsqlite3.so.0 symlink, but the libsqlite3.so one is missing.
Create it manually.
rules/sqlite.make | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rules/sqlite.make b/rules/sqlite.make
index f75edfbd5..3eb011062 100644
--- a/rules/sqlite.make
+++ b/rules/sqlite.make
@@ -29,8 +29,8 @@ endef
#
# Paths and names
#
-SQLITE_VERSION := 3.48.0
-SQLITE_MD5 := ab4e0652b6dedb075faf7a2781ba2c20
+SQLITE_VERSION := 3.49.2
+SQLITE_MD5 := 46ef8fec4c97ec77ab27659ad27b28b0
SQLITE := sqlite-autoconf-$(call sqlite/file-version,$(SQLITE_VERSION))
SQLITE_SUFFIX := tar.gz
SQLITE_URL := https://www.sqlite.org/2025/$(SQLITE).$(SQLITE_SUFFIX)
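Review bot: SQLITE_MD5 is the only integrity pin visible for the tarball fetched from SQLITE_URL, and MD5 is not collision resistant. Since this bump is justified by CVE fixes, check the new tarball against the SHA3-256 value published on the SQLite download page before merging, and pin a stronger digest in the rule if the rule format offers one.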
@@ -67,8 +67,9 @@ SQLITE_CONF_OPT := \
--disable-editline \
--$(call ptx/endis,PTXCONF_SQLITE_READLINE)-readline \
--$(call ptx/endis,PTXCONF_SQLITE_THREADSAFE)-threadsafe \
- --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-dynamic-extensions \
+ --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-load-extension \
--disable-math \
+ --disable-json \
--enable-fts4 \
--enable-fts3 \
--disable-fts5 \
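Review bot: --disable-json is added unconditionally to SQLITE_CONF_OPT, while the neighbouring readline, threadsafe and load-extension switches are driven by PTXCONF_ options through ptx/endis, and the commit message says only "disabled JSON support" without a reason. Existing users of the JSON SQL functions lose them on this bump, so either wire it to a menu option like the others or state the rationale in the commit message. The switch from -dynamic-extensions to -load-extension also deserves a line there, since "Adjust build options" does not say that the configure option name changed.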
@@ -90,7 +91,9 @@ $(STATEDIR)/sqlite.targetinstall:
@$(call install_fixup, sqlite,AUTHOR,"Ladislav Michl <ladis@linux-mips.org>")
@$(call install_fixup, sqlite,DESCRIPTION,missing)
- @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
+ @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
+ @$(call install_link, sqlite, libsqlite3.so.$(SQLITE_VERSION), \
+ /usr/lib/libsqlite3.so)
ifdef PTXCONF_SQLITE_TOOL
@$(call install_copy, sqlite, 0, 0, 0755, -, /usr/bin/sqlite3)
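Review bot: the new install_link puts the unversioned /usr/lib/libsqlite3.so on the target, but neither the commit message nor the v2 notes say which runtime consumer needs it; they only say the link is missing. State the reason, for example what ends up in the NEEDED entry of a binary linked against the new library, so the link is not later dropped as a build-time-only artifact. The install_lib line also shows up as a removed and re-added pair with no visible change; drop that whitespace churn from the hunk.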
--
2.43.0
* Re: [ptxdist] [PATCH v2] sqlite: version bump 3.48.0 -> 3.49.2
From: Michael Olbrich @ 2025-05-09 8:55 UTC
To: Roman Schnider via ptxdist; +Cc: Roman Schnider
On Thu, May 08, 2025 at 10:12:53AM +0200, Roman Schnider via ptxdist wrote:
> https://www.sqlite.org/releaselog/3_49_2.html
>
> * Addresses CVE-2025-29088 and CVE-2025-3277
> https://www.sqlite.org/cves.html
>
> * Adjust build options, disabled JSON support
> * Install missing symlink libsqlite3.so -> libsqlite3.so.3.49.2 in the targetinstall stage.
>
> Signed-off-by: Roman Schnider <r.schnider@cab.de>
> ---
> v2:
> - Bump to 3.49.2 since just released yesterday
> - Since 3.49.0, the shared library is named using the package version, e.g. libsqlite3.so.3.49.2
> The install_lib macro does create a libsqlite3.so.0 symlink, but the libsqlite3.so one is missing.
> Create it manually.
>
> rules/sqlite.make | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/rules/sqlite.make b/rules/sqlite.make
> index f75edfbd5..3eb011062 100644
> --- a/rules/sqlite.make
> +++ b/rules/sqlite.make
> @@ -29,8 +29,8 @@ endef
> #
> # Paths and names
> #
> -SQLITE_VERSION := 3.48.0
> -SQLITE_MD5 := ab4e0652b6dedb075faf7a2781ba2c20
> +SQLITE_VERSION := 3.49.2
> +SQLITE_MD5 := 46ef8fec4c97ec77ab27659ad27b28b0
> SQLITE := sqlite-autoconf-$(call sqlite/file-version,$(SQLITE_VERSION))
> SQLITE_SUFFIX := tar.gz
> SQLITE_URL := https://www.sqlite.org/2025/$(SQLITE).$(SQLITE_SUFFIX)
> @@ -67,8 +67,9 @@ SQLITE_CONF_OPT := \
> --disable-editline \
> --$(call ptx/endis,PTXCONF_SQLITE_READLINE)-readline \
> --$(call ptx/endis,PTXCONF_SQLITE_THREADSAFE)-threadsafe \
> - --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-dynamic-extensions \
> + --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-load-extension \
> --disable-math \
> + --disable-json \
See my comment on v1.
> --enable-fts4 \
> --enable-fts3 \
> --disable-fts5 \
> @@ -90,7 +91,9 @@ $(STATEDIR)/sqlite.targetinstall:
> @$(call install_fixup, sqlite,AUTHOR,"Ladislav Michl <ladis@linux-mips.org>")
> @$(call install_fixup, sqlite,DESCRIPTION,missing)
>
> - @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
> + @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
> + @$(call install_link, sqlite, libsqlite3.so.$(SQLITE_VERSION), \
> + /usr/lib/libsqlite3.so)
PTXdist drops this link explicitly, because it should not be needed at
runtime. It is typically used to find -lsqlite3 at build-time. The linker
will then use the 'soname' which is libsqlite3.so.0 here. And that link
exists.
So why do you need libsqlite3.so here?
Michael
>
> ifdef PTXCONF_SQLITE_TOOL
> @$(call install_copy, sqlite, 0, 0, 0755, -, /usr/bin/sqlite3)
> --
> 2.43.0
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH v2] sqlite: version bump 3.48.0 -> 3.49.2
From: Roman Schnider via ptxdist @ 2025-05-09 13:29 UTC
To: Michael Olbrich, Roman Schnider via ptxdist; +Cc: Roman Schnider
> On Thu, May 08, 2025 at 10:12:53AM +0200, Roman Schnider via ptxdist wrote:
>> https://www.sqlite.org/releaselog/3_49_2.html
>>
>> * Addresses CVE-2025-29088 and CVE-2025-3277
>> https://www.sqlite.org/cves.html
>>
>> * Adjust build options, disabled JSON support
>> * Install missing symlink libsqlite3.so -> libsqlite3.so.3.49.2 in the targetinstall stage.
>>
>> Signed-off-by: Roman Schnider <r.schnider@cab.de>
>> ---
>> v2:
>> - Bump to 3.49.2 since just released yesterday
>> - Since 3.49.0, the shared library is named using the package version, e.g. libsqlite3.so.3.49.2
>> The install_lib macro does create a libsqlite3.so.0 symlink, but the libsqlite3.so one is missing.
>> Create it manually.
>>
>> rules/sqlite.make | 11 +++++++----
>> 1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/rules/sqlite.make b/rules/sqlite.make
>> index f75edfbd5..3eb011062 100644
>> --- a/rules/sqlite.make
>> +++ b/rules/sqlite.make
>> @@ -29,8 +29,8 @@ endef
>> #
>> # Paths and names
>> #
>> -SQLITE_VERSION := 3.48.0
>> -SQLITE_MD5 := ab4e0652b6dedb075faf7a2781ba2c20
>> +SQLITE_VERSION := 3.49.2
>> +SQLITE_MD5 := 46ef8fec4c97ec77ab27659ad27b28b0
>> SQLITE := sqlite-autoconf-$(call sqlite/file-version,$(SQLITE_VERSION))
>> SQLITE_SUFFIX := tar.gz
>> SQLITE_URL := https://www.sqlite.org/2025/$(SQLITE).$(SQLITE_SUFFIX)
>> @@ -67,8 +67,9 @@ SQLITE_CONF_OPT := \
>> --disable-editline \
>> --$(call ptx/endis,PTXCONF_SQLITE_READLINE)-readline \
>> --$(call ptx/endis,PTXCONF_SQLITE_THREADSAFE)-threadsafe \
>> - --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-dynamic-extensions \
>> + --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-load-extension \
>> --disable-math \
>> + --disable-json \
>
> See my comment on v1.
>
>> --enable-fts4 \
>> --enable-fts3 \
>> --disable-fts5 \
>> @@ -90,7 +91,9 @@ $(STATEDIR)/sqlite.targetinstall:
>> @$(call install_fixup, sqlite,AUTHOR,"Ladislav Michl <ladis@linux-mips.org>")
>> @$(call install_fixup, sqlite,DESCRIPTION,missing)
>>
>> - @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
>> + @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
>> + @$(call install_link, sqlite, libsqlite3.so.$(SQLITE_VERSION), \
>> + /usr/lib/libsqlite3.so)
>
> PTXdist drops this link explicitly, because it should not be needed at
> runtime. It is typically used to find -lsqlite3 at build-time. The linker
> will then use the 'soname' which is libsqlite3.so.0 here. And that link
> exists.
> So why do you need libsqlite3.so here?
Since 3.49.0 the build does not create a shared library including the
SONAME entry with 'libsqlite3.so.0' anymore. A binary linked against it
will then include the default name libsqlite3.so for the NEEDED entry,
which is not there:
$ arm-v7a-linux-gnueabihf-objdump -p sqlite-test | grep NEEDED
NEEDED libz.so.1
NEEDED libsqlite3.so
NEEDED libc.so.6
A detailed explication why they removed the soname can be found here:
https://sqlite.org/src/forumpost/5a3b44f510df8ded
I guess we now have two options:
1. add the link manually
2. change the configuration to use the option --soname=legacy
Roman.
>
> Michael
>
>>
>> ifdef PTXCONF_SQLITE_TOOL
>> @$(call install_copy, sqlite, 0, 0, 0755, -, /usr/bin/sqlite3)
>> --
>> 2.43.0
>>
>>
>>
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>
>
>
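The failure described in this message, as an added example that is not part of the original mail or of PTXdist: a shell check that lists the NEEDED names from `objdump -p` output that have no matching file in a target library directory. The function names, the constructed directory layout and the single-directory lookup are assumptions; the NEEDED lines are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: report DT_NEEDED names that a target library directory
# cannot satisfy. Input is the text printed by `objdump -p <binary>`.

# Constructed sample: the NEEDED lines quoted in the thread.
SAMPLE_OBJDUMP='  NEEDED               libz.so.1
  NEEDED               libsqlite3.so
  NEEDED               libc.so.6'

# needed_names: read `objdump -p` output on stdin, print one NEEDED name per line.
needed_names() {
    awk '$1 == "NEEDED" { print $2 }'
}

# missing_needed LIBDIR: read `objdump -p` output on stdin and print every
# NEEDED name with no file in LIBDIR. `-e` follows symlinks, so a dangling
# link is reported as missing too. Assumption: one directory is searched,
# whereas the real loader also walks RUNPATH and its configured paths.
missing_needed() {
    libdir=$1
    needed_names | while IFS= read -r name; do
        [ -e "$libdir/$name" ] || printf '%s\n' "$name"
    done
}

# demo_rootfs DIR: constructed library directory matching the thread's
# description: the versioned file plus the libsqlite3.so.0 link only.
demo_rootfs() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/libz.so.1"
    : > "$dir/libc.so.6"
    : > "$dir/libsqlite3.so.3.49.2"
    ln -sf libsqlite3.so.3.49.2 "$dir/libsqlite3.so.0"
}

tmp=$(mktemp -d)
demo_rootfs "$tmp/usr/lib"
printf '%s\n' "$SAMPLE_OBJDUMP" | missing_needed "$tmp/usr/lib"
rm -rf "$tmp"
```

Run against a freshly built root filesystem after a library bump, a non-empty result flags binaries that would fail to start on the target.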
* Re: [ptxdist] [PATCH v2] sqlite: version bump 3.48.0 -> 3.49.2
From: Michael Olbrich @ 2025-05-09 13:43 UTC
To: Roman Schnider; +Cc: Roman Schnider via ptxdist
On Fri, May 09, 2025 at 01:29:40PM +0000, Roman Schnider wrote:
> > On Thu, May 08, 2025 at 10:12:53AM +0200, Roman Schnider via ptxdist wrote:
> >> https://www.sqlite.org/releaselog/3_49_2.html
> >>
> >> * Addresses CVE-2025-29088 and CVE-2025-3277
> >> https://www.sqlite.org/cves.html
> >>
> >> * Adjust build options, disabled JSON support
> >> * Install missing symlink libsqlite3.so -> libsqlite3.so.3.49.2 in the targetinstall stage.
> >>
> >> Signed-off-by: Roman Schnider <r.schnider@cab.de>
> >> ---
> >> v2:
> >> - Bump to 3.49.2 since just released yesterday
> >> - Since 3.49.0, the shared library is named using the package version, e.g. libsqlite3.so.3.49.2
> >> The install_lib macro does create a libsqlite3.so.0 symlink, but the libsqlite3.so one is missing.
> >> Create it manually.
> >>
> >> rules/sqlite.make | 11 +++++++----
> >> 1 file changed, 7 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/rules/sqlite.make b/rules/sqlite.make
> >> index f75edfbd5..3eb011062 100644
> >> --- a/rules/sqlite.make
> >> +++ b/rules/sqlite.make
> >> @@ -29,8 +29,8 @@ endef
> >> #
> >> # Paths and names
> >> #
> >> -SQLITE_VERSION := 3.48.0
> >> -SQLITE_MD5 := ab4e0652b6dedb075faf7a2781ba2c20
> >> +SQLITE_VERSION := 3.49.2
> >> +SQLITE_MD5 := 46ef8fec4c97ec77ab27659ad27b28b0
> >> SQLITE := sqlite-autoconf-$(call sqlite/file-version,$(SQLITE_VERSION))
> >> SQLITE_SUFFIX := tar.gz
> >> SQLITE_URL := https://www.sqlite.org/2025/$(SQLITE).$(SQLITE_SUFFIX)
> >> @@ -67,8 +67,9 @@ SQLITE_CONF_OPT := \
> >> --disable-editline \
> >> --$(call ptx/endis,PTXCONF_SQLITE_READLINE)-readline \
> >> --$(call ptx/endis,PTXCONF_SQLITE_THREADSAFE)-threadsafe \
> >> - --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-dynamic-extensions \
> >> + --$(call ptx/endis,PTXCONF_SQLITE_LOAD_EXTENSION)-load-extension \
> >> --disable-math \
> >> + --disable-json \
> >
> > See my comment on v1.
> >
> >> --enable-fts4 \
> >> --enable-fts3 \
> >> --disable-fts5 \
> >> @@ -90,7 +91,9 @@ $(STATEDIR)/sqlite.targetinstall:
> >> @$(call install_fixup, sqlite,AUTHOR,"Ladislav Michl <ladis@linux-mips.org>")
> >> @$(call install_fixup, sqlite,DESCRIPTION,missing)
> >>
> >> - @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
> >> + @$(call install_lib, sqlite, 0, 0, 0644, libsqlite3)
> >> + @$(call install_link, sqlite, libsqlite3.so.$(SQLITE_VERSION), \
> >> + /usr/lib/libsqlite3.so)
> >
> > PTXdist drops this link explicitly, because it should not be needed at
> > runtime. It is typically used to find -lsqlite3 at build-time. The linker
> > will then use the 'soname' which is libsqlite3.so.0 here. And that link
> > exists.
> > So why do you need libsqlite3.so here?
>
> Since 3.49.0 the build does not create a shared library including the
> SONAME entry with 'libsqlite3.so.0' anymore. A binary linked against it
> will then include the default name libsqlite3.so for the NEEDED entry,
> which is not there:
> $ arm-v7a-linux-gnueabihf-objdump -p sqlite-test | grep NEEDED
> NEEDED libz.so.1
> NEEDED libsqlite3.so
> NEEDED libc.so.6
>
>
> A detailed explication why they removed the soname can be found here:
> https://sqlite.org/src/forumpost/5a3b44f510df8ded
Thank you for the explication.
> I guess we now have two options:
> 1. add the link manually
> 2. change the configuration to use the option --soname=legacy
Please use --soname=legacy so that we can keep the rest as is.
Michael
> >> ifdef PTXCONF_SQLITE_TOOL
> >> @$(call install_copy, sqlite, 0, 0, 0755, -, /usr/bin/sqlite3)
> >> --
> >> 2.43.0
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |