[Buildroot] [PATCH] package/sqlite: add patch to fix CVE-2025-29087

Titouan Christophe titouan.christophe at mind.be
Wed May 7 13:00:44 UTC 2025


This patch was committed upstream, and released as part of sqlite 3.49.1.

However, the configuration system changed between sqlite 3.48 and 3.49
from autotools to autosetup, and this has proven challenging to support
in Buildroot (see `git log package/sqlite`), hence why we are still on
sqlite 3.48.

Therefore, until the package build infrastructure correctly supports
building sqlite 3.49, let's simply import the upstream patch to address
the CVE.

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
 ...ast-to-avoid-32-bit-integer-overflow.patch | 33 +++++++++++++++++++
 package/sqlite/sqlite.mk                      |  3 ++
 2 files changed, 36 insertions(+)
 create mode 100644 package/sqlite/0002-Add-a-typecast-to-avoid-32-bit-integer-overflow.patch

diff --git a/package/sqlite/0002-Add-a-typecast-to-avoid-32-bit-integer-overflow.patch b/package/sqlite/0002-Add-a-typecast-to-avoid-32-bit-integer-overflow.patch
new file mode 100644
index 0000000000..b9904785c1
--- /dev/null
+++ b/package/sqlite/0002-Add-a-typecast-to-avoid-32-bit-integer-overflow.patch
@@ -0,0 +1,33 @@
+From f4fc2ee20311a0a5141726c71d318ab52001c974 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Sun, 16 Feb 2025 10:57:25 +0000
+Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the
+ concat_ws() function with an enormous separator values and many arguments.
+
+Fixes the following CVE:
+  - CVE-2025-29087: In SQLite 3.44.0 through 3.49.0 before 3.49.1,
+                    the concat_ws() SQL function can cause memory to be
+                    written beyond the end of a malloc-allocated buffer.
+
+For more info see https://nvd.nist.gov/vuln/detail/CVE-2025-29087
+
+Upstream: https://sqlite.org/src/info/498e3f1cf57f164f
+
+Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
+---
+ src/func.c    |  2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/manifest b/manifest
+index 2f7a6368f8..9f03427425 100644
+--- a/src/func.c
++++ b/src/func.c
+@@ -1570,7 +1570,7 @@ static void concatFuncCore(
+   for(i=0; i<argc; i++){
+     n += sqlite3_value_bytes(argv[i]);
+   }
+-  n += (argc-1)*nSep;
++  n += (argc-1)*(i64)nSep;
+   z = sqlite3_malloc64(n+1);
+   if( z==0 ){
+     sqlite3_result_error_nomem(context);
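Review bot: the embedded patch's header line `diff --git a/manifest b/manifest` does not match the `--- a/src/func.c` / `+++ b/src/func.c` lines that follow it, nor the diffstat, which lists only src/func.c. It looks like a leftover from trimming the upstream commit down to the one file; please make it `diff --git a/src/func.c b/src/func.c` so the header and the file lines agree and the patch stays unambiguous for anyone refreshing it later. Minor: `From: drh <>` carries an empty address. The one-line change itself, `(argc-1)*(i64)nSep`, matches what the Subject describes.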
diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index 218b3f0a1d..05e305ac17 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -13,6 +13,9 @@ SQLITE_LICENSE_FILES = tea/license.terms
 SQLITE_CPE_ID_VENDOR = sqlite
 SQLITE_INSTALL_STAGING = YES
 
+# 0002-Add-a-typecast-to-avoid-32-bit-integer-overflow.patch
+SQLITE_IGNORE_CVES = CVE-2025-29087
+
 ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
 SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
 endif
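Review bot: `SQLITE_IGNORE_CVES = CVE-2025-29087` uses plain assignment; `SQLITE_IGNORE_CVES += CVE-2025-29087` would let a later backport add its own entry without silently replacing this one. The comment naming the patch file directly above the variable is helpful. Since the commit message describes this as a stopgap until 3.49 can be built, consider noting in that comment that the patch and this line are to be dropped on the bump to 3.49.1 or later, so the ignore entry does not outlive the patch.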
-- 
2.49.0


