
Fedora 42: sqlite Critical CVE Fixes Advisory FEDORA-2025-3af464595a

fedora
October 1, 2025
Explore the critical CVE fixes for sqlite in Fedora 42, ensuring database security and integrity.
cve fixes

Summary

SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. Version 2 and version 3 binaries are named to permit each to be installed on a single host.

SQLite is built with some non-default settings:

- Additional APIs for table and query metadata are enabled (SQLITE_ENABLE_COLUMN_METADATA)
- Directory syncs are disabled (SQLITE_DISABLE_DIRSYNC)
- `secure_delete` defaults to 'on', so deleted content is overwritten with zeros (SQLITE_SECURE_DELETE)
- `sqlite3_unlock_notify()` is enabled; this feature allows registering a callback that is invoked when a lock is removed (SQLITE_ENABLE_UNLOCK_NOTIFY)
- `dbstat` virtual table with disk space usage is enabled
- `dbpage` virtual table providing direct access to the underlying database file is enabled (SQLITE_ENABLE_DBPAGE_VTAB)
- Threadsafe mode is set to 1 (Serialized), so it is safe to use in a multithreaded environment (SQLITE_THREADSAFE=1)
- FTS3, FTS4 and FTS5 are enabled, so versions 3 to 5 of the full-text search engine are available (SQLITE_ENABLE_FTS3, SQLITE_ENABLE_FTS4, SQLITE_ENABLE_FTS5)
- Pattern parser in the FTS3 extension supports nested parentheses and the operators `AND`, `OR` (SQLITE_ENABLE_FTS3_PARENTHESIS)
- R*Tree index extension is enabled (SQLITE_ENABLE_RTREE)
- Extension loading is enabled
- Sessions (sqlite-session feature) is enabled
- Preupdate hook is enabled

It is also important to note that the shell has some extensions as its dependencies, so some extensions are enabled by default in the SQLite shell, but not in the system libraries. Only the aforementioned extensions are available in the libraries: FTS3, FTS4, FTS5, R*Tree.
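An added example, not part of the advisory or the Fedora package: because the shell and the system library are built differently, this Python check reads `PRAGMA compile_options` from the library itself and reports which of the options named above are absent. It assumes Python's `sqlite3` module is linked against the system libsqlite3; the `EXPECTED` set, `SAMPLE` list and helper names are ours, and `SAMPLE` is constructed.

```python
import sqlite3

# Build options the advisory text names for Fedora's library build.
# PRAGMA compile_options reports them without the "SQLITE_" prefix.
EXPECTED = {
    "ENABLE_COLUMN_METADATA", "DISABLE_DIRSYNC", "SECURE_DELETE",
    "ENABLE_UNLOCK_NOTIFY", "ENABLE_DBPAGE_VTAB", "THREADSAFE=1",
    "ENABLE_FTS3", "ENABLE_FTS4", "ENABLE_FTS5",
    "ENABLE_FTS3_PARENTHESIS", "ENABLE_RTREE",
}

def normalize(option):
    """Upper-case and drop the optional SQLITE_ prefix so both spellings match."""
    option = option.strip().upper()
    return option[len("SQLITE_"):] if option.startswith("SQLITE_") else option

def library_options(conn):
    """Options compiled into the libsqlite3 that this interpreter is linked to."""
    return {normalize(row[0]) for row in conn.execute("PRAGMA compile_options")}

def audit(options, expected=EXPECTED):
    """Return the expected options that are absent from `options`, sorted."""
    have = {normalize(o) for o in options}
    return sorted(normalize(e) for e in expected if normalize(e) not in have)

def secure_delete_default(conn):
    """PRAGMA secure_delete on an untouched connection: 0 off, 1 on, 2 fast."""
    return conn.execute("PRAGMA secure_delete").fetchone()[0]

# Constructed sample: a build that lacks SECURE_DELETE and ENABLE_DBPAGE_VTAB.
SAMPLE = sorted(EXPECTED - {"SECURE_DELETE", "ENABLE_DBPAGE_VTAB"})

if __name__ == "__main__":
    print("sample build is missing:", audit(SAMPLE))
    conn = sqlite3.connect(":memory:")
    # sqlite_version is the upstream version only; the package release
    # (5.fc42 in this advisory) is visible to rpm/dnf, not to the library.
    print("linked library version:", sqlite3.sqlite_version)
    print("missing from this library:", audit(library_options(conn)))
    print("secure_delete default:", secure_delete_default(conn))
```

An empty "missing" list for the live library means every option named in the list above is compiled in; the library's version string alone does not show whether the packaged fix is installed.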

Update Information:

cve fixes

Change Log

* Mon Dec 9 2024 Ales Nezbeda - 3.47.2-5 - Rebuild

References


[ 1 ] Bug #2380241 - CVE-2025-6965 sqlite: Integer Truncation in SQLite [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2380241

Update Instructions

This update can be installed with the "dnf" update program. Use `su -c 'dnf upgrade --advisory FEDORA-2025-3af464595a'` at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical

Name: sqlite
Product: Fedora 42
Version: 3.47.2
Release: 5.fc42
Summary: Library that implements an embeddable SQL database engine
