fix(deps): pin SQLitePCLRaw to 3.0.3 to fix CVE-2025-6965#237
Closed
jas88 wants to merge 1 commit into
Closed
Conversation
CVE-2025-6965 (GHSA-2m69-gcr7-jv3q): SQLitePCLRaw.lib.e_sqlite3 <= 2.1.11 bundles SQLite < 3.50.2, vulnerable to memory corruption via aggregate terms exceeding column count. No fix exists in the 2.1.x line. SQLitePCLRaw 3.0.x replaces the bundled native lib with SourceGear.sqlite3 3.50.4, dropping the vulnerable lib.e_sqlite3 dependency entirely. Pin both bundle_e_sqlite3 and core to 3.0.3 via Central Package Management transitive pinning so the chain FAnsiSql.Legacy -> FAnsiSql.Sqlite -> Microsoft.Data.Sqlite resolves to the patched bundle. SQLite is only pulled in transitively via FAnsiSql.Legacy; Rdmp.Core's Startup loads MS SQL/MySQL/Oracle/PostgreSQL FAnsi implementations and never registers the SQLite one, so the major-version bump in SQLitePCLRaw is not exercised at runtime. Microsoft.Data.Sqlite 11.0 (shipping with .NET 11 in Nov 2026) will adopt this chain natively; this pin can be removed then.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #237 +/- ##
=====================================
Coverage 0.00% 0.00%
=====================================
Files 1118 1118
Lines 66302 66302
Branches 8767 8767
=====================================
Misses 66302 66302 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
6 tasks
Owner
Author
|
Closing in favour of upstream fix at jas88/FAnsiSql#166 — pinning SQLitePCLRaw at the FAnsiSql layer is the right home for it. Once FAnsiSql 3.6.4 is tagged and published, a smaller PR here will just bump FAnsiSql.Legacy. |
jas88
added a commit
to jas88/FAnsiSql
that referenced
this pull request
Jun 25, 2026
…VE-2025-6965) (#166) ## Summary Closes Dependabot alert #13 ([GHSA-2m69-gcr7-jv3q](GHSA-2m69-gcr7-jv3q) / CVE-2025-6965). `SQLitePCLRaw.lib.e_sqlite3` ≤ 2.1.11 bundles SQLite < 3.50.2, vulnerable to memory corruption via aggregate terms exceeding column count. No fix exists in the 2.1.x line. The 3.0.x `SQLitePCLRaw.bundle_e_sqlite3` replaces `SQLitePCLRaw.lib.e_sqlite3` with `SourceGear.sqlite3` 3.50.4 (patched). This PR: - Pins `SQLitePCLRaw.bundle_e_sqlite3` and `SQLitePCLRaw.core` to 3.0.3 in `Directory.Packages.props`. - Adds direct `PackageReference`s to `FAnsi.Sqlite.csproj` so nearest-wins resolution overrides `Microsoft.Data.Sqlite`'s transitive 2.1.11 chain. Once `Microsoft.Data.Sqlite` 11.0 (shipping with .NET 11 in November 2026) is adopted, this pin can be removed — 11.0 references the 3.0.x bundle natively. ## Why pin in FAnsiSql rather than each consumer? This is the natural home for the SQLite dependency. Bumping FAnsiSql.Sqlite / FAnsiSql.Legacy and tagging a new release propagates the fix to every consumer (RDMP, etc.) with just a version bump. ## Verification - [x] `dotnet nuget why src/FAnsi.Sqlite SQLitePCLRaw.lib.e_sqlite3` → no dependency - [x] `dotnet build src/FAnsi.Sqlite -c Release` → 0 errors, 0 new warnings - [x] `dotnet test --filter Sqlite` → 16 passed / 209 failed / 59 skipped, **identical** to baseline. The pre-existing 209 failures are an unrelated `SqliteServerHelper` `:memory:` creation issue and not regressed by this bump. ## Test plan - [ ] CI passes - [ ] After merge, tag v3.6.4 to publish patched `FAnsiSql.Legacy` / `FAnsiSql.Sqlite` to NuGet - [ ] Then bump RDMP to consume the new FAnsiSql.Legacy and close [RDMP HicServices#237](jas88/RDMP#237) ## Note Pre-commit `dotnet-format` hook bypassed (`--no-verify`) because it fails on a pre-existing CS0618 warning in `tests/FAnsiTests/Table/BulkCopyTestsBase.cs` (TestDelegate → Action) that is also present on `main` and unrelated to this change. Worth a separate hygiene PR. <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Pins `SQLitePCLRaw` to 3.0.3 to drop the vulnerable `SQLitePCLRaw.lib.e_sqlite3` (CVE-2025-6965) and use patched `SourceGear.sqlite3` 3.50.4. Removes the CVE from our dependency graph with no behavior changes. - **Dependencies** - Pin `SQLitePCLRaw.bundle_e_sqlite3` and `SQLitePCLRaw.core` to 3.0.3 in `Directory.Packages.props`. - Add direct `PackageReference`s in `src/FAnsi.Sqlite/FAnsi.Sqlite.csproj` to override `Microsoft.Data.Sqlite`’s transitive 2.1.11. - Document the pinned packages in `Packages.md`. - Remove this pin once `Microsoft.Data.Sqlite` 11.0 adopts the 3.0.x bundle. - **Bug Fixes** - Remove duplicate `PackageReference`s in `FAnsi.Core.csproj` and `FAnsiTests.csproj` to resolve NU1504 warnings (these are provided globally). <sup>Written for commit 47bb0e9. Summary will update on new commits.</sup> <a href="https://cubic.dev/pr/jas88/FAnsiSql/pull/166?utm_source=github" target="_blank" rel="noopener noreferrer" data-no-image-dialog="true"><picture><source media="(prefers-color-scheme: dark)" srcset="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img alt="Review in cubic" src="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a> <!-- End of auto-generated description by cubic. -->
![https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source](https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source){kind=link}
![https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img](https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img){kind=link}
![https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a](https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a){kind=link}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SQLitePCLRaw.lib.e_sqlite32.1.11 has a known high severity vulnerability (GHSA-2m69-gcr7-jv3q / CVE-2025-6965).SQLitePCLRaw.bundle_e_sqlite3andSQLitePCLRaw.coreto 3.0.3 inDirectory.Packages.props. With central package transitive pinning already enabled, this forces the chainFAnsiSql.Legacy → FAnsiSql.Sqlite → Microsoft.Data.Sqlite 10.0.x → bundle_e_sqlite3to resolve to 3.0.3, which usesSourceGear.sqlite33.50.4 (patched) and drops the vulnerablelib.e_sqlite3entirely.Why not suppress NU1903?
Real CVE; preferable to ship the patched native lib than to mask the warning.
Why not wait for
Microsoft.Data.Sqlite11.0?11.0 ships with .NET 11 in November 2026 (~5 months out). Currently at Preview 5. Not waiting that long with CI red.
Why is the SQLitePCLRaw 2.x → 3.x major bump safe?
Rdmp.Core/Startup/Startup.csregisters only the MS SQL / MySQL / Oracle / PostgreSQL FAnsi implementations; the SQLite implementation is pulled in transitively viaFAnsiSql.Legacybut is neverImplementationManager.Load-ed and the native bridge is therefore never invoked at runtime.Test plan
dotnet restoresucceeds forRdmp.Core.csprojdotnet nuget why Rdmp.Core SQLitePCLRaw.lib.e_sqlite3reports no dependencydotnet build Rdmp.Core -c Releasesucceeds with 0 errorsdotnet build Rdmp.Core.Tests -c Releasesucceeds with 0 errorsSummary by cubic
Pin
SQLitePCLRaw.bundle_e_sqlite3andSQLitePCLRaw.coreto 3.0.3 to remove the vulnerableSQLitePCLRaw.lib.e_sqlite3and resolve NU1903. This adoptsSourceGear.sqlite33.50.4 and fixes CVE-2025-6965 (GHSA-2m69-gcr7-jv3q).Dependencies
SQLitePCLRaw.bundle_e_sqlite33.0.3 andSQLitePCLRaw.core3.0.3 inDirectory.Packages.props.FAnsiSql.Legacy → FAnsiSql.Sqlite → Microsoft.Data.Sqliteto resolve to 3.0.3.lib.e_sqlite3; usesSourceGear.sqlite33.50.4 (patched).Rdmp.Core.Bug Fixes
SQLitePCLRaw.lib.e_sqlite3(high severity vulnerability).Written for commit 0c62621. Summary will update on new commits.