CVE-2025-29087

Name	CVE-2025-29087
Description	In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1102411

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
sqlite3 (PTS)	bullseye	3.34.1-3	fixed
	bullseye (security)	3.34.1-3+deb11u1	fixed
	bookworm	3.40.1-2+deb12u1	fixed
	sid, trixie	3.46.1-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
sqlite3	source	bullseye	(not affected)
sqlite3	source	bookworm	(not affected)
sqlite3	source	(unstable)	3.46.1-3	1102411

Notes

[bookworm] - sqlite3 <not-affected> (Vulnerable code not present)
[bullseye] - sqlite3 <not-affected> (Vulnerable code not present)
Fixed by: https://sqlite.org/src/info/498e3f1cf57f164f (v3.49.1)