{"uuid": "2161ddd1-46c4-49f7-bfbd-001230ffdb78", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/480c5a9928db2360e8f9e477fdd740a3", "content": "# Backport PR -- recommended title & description (EF Core 9.0 SQLite3MC swap)\n\nFor opening the backport PR of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) onto the 9.0 servicing branch. Formatted to match current `dotnet/efcore` backport conventions (e.g. [#36778](https://github.com/dotnet/efcore/pull/36778), [#36138](https://github.com/dotnet/efcore/pull/36138), [#35241](https://github.com/dotnet/efcore/pull/35241)): a `[release/9.0]` title prefix with the parent PR in parentheses, and the standard servicing body template (Description / Customer impact / How found / Regression / Testing / Risk).\n\n---\n\n## Recommended PR title\n\n```\n[release/9.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (#38402)\n```\n\n> Note on base branch: most current EF Core servicing PRs target `release/9.0-staging`. If that is the case here, use `[release/9.0-staging] ...` instead -- the body is identical.\n\n---\n\n## Recommended PR description (ready to paste)\n\nBackports the SQLite3MC native-bundle swap so the shipped 9.0 SQLite packages receive timely upstream security updates.\n\nFixes #38257\nBackports #38402 (plus prerequisite #36551 -- SQLitePCLRaw 3.x migration, without which the new bundle's transitive `SQLitePCLRaw.core` >= 3.0.2 dependency conflicts with this branch's 2.1.x pin: NU1109 / NU1605)\n\n**Description**\n\n`Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` reference `SQLitePCLRaw.bundle_e_sqlite3`, whose native `e_sqlite3` build is no longer published to NuGet.org promptly, delaying upstream SQLite security fixes. 
This backports the swap to `SQLite3MC.PCLRaw.bundle` (the `e_sqlite3mc` / SQLite3 Multiple Ciphers native build, which tracks upstream SQLite and ships updates quickly), together with the prerequisite SQLitePCLRaw 3.x migration that the new bundle requires on this branch.\n\n**Customer impact**\n\nUsers on `Microsoft.Data.Sqlite` / `Microsoft.EntityFrameworkCore.Sqlite` were exposed to known SQLite CVEs (CVE-2025-6965, CVE-2025-70873) because the bundled native build lagged upstream. After the swap the default native build receives timely security updates, and passphrase-based encryption works out of the box. Behavior for unencrypted databases is unchanged. Two minor, documented compatibility notes:\n\n- Double-quoted string literals are not supported by `e_sqlite3mc` -- SQL must use single quotes for string values (double quotes for identifiers only).\n- A few less-common RIDs (`linux-riscv64`, `linux-musl-riscv64`, `linux-musl-s390x`) are not covered by the new bundle.\n\nOpt-out for either concern: reference the `.Core` packages (`Microsoft.Data.Sqlite.Core` / `Microsoft.EntityFrameworkCore.Sqlite.Core`) with `SQLitePCLRaw.bundle_e_sqlite3`, as documented in EntityFramework.Docs#5385.\n\n**How found**\n\nUser-reported in dotnet/efcore#38257 (\"SQLite vulnerbilities\"), with multiple users and MSRC reports.\n\n**Regression**\n\nNo -- long-standing maintenance gap in the upstream `bundle_e_sqlite3` native build, not a regression in EF Core.\n\n**Testing**\n\nNo new tests; covered by the existing `Microsoft.Data.Sqlite` and `EFCore.Sqlite` suites. Test infrastructure was rewired for SQLitePCLRaw 3.x (the `bundle_sqlite3` / `bundle_winsqlite3` / `bundle_e_sqlcipher` / `bundle_e_sqlite3mc` packages no longer exist at 3.x; replaced with `core` + `provider.*` packages and explicit `Batteries_V2` / `SetProvider` init). 
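\n\nAdded example, not code from the PR, this gist, or EF Core itself: it shows the explicit provider wiring that the `.Core` + `SQLitePCLRaw.core` + `SQLitePCLRaw.provider.*` layout needs once SQLitePCLRaw 3.x drops the self-initialising bundle packages, followed by a runtime probe of which native build actually loaded, so the double-quoted-literal caveat above is checked rather than assumed. Assumptions: the provider class keeps its 2.x name `SQLite3Provider_e_sqlite3`, and the `users` table and `$name` parameter are made up for the demonstration.\n\n```csharp\n// Added example; not from the PR or from EF Core. Assumes the package set\n// Microsoft.Data.Sqlite.Core + SQLitePCLRaw.core + SQLitePCLRaw.provider.e_sqlite3\n// (SQLitePCLRaw 3.x), where no Batteries_V2.Init() exists to be discovered and the\n// provider must be set explicitly before the first connection opens.\n// SQLite3Provider_e_sqlite3 is the 2.x provider class name, assumed unchanged in 3.x.\nusing System;\nusing Microsoft.Data.Sqlite;\nusing SQLitePCL;\n\nstatic class NativeSqliteProbe\n{\n    // True when the loaded native library accepts a double-quoted string literal\n    // (SQLITE_DQS enabled, the historical e_sqlite3 behaviour); false when it\n    // rejects it with \"no such column\" (SQLITE_DQS=0, as in e_sqlite3mc).\n    static bool AcceptsDoubleQuotedStrings(SqliteConnection conn)\n    {\n        using var cmd = conn.CreateCommand();\n        // \"nonexistent\" resolves to no column. A DQS-enabled build silently\n        // reinterprets it as the string 'nonexistent'; a DQS=0 build errors out.\n        cmd.CommandText = \"SELECT \\\"nonexistent\\\"\";\n        try\n        {\n            return (string)cmd.ExecuteScalar() == \"nonexistent\";\n        }\n        catch (SqliteException ex) when (ex.SqliteErrorCode == 1) // SQLITE_ERROR\n        {\n            return false;\n        }\n    }\n\n    static void Main()\n    {\n        // Explicit init for the core + provider layout. With a bundle package this\n        // line would be SQLitePCL.Batteries_V2.Init() instead.\n        raw.SetProvider(new SQLite3Provider_e_sqlite3());\n\n        using var conn = new SqliteConnection(\"Data Source=:memory:\");\n        conn.Open();\n\n        using (var v = conn.CreateCommand())\n        {\n            // Confirms which upstream SQLite release the native build carries.\n            v.CommandText = \"SELECT sqlite_version()\";\n            Console.WriteLine($\"native SQLite version: {v.ExecuteScalar()}\");\n        }\n\n        Console.WriteLine(AcceptsDoubleQuotedStrings(conn)\n            ? \"DQS on: double-quoted string literals accepted (legacy e_sqlite3 behaviour)\"\n            : \"DQS off: double-quoted string literals rejected (e_sqlite3mc behaviour)\");\n\n        // Portable form that behaves the same on both builds: bracketed or\n        // double-quoted names for identifiers, single quotes for literal values,\n        // and parameters for anything user-supplied.\n        using var setup = conn.CreateCommand();\n        setup.CommandText = \"CREATE TABLE [users] ([name] TEXT); INSERT INTO [users] VALUES ('alice');\";\n        setup.ExecuteNonQuery();\n\n        using var q = conn.CreateCommand();\n        q.CommandText = \"SELECT count(*) FROM [users] WHERE [name] = $name\";\n        q.Parameters.AddWithValue(\"$name\", \"alice\");\n        Console.WriteLine($\"rows matching: {q.ExecuteScalar()}\");\n    }\n}\n```\n\nIf the probe reports DQS off, any SQL in the application that double-quotes a value (for example `WHERE name = \"alice\"`) starts failing with `no such column` after the swap; that is the compatibility note above, and the parameterised query at the end is the form that survives on both builds. With a bundle package in place of `provider.*`, the `SetProvider` line becomes `SQLitePCL.Batteries_V2.Init()`.\n\n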
Verified locally: clean build (0 warnings / 0 errors); Microsoft.Data.Sqlite test legs pass on `net9.0` and `net462` (0 failures).\n\n**Risk**\n\nMedium -- two documented behavior changes on a servicing branch:\n\n1. SQLitePCLRaw 2.1 -> 3.0 migration (#36551).\n2. Default native bundle `e_sqlite3` -> `e_sqlite3mc` (#38402).\n\nNo quirk / `AppContext` switch applies: native bundle selection is a build-time NuGet decision, not a runtime managed branch (the servicing-PR guidance explicitly exempts this case). An opt-out is available via the existing `.Core` packages.\n\n---\n\n## Bonus -- recommended commit message (one-liner)\n\n```\nSwitch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (backport #38402, #36551)\n```\n\n## Backport deviation to call out in review\n\nThe only deviation from the parent PRs: the netfx test leg stays at `net462` (upstream #36551 used `$(NetFrameworkCurrent)`, which resolves to `net481` on this branch and would not match the test projects' `net462` target). Package versions (`SQLitePCLRaw` 3.0.3, `SQLite3MC.PCLRaw.bundle` 2.3.5) match #38402's merged end-state exactly.", "creation_timestamp": "2026-06-27T01:54:37.992897Z"}