{"uuid": "bc2f49a2-03cf-4f89-986d-24efa6633197", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/68e776b6172a771a5a6b50b4d9f85a13", "content": "# Servicing PR -- Switch Microsoft.Data.Sqlite / EFCore.Sqlite to SQLite3MC bundle (EF Core 9.0)\n\nBackport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) (+ prerequisite [#36551](https://github.com/dotnet/efcore/pull/36551)) to the `release/9.0` servicing branch. Verified locally: clean build (0 warnings / 0 errors) and all Microsoft.Data.Sqlite test legs pass on `net9.0` + `net462` (0 failures). All changes currently unstaged.\n\n---\n\n## Recommended commit message (one-liner)\n\n```\nSwitch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (backport #38402, #36551)\n```\n\n## Recommended PR title\n\n```\n[release/9.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle\n```\n\n## Recommended PR description\n\n> Fixes #38257\n> Backports #38402 (plus prerequisite #36551 -- SQLitePCLRaw 3.x migration)\n\n### Description\n\n`Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` reference `SQLitePCLRaw.bundle_e_sqlite3`, whose native `e_sqlite3` builds are no longer published to NuGet.org promptly, so fixes for upstream SQLite CVEs (CVE-2025-6965, CVE-2025-70873) reach consumers late. This PR backports the swap to `SQLite3MC.PCLRaw.bundle` (the `e_sqlite3mc` native build), together with the prerequisite SQLitePCLRaw 3.x migration -- without which the new bundle's transitive `SQLitePCLRaw.core` >= 3.0.2 dependency conflicts with the branch's 2.1.x pin (NU1109 / NU1605).\n\n### Customer impact\n\nUsers on `Microsoft.Data.Sqlite` / `Microsoft.EntityFrameworkCore.Sqlite` were exposed to known SQLite CVEs because the bundled native build lagged upstream. 
After the swap, the default native build (SQLite3 Multiple Ciphers) tracks upstream SQLite releases and receives timely security updates. Behavior for unencrypted databases is unchanged; passphrase-based encryption now works out of the box. Two minor, documented compatibility notes:\n\n- Double-quoted string literals (SQLite's DQS misfeature) are not supported by `e_sqlite3mc` -- SQL must use single quotes for string values (double quotes for identifiers only).\n- A few less-common RIDs (`linux-riscv64`, `linux-musl-riscv64`, `linux-musl-s390x`) aren't covered by the new bundle.\n\nOpt-out: reference `Microsoft.Data.Sqlite.Core` (or `Microsoft.EntityFrameworkCore.Sqlite.Core`) plus `SQLitePCLRaw.bundle_e_sqlite3` explicitly, as documented in [EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385).\n\n### How found\n\nUser-reported in [dotnet/efcore#38257](https://github.com/dotnet/efcore/issues/38257) (\"SQLite vulnerbilities\"), with many comments and multiple MSRC reports.\n\n### Regression\n\nNo -- long-standing maintenance gap in the upstream `bundle_e_sqlite3` native build, not a regression in EF Core.\n\n### Testing\n\nNo new tests; covered by the existing `Microsoft.Data.Sqlite` and `EFCore.Sqlite` suites. Test infrastructure was rewired for SQLitePCLRaw 3.x (the `bundle_sqlite3` / `bundle_winsqlite3` / `bundle_e_sqlcipher` / `bundle_e_sqlite3mc` packages were removed at 3.x; replaced with `core` + `provider.*` packages and explicit `Batteries_V2` / `SetProvider` init). Verified locally: builds clean; Microsoft.Data.Sqlite test legs pass on `net9.0` and `net462` (0 failures).\n\n### Risk\n\nMedium -- two documented behavior changes on a servicing branch:\n\n1. SQLitePCLRaw 2.1 -> 3.0 migration (#36551).\n2. Default native bundle `e_sqlite3` -> `e_sqlite3mc` (#38402).\n\nNo quirk / `AppContext` switch applies: native bundle selection is a build-time NuGet decision, not a runtime managed branch (the servicing-PR skill explicitly exempts this case). 
Opt-out is available via the existing `.Core` packages.\n\n### Backport deviations from upstream\n\n- **`SQLitePCLRaw` pinned at 3.0.3** (upstream #36551 used 3.0.2) -- newer servicing patch already present on the branch; satisfies `SQLite3MC.PCLRaw.bundle` 2.3.5 (which needs `core` >= 3.0.2).\n- **Test netfx leg kept at `net462`** (upstream #36551 used `$(NetFrameworkCurrent)`). On `release/9.0`, `$(NetFrameworkCurrent)` = `net481`, which wouldn't match the test projects' `net462` target, so the `RuntimeIdentifier=win-x64` condition is pinned to `net462`.\n\n---\n\n### Files changed (13)\n\n```\n Directory.Packages.props                                       |  2 +-\n EFCore.sln                                                     | 14 --------\n eng/Versions.props                                             |  3 ++-\n src/EFCore.Sqlite/EFCore.Sqlite.csproj                         |  2 +-\n src/Microsoft.Data.Sqlite.Core/Properties/InternalsVisibleTo.cs|  4 ----\n src/Microsoft.Data.Sqlite/Microsoft.Data.Sqlite.csproj         |  2 +-\n test/Directory.Packages.props                                  |  5 ++---\n test/.../Microsoft.Data.Sqlite.Tests.csproj                    |  4 ++++\n test/.../Microsoft.Data.Sqlite.e_sqlcipher.Tests.csproj        | 17 --------- (deleted)\n test/.../Microsoft.Data.Sqlite.e_sqlite3mc.Tests.csproj        | 17 --------- (deleted)\n test/.../Microsoft.Data.Sqlite.sqlite3.Tests.csproj            |  3 ++-\n test/.../Microsoft.Data.Sqlite.winsqlite3.Tests.csproj         |  3 ++-\n test/.../TestUtilities/SqliteTestFramework.cs                  | 24 ++++++++---\n```\n\nDocs counterpart (separate PR against EntityFramework.Docs, ef-core-9.0 breaking-changes): mirrors #5385.", "creation_timestamp": "2026-06-27T00:00:58.341188Z"}
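An added example, not code from the gist above or from the dotnet/efcore repository, exercising the two behaviour changes the record describes, in C# because that is the language of the packages involved: a probe for the double-quoted string literal misfeature that `e_sqlite3mc` rejects, the portable quoting (single quotes for values, double quotes for identifiers, parameters for user input) that behaves the same on both native builds, and a check that the `Password` connection-string keyword really encrypts the file rather than being silently ignored. It assumes a console project referencing Microsoft.Data.Sqlite 9.x with either `SQLite3MC.PCLRaw.bundle` or the `bundle_e_sqlite3` opt-out; the file name, table names and passphrase are arbitrary, and the numeric error codes are SQLite's standard SQLITE_ERROR (1) and SQLITE_NOTADB (26).

```csharp
// Added example, not code from the gist or from dotnet/efcore.
// Assumes a console project referencing Microsoft.Data.Sqlite 9.x and either
// SQLite3MC.PCLRaw.bundle (the new default) or SQLitePCLRaw.bundle_e_sqlite3
// (the opt-out). File, table and passphrase names are arbitrary.
using System;
using System.IO;
using Microsoft.Data.Sqlite;

static class BundleSwapChecks
{
    const int SqliteError = 1;   // SQLITE_ERROR
    const int SqliteNotADb = 26; // SQLITE_NOTADB

    // Probe the loaded native library for the double-quoted string literal
    // misfeature. With DQS enabled, "hello" falls back to a string literal; with
    // DQS compiled out (e_sqlite3mc, per the PR note) it is an identifier and the
    // statement fails with "no such column: hello".
    public static bool AcceptsDoubleQuotedStrings(SqliteConnection connection)
    {
        using var cmd = connection.CreateCommand();
        cmd.CommandText = "SELECT \"hello\";";
        try
        {
            return (string?)cmd.ExecuteScalar() == "hello";
        }
        catch (SqliteException ex) when (ex.SqliteErrorCode == SqliteError)
        {
            return false;
        }
    }

    // Portable form that behaves identically on both builds: single quotes for
    // string values, double quotes only for identifiers, parameters for user input.
    public static long CountUsersNamed(SqliteConnection connection, string name)
    {
        using (var setup = connection.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE IF NOT EXISTS \"Users\" (\"Name\" TEXT NOT NULL);" +
                "INSERT INTO \"Users\" (\"Name\") VALUES ('alice'), ('bob');";
            setup.ExecuteNonQuery();
        }
        using var cmd = connection.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM \"Users\" WHERE \"Name\" = $name;";
        cmd.Parameters.AddWithValue("$name", name);
        return (long)cmd.ExecuteScalar()!;
    }

    // Passphrase encryption. Microsoft.Data.Sqlite turns the Password keyword into
    // PRAGMA key on Open(); e_sqlite3mc honours it, while on e_sqlite3 Open() throws
    // InvalidOperationException because that library has no encryption support.
    // Returns true only if a wrong passphrase is rejected with SQLITE_NOTADB.
    public static bool PassphraseIsEnforced(string path, string passphrase)
    {
        try
        {
            using var conn = new SqliteConnection($"Data Source={path};Password={passphrase}");
            conn.Open();
            using var cmd = conn.CreateCommand();
            cmd.CommandText = "CREATE TABLE IF NOT EXISTS t (x INTEGER); INSERT INTO t VALUES (1);";
            cmd.ExecuteNonQuery();
        }
        catch (InvalidOperationException)
        {
            return false; // native build without encryption support (e_sqlite3)
        }

        try
        {
            using var wrong = new SqliteConnection($"Data Source={path};Password=not-{passphrase}");
            wrong.Open();
            using var cmd = wrong.CreateCommand();
            cmd.CommandText = "SELECT COUNT(*) FROM t;";
            cmd.ExecuteScalar();
            return false; // readable with the wrong key: the file is not encrypted
        }
        catch (SqliteException ex) when (ex.SqliteErrorCode == SqliteNotADb)
        {
            return true;
        }
    }

    static void Main()
    {
        using var mem = new SqliteConnection("Data Source=:memory:");
        mem.Open();
        Console.WriteLine($"double-quoted string literals accepted: {AcceptsDoubleQuotedStrings(mem)}");
        Console.WriteLine($"users named alice: {CountUsersNamed(mem, "alice")}");

        var path = Path.Combine(Path.GetTempPath(), "bundle-swap-check.db");
        File.Delete(path); // fresh file so the passphrase applies at creation time
        Console.WriteLine($"passphrase enforced: {PassphraseIsEnforced(path, "s3cret-passphrase")}");
    }
}
```

Run it once against each bundle: with `SQLite3MC.PCLRaw.bundle` the expected outcome is that the DQS probe reports false, the parameterised count returns 1, and the passphrase check reports true; with the `bundle_e_sqlite3` opt-out the DQS probe is the only line whose result should differ from what the PR's compatibility note predicts if your SQL still relies on double-quoted values, and the passphrase check reports false because that build rejects `Password` at `Open()`. Any SQL that fails the first probe is the code to migrate to single quotes (or parameters) before taking the servicing update.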