From owner-freebsd-security@freebsd.org Mon Dec 17 14:19:33 2018
Date: Mon, 17 Dec 2018 09:14:32 -0500
From: "Cameron, Frank J" <cameron@ctc.com>
To: freebsd-security@freebsd.org
Subject: Re: SQLite vulnerability
Message-ID: <20181217141432.GJ10650@linux116.ctc.com>
References: <20181217120937.GC78044@smtp.iq.pl>
In-Reply-To: <20181217120937.GC78044@smtp.iq.pl>
List-Id: "Security issues [members-only posting]"

On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security wrote:
> Doesn't base also need to be patched?
> AFAIK pkg uses sqlite database.

Does pkg allow running arbitrary untrusted SQL?

'The vulnerability only exists in applications that allow a potential attacker to run arbitrary SQL. If an application allows that, it is usually called an "SQL Injection" vulnerability and is the fault of the application, not the database engine. The one notable exception to this rule is WebSQL in Chrome.'
https://news.ycombinator.com/item?id=18686462

'The new SQLITE_DBCONFIG_DEFENSIVE feature is more of a defense-in-depth, designed to head off future vulnerabilities by making shadow-tables read-only to ordinary SQL, along with some other restrictions. If you have an application that allows potential attackers to run arbitrary SQL, then the use of SQLITE_DBCONFIG_DEFENSIVE is recommended. It is not required. ... But that setting reduces the attack surface, making future bugs less likely.'
https://news.ycombinator.com/item?id=18686572
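To make the quoted description of SQLITE_DBCONFIG_DEFENSIVE concrete, here is an added example (not part of the original mail or of SQLite's or pkg's code) that opens an in-memory database twice, once plain and once with the defensive flag, and checks whether ordinary SQL can still write directly to an FTS shadow table or turn on `PRAGMA writable_schema`. It assumes Python 3.12+, whose `sqlite3.Connection.setconfig()` wraps `sqlite3_db_config()`, and an SQLite build with FTS3/4 compiled in; the `notes` table is a constructed sample schema.

```python
import sqlite3


def probe(defensive: bool) -> dict:
    """Report whether two 'corrupt the file via plain SQL' paths still work.

    Returns a dict with keys: defensive_supported, shadow_table_writable,
    writable_schema. With the defensive flag on, the last two should be False.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    result = {
        "defensive_supported": hasattr(conn, "setconfig")
        and hasattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE")
    }
    if defensive:
        if not result["defensive_supported"]:
            conn.close()
            return result
        # Equivalent of sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, 0) in C.
        conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True)

    # Constructed sample: an FTS4 table owns shadow tables (notes_content,
    # notes_segments, notes_segdir) that only the FTS module should write.
    conn.execute("CREATE VIRTUAL TABLE notes USING fts4(body)")
    conn.execute("INSERT INTO notes(body) VALUES ('hello from the index')")
    try:
        # A direct write to the shadow table bypasses the module's invariants.
        conn.execute("INSERT INTO notes_content VALUES (99, 'stray row')")
        result["shadow_table_writable"] = True
    except sqlite3.OperationalError:  # "table notes_content may not be modified"
        result["shadow_table_writable"] = False

    # writable_schema=ON would let SQL edit sqlite_master directly; in
    # defensive mode the request is ignored and the pragma stays at 0.
    conn.execute("PRAGMA writable_schema=ON")
    result["writable_schema"] = bool(
        conn.execute("PRAGMA writable_schema").fetchone()[0]
    )
    conn.close()
    return result


if __name__ == "__main__":
    for flag in (False, True):
        print("defensive=%s -> %s" % (flag, probe(flag)))
```

The unprotected connection accepts both the shadow-table insert and the pragma, which is exactly the surface the flag removes; an application that never passes attacker-controlled SQL to the engine gains nothing from it, as the quoted comment says.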