Date: Mon, 17 Dec 2018 09:14:32 -0500
From: "Cameron, Frank J" <cameron@ctc.com>
To: freebsd-security@freebsd.org
Subject: Re: SQLite vulnerability
Message-ID: <20181217141432.GJ10650@linux116.ctc.com>
In-Reply-To: <20181217120937.GC78044@smtp.iq.pl>
References: <20181217120937.GC78044@smtp.iq.pl>
On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security wrote:
> Doesn't base also need to be patched?
> AFAIK pkg uses sqlite database.

Does pkg allow running arbitrary untrusted SQL?

'The vulnerability only exists in applications that allow a potential attacker to run arbitrary SQL. If an application allows that, it is usually called an "SQL Injection" vulnerability and is the fault of the application, not the database engine. The one notable exception to this rule is WebSQL in Chrome.'
https://news.ycombinator.com/item?id=18686462

'The new SQLITE_DBCONFIG_DEFENSIVE feature is more of a defense-in-depth, designed to head off future vulnerabilities by making shadow-tables read-only to ordinary SQL, along with some other restrictions. If you have an application that allows potential attackers to run arbitrary SQL, then the use of SQLITE_DBCONFIG_DEFENSIVE is recommended. It is not required. ... But that setting reduces the attack surface, making future bugs less likely.'
https://news.ycombinator.com/item?id=18686572

-----------------------------------------------------------------
This message and any files transmitted within are intended solely for the addressee or its representative and may contain company proprietary information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful.
Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392
-----------------------------------------------------------------