SQLite vulnerability

Cameron, Frank J cameron at ctc.com
Mon Dec 17 14:19:33 UTC 2018


On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security wrote:
> Doesn't base also need to be patched?
> AFAIK pkg uses sqlite database.

Does pkg allow running arbitrary untrusted SQL?

'The vulnerability only exists in applications that allow a potential
attacker to run arbitrary SQL. If an application allows that, it is
usually called an "SQL Injection" vulnerability and is the fault of the
application, not the database engine. The one notable exception to this
rule is WebSQL in Chrome.'
https://news.ycombinator.com/item?id=18686462

'The new SQLITE_DBCONFIG_DEFENSIVE feature is more of a defense-in-depth,
designed to head off future vulnerabilities by making shadow-tables
read-only to ordinary SQL, along with some other restrictions. If you
have an application that allows potential attackers to run arbitrary
SQL, then the use of SQLITE_DBCONFIG_DEFENSIVE is recommended. It is
not required. ... But that setting reduces the attack surface, making
future bugs less likely.'
https://news.ycombinator.com/item?id=18686572


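The distinction drawn above, that the bug is reachable only where an application lets an attacker run arbitrary SQL, shown in working code. This is an added example, not code from the original message, from pkg or from SQLite: a Python sqlite3 script with a constructed in-memory table (not pkg's schema), a string-formatted lookup beside the parameterized form, and a best-effort toggle of SQLITE_DBCONFIG_DEFENSIVE through Connection.setconfig, which assumes Python 3.12 or newer on an SQLite 3.26 or newer build; older runtimes return False and the defensive probe is skipped.

```python
import sqlite3

# Constructed in-memory schema standing in for an application's store; it is
# not pkg's real schema and carries no real package data.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE packages (name TEXT, version TEXT, hidden INTEGER)")
    con.executemany(
        "INSERT INTO packages VALUES (?, ?, ?)",
        [("sqlite3", "3.26.0", 0), ("pkg", "1.10.5", 0), ("internal-only", "0.0.1", 1)],
    )
    return con


def lookup_vulnerable(con, name):
    # String-formatted query: attacker-controlled `name` becomes SQL text, so
    # the application, not the engine, has handed the attacker arbitrary SQL.
    sql = "SELECT name FROM packages WHERE name = '%s' AND hidden = 0" % name
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    # Bound parameter: `name` is data and is never parsed as SQL.
    rows = con.execute(
        "SELECT name FROM packages WHERE name = ? AND hidden = 0", (name,)
    )
    return [row[0] for row in rows]


def enable_defensive(con):
    """Best-effort SQLITE_DBCONFIG_DEFENSIVE via Connection.setconfig.

    Returns True when the flag was set, False when this Python or SQLite build
    does not expose it (assumption: setconfig and the constant exist only in
    Python 3.12+ linked against SQLite 3.26+).
    """
    op = getattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE", None)
    setconfig = getattr(con, "setconfig", None)
    if op is None or setconfig is None:
        return False
    setconfig(op, True)
    return True


def schema_write_allowed(con):
    """Probe one restriction defensive mode imposes: a direct write to
    sqlite_master. Without the flag, PRAGMA writable_schema=ON permits it;
    with the flag, SQLite refuses and raises. The UPDATE leaves the schema
    unchanged, so the in-memory database is not corrupted either way."""
    try:
        con.execute("PRAGMA writable_schema=ON")
        con.execute("UPDATE sqlite_master SET name = name WHERE name = 'packages'")
        return True
    except sqlite3.DatabaseError:
        return False
    finally:
        con.execute("PRAGMA writable_schema=OFF")


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR hidden = 1 --"          # constructed injection payload
    print("vulnerable:", lookup_vulnerable(con, payload))   # ['internal-only']
    print("safe:      ", lookup_safe(con, payload))         # []
    print("defensive enabled:", enable_defensive(con))
    print("schema write allowed:", schema_write_allowed(con))
```

The vulnerable lookup returns the hidden row because the payload rewrites the WHERE clause; the parameterized lookup returns nothing because the same bytes are compared as a name. Defensive mode does not change either result; it only narrows what arbitrary SQL can do once an application has already exposed it, which is the defense-in-depth point in the quoted comment.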

