SQLite vulnerability

Cameron, Frank J cameron at ctc.com
Mon Dec 17 18:44:20 UTC 2018


On Mon, Dec 17, 2018 at 10:02:36AM -0800, Hugh LaMaster wrote:
> On 12/17/18 6:14 AM, Cameron, Frank J wrote:
> > 'The new SQLITE_DBCONFIG_DEFENSIVE features is more of a
> > defense-in-depth, designed to head off future vulnerabilities by
> > making shadow-tables read-only to ordinary SQL, along with some
> > other restrictions. ...
>
> Just a random thought, but, why not turn on "SQLITE_DBCONFIG_DEFENSIVE"
> for both base and ports by default, and, let people who need performance
> turn it off manually by choice?
> 
> I'm always in favor of turning on useful security, and, letting people
> who need the extra performance turn off certain features manually
> and consciously.

I haven't seen anything to indicate that there's a performance difference
with enabling the defensive flag, but an application that expected to
be able to write to the shadow tables[*] would, I assume, crash if the
option was enabled.  Upstream will not enable this mode by default:

	Shadow tables are read/write by default. Shadow tables only
	become read-only when the SQLITE_DBCONFIG_DEFENSIVE flag is set
	using sqlite3_db_config(). Shadow tables need to be read/write
	by default in order to maintain backwards compatibility. For
	example, the SQL text generated by the .dump command of the CLI
	writes directly into shadow tables.
	https://www.sqlite.org/vtab.html#xshadowname

(FreshPorts lists close to 400 ports that depend on the sqlite3 port.)

[*] When the defensive flag is enabled... The disabled features include
    but are not limited to the following:
    * The PRAGMA writable_schema=ON statement.
    * Writes to the sqlite_dbpage virtual table.
    * Direct writes to shadow tables.
    https://sqlite.org/c3ref/c_dbconfig_defensive.html




More information about the freebsd-security mailing list