Hi, This vulnerability has been addressed in SQLite 3.26.0. When could we expect new version (official) of System.Data.SQLite which uses 3.26.0?
--- Vladimir -----Original Message----- From: sqlite-users [mailto:sqlite-users-boun...@mailinglists.sqlite.org] On Behalf Of Keith Medcalf Sent: Friday, December 21, 2018 06:45 To: SQLite mailing list <sqlite-users@mailinglists.sqlite.org> Subject: Re: [sqlite] Claimed vulnerability in SQLite: Info or Intox? Only if the application were so badly written as to permit the execution of untrusted code ... --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume. >-----Original Message----- >From: sqlite-users [mailto:sqlite-users- >boun...@mailinglists.sqlite.org] On Behalf Of Jens Alfke >Sent: Thursday, 20 December, 2018 18:56 >To: SQLite mailing list >Subject: Re: [sqlite] Claimed vulnerability in SQLite: Info or Intox? > > > >> On Dec 20, 2018, at 5:05 PM, Simon Slavin <slav...@bigfraud.org> >wrote: >> >> Which would make it do what ? I can imagine "crash with a memory >fault". I find it much harder to believe "execute code stored in the >database". You would have to know a lot about a program to make it do >that, and an attack aimed at one program/library (e.g. Chromium) >wouldn't work on another with a different memory layout. > >It depends on the details of the vulnerability. Since it’s an FTS3 >query that triggered the problem, there are probably multiple FTS3 and >SQLite stack frames active at the time the buffer overrun occurs, so it >may not depend so much on the application itself. (Of course it would >likely depend on the compiler, the optimization settings, and of course >CPU architecture.) > >Again, from Dr. Hipp’s statement: > By making malicious changes to the shadow tables that FTS3 uses and >then running > FTS3 queries that used those tables, an integer overflow could cause a > buffer overrun, which if carefully managed might lead to an RCE. > This is only a problem for application that enable FTS3 (using the > SQLITE_ENABLE_FTS3 or SQLITE_ENABLE_FTS4 compile-time options) and > which allow potential attackers to run arbitrary SQL. > >Anyway, my original question was: If an application opens untrusted >SQLite databases as documents, and if a trigger added to a database can >run arbitrary SQL, wouldn’t that make such an application vulnerable? > >—Jens >_______________________________________________ >sqlite-users mailing list >sqlite-users@mailinglists.sqlite.org >http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users