SQLite security bug

For people working on the C++ code.
kodemanic
New member

SQLite security bug

by kodemanic » Post

Came across this security advisory https://blade.tencent.com/magellan/index_en.html

Thought it may have an impact on Minetest's use of SQLite, especially for servers and mobile ports.

More at https://www.zdnet.com/google-amp/articl ... -browsers/

Fixed version of SQLite is v.3.26.0 https://www.sqlite.org/releaselog/3_26_0.html

I believe the mitigation is specifically this:
3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.

sofar
Developer

Re: SQLite security bug

by sofar » Post

kodemanic wrote:Came across this security advisory https://blade.tencent.com/magellan/index_en.html

Thought it may have an impact on Minetest's use of SQLite, especially for servers and mobile ports.

More at https://www.zdnet.com/google-amp/articl ... -browsers/

Fixed version of SQLite is v.3.26.0 https://www.sqlite.org/releaselog/3_26_0.html

I believe the mitigation is specifically this:
3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.

From what I've read, the issue is when you allow your application to accept direct SQL commands by a user to an sqlite file.

Minetest doesn't do this. The article confirms this and says, in the section on unaffected configurations, that "No external SQL request is accepted." is not vulnerable.
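An added example, not part of the thread or of Minetest's code: it checks the linked SQLite against the 3.26.0 release named above and shows what SQLITE_DBCONFIG_DEFENSIVE changes on a connection. It uses Python's sqlite3 module (Connection.setconfig, Python 3.12+) in place of the C call sqlite3_db_config(); the helper names and the sample table are constructed for illustration.

```python
import sqlite3

FIXED_VERSION = (3, 26, 0)  # release the thread names as the fixed version


def is_fixed(version_info=sqlite3.sqlite_version_info):
    """True when the given SQLite library version is at least 3.26.0."""
    return tuple(version_info) >= FIXED_VERSION


def open_defensive(path=":memory:"):
    """Open a database and enable SQLITE_DBCONFIG_DEFENSIVE where supported.

    Returns (connection, enabled). enabled is False when the linked library
    predates 3.26.0 or this Python lacks Connection.setconfig() (added in 3.12).
    """
    conn = sqlite3.connect(path)
    op = getattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE", None)
    if op is None or not hasattr(conn, "setconfig") or not is_fixed():
        return conn, False
    conn.setconfig(op, True)
    return conn, bool(conn.getconfig(op))


def schema_write_allowed(conn):
    """Attempt a no-op UPDATE of sqlite_master and report whether it compiled."""
    conn.execute("PRAGMA writable_schema=ON")  # ignored in defensive mode
    try:
        conn.execute("UPDATE sqlite_master SET sql = sql WHERE 0")
        return True
    except sqlite3.DatabaseError:
        return False
    finally:
        conn.rollback()
        conn.execute("PRAGMA writable_schema=OFF")


if __name__ == "__main__":
    print("linked SQLite", sqlite3.sqlite_version, "fixed:", is_fixed())
    plain = sqlite3.connect(":memory:")
    print("default connection, schema write allowed:", schema_write_allowed(plain))
    hardened, enabled = open_defensive()
    print("defensive enabled:", enabled)
    print("hardened connection, schema write allowed:", schema_write_allowed(hardened))
    # Ordinary SQL is unaffected by the option (constructed sample table).
    hardened.execute("CREATE TABLE blocks (pos INTEGER PRIMARY KEY, data BLOB)")
    hardened.execute("INSERT INTO blocks VALUES (1, x'00')")
    print("rows:", hardened.execute("SELECT count(*) FROM blocks").fetchone()[0])
```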
