
SQLite security bug

Posted: Sat Dec 15, 2018 19:32
by kodemanic
Came across this security advisory https://blade.tencent.com/magellan/index_en.html

Thought it may have an impact on Minetest's use of SQLite, especially for servers and mobile ports.

More at https://www.zdnet.com/google-amp/article/sqlite-bug-impacts-thousands-of-apps-including-all-chromium-based-browsers/

Fixed version of SQLite is v.3.26.0 https://www.sqlite.org/releaselog/3_26_0.html

I believe the mitigation is specifically this:

3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.

Re: SQLite security bug

Posted: Thu Dec 20, 2018 22:48
by sofar
kodemanic wrote: Came across this security advisory https://blade.tencent.com/magellan/index_en.html

Thought it may have an impact on Minetest's use of SQLite, especially for servers and mobile ports.

More at https://www.zdnet.com/google-amp/article/sqlite-bug-impacts-thousands-of-apps-including-all-chromium-based-browsers/

Fixed version of SQLite is v.3.26.0 https://www.sqlite.org/releaselog/3_26_0.html

I believe the mitigation is specifically this:

3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.


From what I've read, the issue is when you allow your application to accept direct SQL commands by a user to an sqlite file.

Minetest doesn't do this. The article confirms this and says, in the section on unaffected configurations, that "- No external SQL request is accepted." is not vulnerable.
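A way to check both points raised in this thread, as an added example that is not part of either post and not Minetest code: it compares the linked SQLite against the 3.26.0 release and, where the binding exposes it, turns on SQLITE_DBCONFIG_DEFENSIVE and confirms that ordinary SQL can no longer edit the schema table. It assumes Python's standard `sqlite3` module (the `setconfig`/`getconfig` calls exist from Python 3.12); the function names and the `probe` table are made up for the illustration.

```python
import sqlite3

FIXED_VERSION = (3, 26, 0)  # release named in the thread as containing the fix


def library_is_patched():
    """True if the SQLite library actually loaded at runtime is >= 3.26.0."""
    return sqlite3.sqlite_version_info >= FIXED_VERSION


def open_hardened(path):
    """Open a database and enable defensive mode when the binding supports it.

    Returns (connection, defensive_enabled).
    """
    conn = sqlite3.connect(path)
    defensive = False
    # Connection.setconfig and the constant are only present on Python 3.12+
    # built against a SQLite that knows the option.
    if hasattr(conn, "setconfig") and hasattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE"):
        conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True)
        defensive = conn.getconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE)
    return conn, defensive


def schema_write_blocked(conn):
    """Try a harmless no-op edit of sqlite_master through plain SQL.

    Returns True if SQLite refused it, which is what defensive mode enforces.
    """
    conn.execute("CREATE TABLE IF NOT EXISTS probe(x)")  # hypothetical table
    conn.execute("PRAGMA writable_schema=ON")  # ignored in defensive mode
    try:
        conn.execute("UPDATE sqlite_master SET sql = sql WHERE name = 'probe'")
        return False
    except sqlite3.DatabaseError:
        return True
    finally:
        conn.rollback()
        conn.execute("PRAGMA writable_schema=OFF")


if __name__ == "__main__":
    conn, defensive = open_hardened(":memory:")
    print("SQLite", sqlite3.sqlite_version, "patched:", library_is_patched())
    print("defensive mode enabled:", defensive)
    print("schema write blocked:", schema_write_blocked(conn))
```

In C or C++ code the same setting is made with `sqlite3_db_config()` on the open connection.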