SQLite security bug

For people working on the C++ code.
kodemanic
New member
 
Posts: 2
Joined: Thu Sep 20, 2018 22:08
GitHub: ray-mccord

SQLite security bug

by kodemanic » Sat Dec 15, 2018 19:32

Came across this security advisory https://blade.tencent.com/magellan/index_en.html

Thought it may have an impact on Minetest's use of SQLite, especially for servers and mobile ports.

More at https://www.zdnet.com/google-amp/article/sqlite-bug-impacts-thousands-of-apps-including-all-chromium-based-browsers/

Fixed version of SQLite is v.3.26.0 https://www.sqlite.org/releaselog/3_26_0.html

I believe the mitigation is specifically this:

3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.
 

sofar
Developer
 
Posts: 2086
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: SQLite security bug

by sofar » Thu Dec 20, 2018 22:48

kodemanic wrote: Came across this security advisory https://blade.tencent.com/magellan/index_en.html

Thought it may have an impact on Minetest's use of SQLite, especially for servers and mobile ports.

More at https://www.zdnet.com/google-amp/article/sqlite-bug-impacts-thousands-of-apps-including-all-chromium-based-browsers/

Fixed version of SQLite is v.3.26.0 https://www.sqlite.org/releaselog/3_26_0.html

I believe the mitigation is specifically this:

3. Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.


From what I've read, the issue is when you allow your application to accept direct SQL commands by a user to an sqlite file.

Minetest doesn't do this. The article confirms this and says, in the section of unaffected configurations, that "- No external SQL request is accepted." is not vulnerable.
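
As an added illustration for this thread (not code from Minetest or from either poster): a check that the loaded SQLite library is at least the 3.26.0 release mentioned above, followed by enabling SQLITE_DBCONFIG_DEFENSIVE on a connection and probing that a direct write to the schema table is refused. It uses Python's standard sqlite3 binding, whose setconfig()/getconfig() need Python 3.12 or later; the function names and the probe table are assumptions made for this example.

```python
import sqlite3

FIXED_VERSION = (3, 26, 0)  # release the thread names as carrying the fix


def library_is_patched():
    """True when the SQLite library loaded by this process is >= 3.26.0."""
    return sqlite3.sqlite_version_info >= FIXED_VERSION


def open_defensive(path):
    """Open a database and enable SQLITE_DBCONFIG_DEFENSIVE where supported.

    Returns (connection, defensive_enabled). Function name is hypothetical.
    """
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    flag = getattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE", None)
    enabled = False
    # setconfig()/getconfig() exist from Python 3.12. In C the same switch is
    # sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, 0).
    if library_is_patched() and flag is not None and hasattr(conn, "setconfig"):
        conn.setconfig(flag, True)
        enabled = bool(conn.getconfig(flag))
    return conn, enabled


def schema_write_blocked(conn):
    """Probe whether SQL text can still write to the schema table directly."""
    conn.execute("CREATE TABLE IF NOT EXISTS probe(x)")  # constructed table
    conn.execute("PRAGMA writable_schema = ON")  # no effect in defensive mode
    try:
        # No-op rewrite of one schema row; only allowed when schema is writable.
        conn.execute("UPDATE sqlite_master SET sql = sql WHERE name = 'probe'")
        return False
    except sqlite3.DatabaseError:
        return True
    finally:
        conn.execute("PRAGMA writable_schema = OFF")


if __name__ == "__main__":
    conn, enabled = open_defensive(":memory:")
    print("SQLite library:", sqlite3.sqlite_version)
    print("at or above 3.26.0:", library_is_patched())
    print("defensive mode enabled:", enabled)
    print("direct schema write blocked:", schema_write_blocked(conn))
```

On an interpreter older than 3.12 the version check still runs, but the defensive flag is reported as not enabled because the binding cannot set it.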
 

