> On Dec 20, 2018, at 9:34 AM, Simon Slavin <slav...@bigfraud.org> wrote: > > Yes, but you can't program the program which accesses the SQLite API. Your > app, or my app, retrieving that BLOB, wouldn't necessarily try to execute it, > or store the BLOB in exactly the right place in memory for it to do something > malicious.
Are you saying the exploit depends on something very specific that Chromium does in its SQLite API calls, which no other app would do? From what I’ve read, it sounds like any code using FTS3 was vulnerable to maliciously crafted SQL statements messing with the shadow tables. —Jens _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users