Richard Hipp wrote:
> I suppose that Thunderbird was making use of the fts3_tokenizer()
> interface, which has been removed from standard builds due to security
> concerns, as of version 3.11.0. You can reenable that feature at
> compile-time by building with -DSQLITE_ENABLE_FTS3_TOKENIZER. See the
> last bullet (the only bullet under the "Backwards Compatibility"
> heading) of the release notes at
> https://www.sqlite.org/releaselog/3_11_0.html for links to further
> information.
>
> At this time, you basically have two options:
>
> (1) Compile your system sqlite3.so library using
> SQLITE_ENABLE_FTS3_TOKENIZER and hope that none of the applications
> that link against this library use it in such a way that the
> fts3_tokenizer() could present a security vulnerability.
>
> (2) Statically link against a version of SQLite that you compile
> yourself. SQLite is a single file of C code ("sqlite3.c") so making
> it a part of the project source tree is not a big deal.
>
> Option (2) seems like the best choice to me since that guarantees that
> Thunderbird will continue to operate regardless of what historical
> version of sqlite3.so happens to be installed (or not installed) on
> the system and regardless of the compile-time options used to create
> that sqlite3.so. (For example, what if somebody installs a new
> sqlite3.so that omits full-text search?) Static linking removes a
> dependency and makes Thunderbird more robust.

Thunderbird has *always* used its own statically built sqlite, just like all
other Mozilla software. In fact, it has more than one copy:

https://hg.mozilla.org/mozilla-central/file/918df3a0bc1c/db/sqlite3/src
https://hg.mozilla.org/mozilla-central/file/918df3a0bc1c/security/nss/lib/sqlite

>
> On 2/26/16, Steven Haigh <netwiz at crc.id.au> wrote:
>> Dear sqlite-users list,
>>
>> I'd like to try and get some pointers on the following issue as
>> documented on the following included BZ issues.
>>
>> Please CC me as I'm not subscribed to this list.
>>
>>
>> -------- Forwarded Message --------
>> Subject: Re: SQLite and Thunderbird
>> Date: Fri, 26 Feb 2016 10:06:25 +0100
>> From: Jan Staněk <jstanek at redhat.com>
>> Organization: Red Hat
>> To: Steven Haigh <netwiz at crc.id.au>
>> CC: nils at redhat.com, stransky at redhat.com
>>
>> Hi,
>> I presume that this is general thunderbird issue, not Fedora specific
>> one. If so, I would suggest asking at
>> sqlite-users at mailinglists.sqlite.org, they are usually quite helpful.
>>
>> Regards,
>> Jan
>>
>> On 26.2.2016 at 07:10, Steven Haigh wrote:
>>> Re:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1310864
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1311032
>>>
>>> Hi all,
>>>
>>> Just trying to open a channel of communication regarding these bugs.
>>>
>>> While I believe thunderbird uses a format of call that is depreciated in
>>> the newer SQLite packages, it is not ideal to statically compile
>>> thunderbird against sqlite to make it work (which I believe is the
>>> current fix).
>>>
>>> Any suggestions on a long-term fix?
>>>
>>
>> --
>> Jan Stanek - Red Hat Associate Developer Engineer - Databases Team
>>
>> --
>> Steven Haigh
>>
>> Email: netwiz at crc.id.au
>> Web: https://www.crc.id.au
>> Phone: (03) 9001 6090 - 0412 935 897
>>
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
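
Added example, not part of the original message or of SQLite's or Mozilla's code: a check, using Python's bundled sqlite3 module, of whether the SQLite library a process actually loads was built with SQLITE_ENABLE_FTS3_TOKENIZER and whether it accepts fts3_tokenizer() with an SQL literal argument. The names FLAG, has_flag, probe_literal_call and audit are chosen for this example.

```python
import sqlite3

# PRAGMA compile_options reports option names without the SQLITE_ prefix.
FLAG = "ENABLE_FTS3_TOKENIZER"


def has_flag(options):
    """True if a list of compile options contains the fts3_tokenizer opt-in."""
    for opt in options:
        name = opt.upper()
        if name.startswith("SQLITE_"):
            name = name[len("SQLITE_"):]
        if name == FLAG:
            return True
    return False


def probe_literal_call(conn):
    """Call fts3_tokenizer() with an SQL literal instead of a bound parameter.

    Only the one-argument (lookup) form is used, so nothing is registered.
    Returns (accepted, detail); detail carries the library's error text.
    """
    try:
        conn.execute("SELECT fts3_tokenizer('simple')").fetchone()
        return True, "accepted"
    except sqlite3.Error as exc:  # e.g. function missing or disabled
        return False, str(exc)


def audit(conn=None):
    """Summarise how the loaded SQLite library treats fts3_tokenizer()."""
    own = conn is None
    if own:
        conn = sqlite3.connect(":memory:")
    try:
        options = [row[0] for row in conn.execute("PRAGMA compile_options")]
        accepted, detail = probe_literal_call(conn)
    finally:
        if own:
            conn.close()
    return {
        "version": sqlite3.sqlite_version,    # library version, not the module's
        "flag_compiled_in": has_flag(options),
        "literal_call_accepted": accepted,
        "detail": detail,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A build compiled without compile-option diagnostics returns no rows from PRAGMA compile_options, so treat flag_compiled_in as a hint and literal_call_accepted as the observed behaviour.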