On Mon, Jun 27, 2016 at 08:45:58PM -0500, DJ Lucas wrote:
>
>
> On 06/26/2016 04:31 PM, Ken Moffat wrote:
> > Necessary for thunderbird, but worrying: upstream sqlite turned it
> > off by default because it was a potential vulnerability.
> >
> > I came across a post on an sqlite list the other day, suggesting it
> > would be better to do that with a static sqlite (e.g. the version
> > included in thunderbird) so it would be limited to that one
> > application. But then, we prefer system sqlite because in the past
> > there were problems when the version of sqlite in an application
> > differed from the system version.
>
> FWIW, this is how other distros have handled it. That said, as suggested on
> the sqlite list, using an internal-only version is clearly a better solution
> (if workable). I was just so focused on the segfaults, and enjoying a
> short-lived sense of relief (before I realized that I wasn't actually done),
> it didn't even occur to me to try the internal version rather than 'fix' the
> system version. Shouldn't take too long. I'll give them both a rebuild
> tonight and see how it behaves with internal SQLite. I'll report back when
> complete.
>
> --DJ
>
I wasn't intending to give you extra work, particularly if that's what
big distros are doing. I'm just concerned about applying it in general
(I haven't counted all the possible users of sqlite in the book, and
anyway somebody who understands the vulnerability would need to audit
each of them).

I don't recall what problems people had (it was many years ago), and it
seems unlikely that a static lib in thunderbird could cause problems
elsewhere, but without details of the past problems it is all guesswork.
Hmm, I wonder if a package managed to build its own shared version of
sqlite in the past?

Security is never fun :-(

ĸen
-- 
Democracy is the theory that the common people know what they want,
and deserve to get it good and hard -- H.L. Mencken
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
