On 06/27/2016 10:10 PM, Ken Moffat wrote:

I wasn't intending to give you extra work, particularly if that's
what big distros are doing.  I'm just concerned about applying it in
general (I haven't counted all the possible users of sqlite in the
book, and anyway somebody who understands the vulnerability would
need to audit each of them).

:-) Not much additional work (at least not if I'd have used the correct incarnation of the gcc6 patch the first time!). As to the second part, if the need of FTS3 is excluded in its entirety, no additional work there either.

I don't recall what problems people had (it was many years ago), and
it seems unlikely that a static lib in thunderbird could cause
problems elsewhere, but without details of the past problems it is
all guesswork.  Hmm, I wonder if a package managed to build its own
shared version of sqlite in the past ?

Security is never fun :-(

Seems to me that it is working fine. My error was not exporting the CFLAGS and CXXFLAGS. Will update this evening. Will it be a problem to do the same with SM? If not, we should remove at least the FTS3 Tokenizer define from the SQLite instructions (the one I suggested adding), and review the rationale for the other FTS3 define?

--DJ


--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
