On 06/29/2016 01:19 PM, DJ Lucas wrote:
> On 06/27/2016 10:10 PM, Ken Moffat wrote:
>> I wasn't intending to give you extra work, particularly if that's
>> what big distros are doing. I'm just concerned about applying it in
>> general (I haven't counted all the possible users of sqlite in the
>> book, and anyway somebody who understands the vulnerability would
>> need to audit each of them).
> :-) Not much additional work (at least not if I'd have used the correct
> incarnation of the gcc6 patch the first time!). As to the second part,
> if the need of FTS3 is excluded in its entirety, no additional work
> there either.
Okay, so FTS3 is required for TCL and is not itself a security issue.
Here is a POC of the vulnerability:
http://chichou.0ginr.com/blog/1336/abuse-sqlite3-ext-to-bypass-php-security-restrictions
--DJ
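The thread turns on two properties of the installed sqlite build: whether FTS3 is compiled in, and whether the library can load extensions at all (the linked POC abuses extension loading). The following is an added example, not code from this thread or from BLFS, showing how a packager can audit a build from Python: it reads `PRAGMA compile_options` (sqlite reports `ENABLE_FTS3` and `OMIT_LOAD_EXTENSION` there, without the `SQLITE_` prefix) and probes the runtime state of `load_extension()` on a fresh connection. The function names and the nonexistent probe path are mine.

```python
import sqlite3


def sqlite_build_audit(conn=None):
    """Return security-relevant build facts about the sqlite library that
    backs `conn` (a throwaway in-memory database when none is given)."""
    own = conn is None
    if own:
        conn = sqlite3.connect(":memory:")
    try:
        options = [row[0] for row in conn.execute("PRAGMA compile_options")]
        # Built with SQLITE_OMIT_LOAD_EXTENSION: load_extension() does not exist.
        omit_load = "OMIT_LOAD_EXTENSION" in options
        # Built with SQLITE_ENABLE_FTS3: the FTS3 module (needed by TCL) is present.
        fts3 = "ENABLE_FTS3" in options
        # Python only exposes enable_load_extension() when both the library
        # and the interpreter build permit loading extensions.
        py_can_load = hasattr(conn, "enable_load_extension") and not omit_load
        return {
            "sqlite_version": sqlite3.sqlite_version,
            "compile_options": options,
            "fts3_enabled": fts3,
            "load_extension_compiled_in": not omit_load,
            "python_can_load_extensions": py_can_load,
        }
    finally:
        if own:
            conn.close()


def load_extension_runtime_state(conn=None):
    """Classify what load_extension() does on this connection:
    'omitted'  - function absent (library built without extension loading),
    'disabled' - present but refused (the per-connection default),
    'enabled'  - present and willing to open the path we hand it."""
    own = conn is None
    if own:
        conn = sqlite3.connect(":memory:")
    try:
        # Constructed, nonexistent path: we only want to see how sqlite refuses.
        conn.execute("SELECT load_extension('/nonexistent/probe-ext')")
    except sqlite3.OperationalError as err:
        msg = str(err)
        if "no such function" in msg:
            return "omitted"
        if "not authorized" in msg:
            return "disabled"
        # Any other error means sqlite actually tried to open the file.
        return "enabled"
    else:
        return "enabled"
    finally:
        if own:
            conn.close()


if __name__ == "__main__":
    report = sqlite_build_audit()
    print("sqlite", report["sqlite_version"])
    print("FTS3 compiled in:", report["fts3_enabled"])
    print("extension loading compiled in:", report["load_extension_compiled_in"])
    print("load_extension() on a fresh connection:", load_extension_runtime_state())
```

The point of the second probe is that FTS3 and extension loading are independent switches: a build can carry FTS3 for TCL while still refusing `load_extension()` unless a program explicitly enables it per connection, which is the default sqlite behaviour.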
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page