[email protected] wrote: > Hi all, > > This CVE, > > https://nvd.nist.gov/vuln/detail/CVE-2019-16224 > > was raised against the py-lmdb library, who patched it here > https://github.com/jnwatson/py-lmdb/blob/master/lib/py-lmdb/cve-2019-16224-validate-db-flags.patch > (they bundle their own copy of the LMDB C library). > > It looks like there’s no similar mitigation in the LMDB C library > https://github.com/LMDB/lmdb/blob/mdb.master/libraries/liblmdb/mdb.c . > > Have you looked at this one at all, any idea whether this CVE affects the > LMDB library?
We rejected this CVE as invalid. As an embedded library, it's the application developer's responsibility to ensure that sufficient access controls are used to prevent malicious actors from corrupting their DB files. It was reported to us as ITS#10466, for future reference. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
