Howard Chu wrote: > [email protected] wrote: >> Hi all, >> >> This CVE, >> >> https://nvd.nist.gov/vuln/detail/CVE-2019-16224 >> >> was raised against the py-lmdb library, who patched it here >> https://github.com/jnwatson/py-lmdb/blob/master/lib/py-lmdb/cve-2019-16224-validate-db-flags.patch >> (they bundle their own copy of the LMDB C library). >> >> It looks like there’s no similar mitigation in the LMDB C library >> https://github.com/LMDB/lmdb/blob/mdb.master/libraries/liblmdb/mdb.c . >> >> Have you looked at this one at all, any idea whether this CVE affects the >> LMDB library? > > We rejected this CVE as invalid. As an embedded library, it's the application > developer's > responsibility to ensure that sufficient access controls are used to prevent > malicious > actors from corrupting their DB files. > > It was reported to us as ITS#10466, for future reference.
Just another note - LMDB 1.0 supports page-level checksums and/or encryption. You can use a keyed hash / HMAC, or authenticated encryption, to detect or prevent tampering with the DB files. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
