Howard Chu wrote:
> [email protected] wrote:
>> Hi all,
>>
>> This CVE,
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2019-16224 
>>
>> was raised against the py-lmdb library, who patched it here 
>> https://github.com/jnwatson/py-lmdb/blob/master/lib/py-lmdb/cve-2019-16224-validate-db-flags.patch
>>  (they bundle their own copy of the LMDB C library).
>>
>> It looks like there’s no similar mitigation in the LMDB C library 
>> https://github.com/LMDB/lmdb/blob/mdb.master/libraries/liblmdb/mdb.c .
>>
>> Have you looked at this one at all, any idea whether this CVE affects the 
>> LMDB library?
> 
> We rejected this CVE as invalid. As an embedded library, it's the application 
> developer's
> responsibility to ensure that sufficient access controls are used to prevent 
> malicious
> actors from corrupting their DB files.
> 
> It was reported to us as ITS#10466, for future reference.

Just another note - LMDB 1.0 supports page-level checksums and/or encryption. 
You can use
a keyed hash / HMAC, or authenticated encryption, to detect or prevent 
tampering with the
DB files.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to