Re: SQLite vulnerability

2018-12-17 Thread Ronald F. Guilmette
I just wanted to say that I'm sorry to see there being a somewhat, testy exchange here on this list with regards to the SQLite issue, but at least it gives me an opportunity to crack a rather lame joke that I just made up by accident. I'll be talking with another security professional by phone l

Re: SQLite vulnerability

2018-12-17 Thread Cameron, Frank J
On Mon, Dec 17, 2018 at 10:02:36AM -0800, Hugh LaMaster wrote: > On 12/17/18 6:14 AM, Cameron, Frank J wrote: > > 'The new SQLITE_DBCONFIG_DEFENSIVE features is more of a > > defense-in-depth, designed to head off future vulnerabilities by > > making shadow-tables read-only to ordinary SQL, along w

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
I'm objecting to your tone, which is nearly always negative. The link I sent states the problem with your tone in a much better and more eloquent way than I can. I challenge you to change your tone when you post to the list in the future. On Mon, Dec 17, 2018 at 10:28 AM Roger Marquis wrote: >

RE: SQLite vulnerability

2018-12-17 Thread Cy Schubert
Base needs updating. --- Sent using a tiny phone keyboard. Apologies for any typos and autocorrect. Also, this old phone only supports top post. Apologies. Cy Schubert or The need of the many outweighs the greed of the few. --- -Original Message- From: Roger Marquis Sent: 17/12/2018 08

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
On Mon, 17 Dec 2018, Kubilay Kocak wrote: Pretty close :) Original source/announcement: https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed [December 14th, 2018] Not original though Tenable may have based their announcement on: https://meterpreter.o

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
Robert Simmons acerbically replied: Since you may not read that essay on open source software, here is the salient point for you: - For users: remember when filing an issue, opening a pull request or making a comment on a project to be grateful that people spend their free time to build sof

Re: SQLite vulnerability

2018-12-17 Thread Cameron, Frank J
On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security wrote: > Doesn't base also need to be patched? > AFAIK pkg uses sqlite database. Does pkg allow running arbitrary untrusted SQL? 'The vulnerability only exists in applications that allow a potential attacker to run arbitr

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
Yes, pkg uses sqlite. It uses the amalgamation here: https://github.com/freebsd/pkg/tree/master/external/sqlite On Mon, Dec 17, 2018, 07:11 Piotr Kubaj via freebsd-security < freebsd-security@freebsd.org wrote: > Doesn't base also need to be patched? > > AFAIK pkg uses sqlite database. > > -- >

Re: SQLite vulnerability

2018-12-17 Thread Piotr Kubaj via freebsd-security
Doesn't base also need to be patched? AFAIK pkg uses sqlite database. -- _ / Drew's Law of Highway Biology: \ | | | The first bug to hit a clean windshield | | | \ l

Re: SQLite vulnerability

2018-12-17 Thread Kubilay Kocak
On 17/12/2018 7:44 pm, Brooks Davis wrote: On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote: Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all over the news for a week now. It is patched on all Linux platforms but has not yet shown up in FreeBSD's vulxml data

Re: SQLite vulnerability

2018-12-17 Thread Brooks Davis
On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote: > Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's vulxml database. Does this mean: > > A) FreeBSD

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
Since you may not read that essay on open source software, here is the salient point for you: - For users: remember when filing an issue, opening a pull request or making a comment on a project to be grateful that people spend their free time to build software you get to use for free. Kee

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
https://mikemcquaid.com/2018/03/19/open-source-maintainers-owe-you-nothing/ On Sun, Dec 16, 2018, 16:42 Roger Marquis Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBS

Re: SQLite vulnerability

2018-12-17 Thread Franco Fichtner
> On 17. Dec 2018, at 8:59 AM, Robert Simmons wrote: > > You're being a jerk. This knee-jerk reaction defence is getting old. If you guys don't want to address it just leave it be or say "I'm not interested in doing x-y-z", even if it means "not interested in security" or "not interested in

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
You're being a jerk. This is a volunteer project. It owes you nothing. On Sun, Dec 16, 2018, 16:42 Roger Marquis Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's