On 12/22/15, Simon Slavin <slavins at bigfraud.org> wrote: > > On 22 Dec 2015, at 7:02am, Saurav Sarkar <saurav.sarkar1 at gmail.com> wrote: > >> But the queries will be always parametrized ones. > > Exploits 1 and 2 are controlled by things which can't be parameterised. > > I'm not 100% sure about the format string of a printf, but I can't think of > a way to parameterise it. So you would seem to be safe from those > exploits. > > I expect Richard to soon announce that the underlying problems have been > fixed, anyway.
I do not know where those vulnerability reports originated. They did not originate from me. For that matter, I was never consulted about them. None of them represent real vulnerabilities, in my assessment. All of the problems identified have been fixed for a long time. I think that these reports achieve nothing beyond vulnerability fatigue. I think it is shameful that nvd.nist.gov publishes them. -- D. Richard Hipp drh at sqlite.org
