[Info-vax] SQLite has a critical vulnerability
osuvman50 at gmail.com
osuvman50 at gmail.com
Mon Dec 17 22:03:20 EST 2018
On Monday, December 17, 2018 at 11:26:39 AM UTC-5, osuv... at gmail.com wrote:
> Inspection of the crash example linked to by the article points to a problem in the fts3 (full text search) virtual table module. The module exposes the index B-tree data as a table that can be updated by the application.
>
I built SQLite on VMS with FTS3/4 modules enabled and duplicated the crash seen on other systems. I then downloaded and built version 3.26.0.0, released 1 December, which purports to fix the vulnerability. The version doesn't ACCVIO,
but it fails in different ways depending upon whether 'defensive' mode is configured at run time. With defensive mode on, the attempt to corrupt the shadow table fails. With it off, you can corrupt the data but the virtual table module sees it as corrupted and unusable.
The docs on FTS say FTS3 was contributed by a Google employee, it's no surprise that Google apps made use of it.
More information about the Info-vax
mailing list