SQLite security bug v3.25 (and lower?)

Walter Dnes

Post by Walter Dnes » 2018-12-17, 16:31

https://www.zdnet.com/article/sqlite-bu ... -browsers/
Article about an SQLite bug. Fix shipped in 3.26.0 on Dec 1st. I don't see any mention of SQLite in the 28.2.2 release notes, so a patch will probably need to be applied for 28.2.3?
There's a right way
There's a wrong way
And then there's my way

JustOff

Re: SQLite security bug v3.25 (and lower?)

Post by JustOff » 2018-12-17, 17:09

Pale Moon does not support Web SQL API, so it is not affected.

therube

Re: SQLite security bug v3.25 (and lower?)

Post by therube » 2018-12-17, 18:17

ZDNet also talks about "local attacks" (however unlikely).

And PM uses what, an SQLite .js (.jsm) library kind of thing.

FF regularly updates SQLite, Bug 1511646 (SQLIte3.26.0) Upgrade to SQLite 3.26.0 & I'd think PM would follow suit too, as a matter of course (though seemingly not of great importance at this time, even if it happens to be "dated").

vannilla

Re: SQLite security bug v3.25 (and lower?)

Post by vannilla » 2018-12-17, 21:20

therube wrote:
> ZDNet also talks about "local attacks" (however unlikely).
>
> And PM uses what, an SQLite .js (.jsm) library kind of thing.
>
> FF regularly updates SQLite, Bug 1511646 (SQLIte3.26.0) Upgrade to SQLite 3.26.0 & I'd think PM would follow suit too, as a matter of course (though seemingly not of great importance at this time, even if it happens to be "dated").

Sqlite.jsm is available only to extensions though, so the only way to exploit it would be to create a malicious extension.
SQLite is directly accessible only through extensions on Pale Moon in general, so until someone manages to distribute said malicious extension, it's as JustOff said.
