
Do you have plans to upgrade the SQLite vulnerabilities #1019

Open
jzonehu opened this issue Jan 18, 2024 · 2 comments

Comments

jzonehu commented Jan 18, 2024

This package has been identified with the following CVEs:

CVE-2022-21227
CVE-2022-46908
CVE-2023-7104

It appears that the underlying libsqlc-ndk-native-driver.so needs to be upgraded from SQLite 3.40.0 to version 3.43.0 or higher.
Do you have plans to perform this upgrade?

@MikeDimmickMnetics

The opinion of the SQLite developers towards CVEs can be found here: https://www.sqlite.org/cves.html.

The three CVEs you have listed are listed there:

  1. CVE-2022-21227 relates to the sqlite3 npm package, not this plugin, and not to the core SQLite engine.
  2. CVE-2022-46908 relates to the command line sqlite3 program and the possibility that its --safe switch allows some unsafe syntax. This plugin doesn't include the CLI.
  3. CVE-2023-7104 relates to the session extension, which is disabled by default. It has to be enabled at compile time. The distributed libsqlc-ndk-native-driver.so doesn't include it. The vulnerability is in a C-language API that this plugin doesn't use and doesn't expose.
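
The reply above hinges on two facts about a particular SQLite build: its version and whether the session extension was compiled in. Both are reported by SQLite itself through plain SQL (`SELECT sqlite_version()` and `PRAGMA compile_options`, which lists options without their `SQLITE_` prefix, so the session extension appears as `ENABLE_SESSION`). The following is an added example, not code from the issue, the plugin or the SQLite project; it runs the probe against the SQLite library linked into Python's stdlib `sqlite3` module purely to demonstrate the query. To get a verdict about `libsqlc-ndk-native-driver.so` the same two statements would have to be issued through the plugin's own SQL interface (an assumption about how one would apply it, not something the thread describes). The 3.43.0 threshold is taken from the issue report, not independently verified here.

```python
"""Probe a SQLite build for the surface CVE-2023-7104 requires.

Added example, not from the issue or the plugin. It asks the library
itself two questions over SQL: what version is it, and was the session
extension (a compile-time option, per the reply above) built in? Run
here against Python's bundled SQLite only to show the query; the result
for the plugin's .so is meaningful only when the same SQL runs through
the plugin.
"""
import sqlite3
from typing import Optional

# Threshold quoted from the issue report ("3.43.0 or higher"); assumed, not
# independently verified in this example.
FIXED_VERSION = (3, 43, 0)


def parse_version(version: str) -> tuple:
    """Turn '3.40.0' into (3, 40, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def session_extension_exposure(version: str, compile_options: set) -> str:
    """Classify a build from its version string and compile options.

    PRAGMA compile_options reports options without the SQLITE_ prefix, so
    the session extension shows up as the bare string 'ENABLE_SESSION'.
    """
    if "ENABLE_SESSION" not in compile_options:
        return "session extension not compiled in"
    if parse_version(version) >= FIXED_VERSION:
        return "session extension compiled in; version at or above 3.43.0"
    return "session extension compiled in; version below 3.43.0"


def inspect_build(conn: Optional[sqlite3.Connection] = None) -> dict:
    """Run the two SQL-level probes and summarise what they reveal.

    Pass a connection opened through whatever binding loads the library
    you care about; with no argument this inspects Python's own SQLite.
    """
    own_conn = conn is None
    if own_conn:
        conn = sqlite3.connect(":memory:")
    try:
        version = conn.execute("SELECT sqlite_version()").fetchone()[0]
        options = {row[0] for row in conn.execute("PRAGMA compile_options")}
    finally:
        if own_conn:
            conn.close()
    return {
        "version": version,
        "compile_options": sorted(options),
        "session_extension": "ENABLE_SESSION" in options,
        "exposure": session_extension_exposure(version, options),
    }


if __name__ == "__main__":
    report = inspect_build()
    print(f"SQLite {report['version']}: {report['exposure']}")
```

The classification deliberately treats "not compiled in" as the first and decisive branch: if `ENABLE_SESSION` is absent, the vulnerable code is not in the binary at all, which is exactly the argument the reply makes, and the version number only matters for builds that do include the extension.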

mirko77 commented May 25, 2024

No updates for two years, so I would consider this repo archived at this point.
