Re: [Tracker] embedded code copy in tracker is problematic
- From: Michael Biebl <mbiebl gmail com>
- To: Carlos Garnacho <carlosg gnome org>
- Cc: Tracker-List <tracker-list gnome org>
- Subject: Re: [Tracker] embedded code copy in tracker is problematic
- Date: Tue, 1 Mar 2016 23:02:14 +0100
Hi Carlos
2016-03-01 19:27 GMT+01:00 Carlos Garnacho <carlosg gnome org>:
I talked with them (Richard Hipp and Dan Kennedy) through private
email. The solutions basically seemed to be:
- Including a static sqlite copy wherever fts3_tokenizer() is needed
- Using FTS5, which offers a way to customize FTS tokenizing that are
not affected by this vulnerability
- Adding such a similar way to FTS3
Basically, the vulnerability is completely intrinsic to the
fts3_tokenizer() call with 2 arguments, they can't both fix the cve
and keep offering it unchanged. Of those three options, all three
require changes in the users of this call, plus for the third we'd
have to wait for an hypothetical change, and wouldn't erase 3.11 from
earth either...
So I took solutions 1 and 2 wherever they apply. I also considered
backporting the FTS5 changes to stable branches, but it's too many
changes and too bleeding edge for me to be comfortable with it...
Thanks for the explanation. I'm glad to hear that this embedded cope
copy is only a workaround for the stable 1.6 branch.
How far away is 1.7/1.8 from being declared stable?
Regards,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
