Re: [Tracker] embedded code copy in tracker is problematic



Hey :),

On Tue, Mar 1, 2016 at 11:02 PM, Michael Biebl <mbiebl gmail com> wrote:
Hi Carlos

2016-03-01 19:27 GMT+01:00 Carlos Garnacho <carlosg gnome org>:
I talked with them (Richard Hipp and Dan Kennedy) through private
email. The solutions basically seemed to be:
- Including a static sqlite copy wherever fts3_tokenizer() is needed
- Using FTS5, which offers a way to customize FTS tokenizing that is
not affected by this vulnerability
- Adding such a similar way to FTS3

Basically, the vulnerability is completely intrinsic to the
fts3_tokenizer() call with 2 arguments, they can't both fix the cve
and keep offering it unchanged. Of those three options, all three
require changes in the users of this call, plus for the third we'd
have to wait for a hypothetical change, and wouldn't erase 3.11 from
earth either...

So I took solutions 1 and 2 wherever they apply. I also considered
backporting the FTS5 changes to stable branches, but it's too many
changes and too bleeding edge for me to be comfortable with it...

Thanks for the explanation. I'm glad to hear that this embedded code
copy is only a workaround for the stable 1.6 branch.
How far away is 1.7/1.8 from being declared stable?

I'm following the gnome schedule, so roughly 3 weeks :). The version
numbers are totally misguiding, but we're supposedly RC1 now.

Cheers,
  Carlos

