On Fri, Jan 03, 2020 at 10:19:33AM -0600, Douglas R. Reno via blfs-dev wrote:
> 
> On 1/3/20 8:35 AM, Paul Menzel via blfs-dev wrote:
> > Dear Beyond Linux From Scratch folks,
> > 
> > 
> > The configuration instructions for SQLite [1] still enable the two-argument
> > version of the fts3_tokenizer() interface.
> > 
> >      -DSQLITE_ENABLE_FTS3_TOKENIZER=1
> > 
> > The command explanations do not contain that.
> > 
> > > CFLAGS="-g -O2 -DSQLITE_ENABLE_FTS3=1 -DSQLITE_ENABLE_FTS4=1
> > > -DSQLITE_ENABLE_COLUMN_METADATA=1 -DSQLITE_SECURE_DELETE
> > > -DSQLITE_ENABLE_UNLOCK_NOTIFY=1 -DSQLITE_ENABLE_DBSTAT_VTAB=1":
> > > Applications such as Firefox require secure delete and enable unlock
> > > notify to be turned on. Since firefox-41 the dbstat virtual table and
> > > FTS3/4 are also required. The only way to do this is to include them
> > > in the CFLAGS. By default, these are set to "-g -O2" so we specify
> > > that to preserve those settings. You may, of course, wish to omit the
> > > '-g' if you do not wish to create debugging information. For further
> > > information on what can be specified see
> > > http://www.sqlite.org/compile.html.
> > So, I wonder if that is an oversight, as the SQLite upstream say there are
> > security concerns.
> > 

Looking more generally at that page, I am again reminded not to
trust documentation!  Specifically, for SQLITE_ENABLE_FTS4 it says:

When this option is defined in the amalgamation, versions 3 and 4 of
the full-text search engine is added to the build automatically.

Been there, had to reinstate the enable of fts3 for sqlite-3.25 when
I was building firefox-63.0 candidate 2.

> 
> Hi Paul,
> 
> This isn't due to an oversight. In 2016, a ticket was filed named
> "sqlite-3.11.0 causes error in Thunderbird search" (Ticket #7991). In order
> to get search to work again, we had to add -DSQLITE3_ENABLE_FTS3_TOKENISER=1
> to the sqlite CFLAGS. That option became required around Thunderbird-52.5.0.
> I'll update the command explanations to match that though.
> 

Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=1270882
it seems there are indeed potential problems with that (used,
apparently, by thunderbird and also by seamonkey).  But it implies
that it was fixed in firefox-66 and therefore thunderbird-68 should
be ok without it.

I've updated my local sqlite, currently building a firefox-68.4.0
candidate.  Can try thunderbird after that, but I don't have a lot
of mail in the account I use for that, not sure that a successful
search would be proof it is ok.

Some details of the problem from FreeBSD in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208500 : I guess I
can see if that still happens for me.

And then there is also seamonkey, which I do not use.

For now, I'll close by quoting comment 7:

Agreed that this fix is fine and better than the status quo.  And it
doesn't involve exposing additional API surface in mozStorage, which
is nice!

(The downside is that fts3_tokenizer() stays active all the time in
Thunderbird.  But as noted before, if an attacker can control the
SQL invoked, Thunderbird is already compromised, so that particular
issue doesn't really matter.)

ĸen
-- 
The right of the people to keep and arm Bears, shall not be infringed.
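
An added example, not part of the original thread and not BLFS or SQLite project code: one way to check a set of SQLite build flags, or the SQLite library already installed, for the options discussed above. The function names and the `REQUIRED`/`REVIEW` groupings are assumptions made for this sketch; the flag names are the ones quoted in the thread, and `PRAGMA compile_options` is SQLite's own interface for listing build options.

```python
import re
import sqlite3

# Options the BLFS command explanation quoted in the thread lists as required.
REQUIRED = {"ENABLE_FTS3", "ENABLE_FTS4", "ENABLE_COLUMN_METADATA",
            "SECURE_DELETE", "ENABLE_UNLOCK_NOTIFY", "ENABLE_DBSTAT_VTAB"}
# The option the thread is about: it enables two-argument fts3_tokenizer().
REVIEW = {"ENABLE_FTS3_TOKENIZER"}


def normalize(option):
    """'-DSQLITE_ENABLE_FTS3=1' or 'ENABLE_FTS3' -> 'ENABLE_FTS3'."""
    name = option.split("=", 1)[0]
    name = re.sub(r"^-D", "", name)
    return re.sub(r"^SQLITE_", "", name)


def defines_from_cflags(cflags):
    """Collect SQLite feature defines from a CFLAGS string."""
    return {normalize(tok) for tok in cflags.split()
            if tok.startswith("-DSQLITE_")}


def defines_from_library():
    """Ask the SQLite library this Python is linked against how it was built."""
    conn = sqlite3.connect(":memory:")
    try:
        rows = conn.execute("PRAGMA compile_options").fetchall()
    finally:
        conn.close()
    return {normalize(row[0]) for row in rows}


def audit(defines):
    """Report required options that are absent and options that need review."""
    return {"missing": sorted(REQUIRED - defines),
            "review": sorted(REVIEW & defines)}


# Constructed input: the CFLAGS quoted in the thread plus the flag Paul asks about.
BLFS_CFLAGS = ("-g -O2 -DSQLITE_ENABLE_FTS3=1 -DSQLITE_ENABLE_FTS4=1 "
               "-DSQLITE_ENABLE_COLUMN_METADATA=1 -DSQLITE_SECURE_DELETE "
               "-DSQLITE_ENABLE_UNLOCK_NOTIFY=1 -DSQLITE_ENABLE_DBSTAT_VTAB=1 "
               "-DSQLITE_ENABLE_FTS3_TOKENIZER=1")

if __name__ == "__main__":
    print("build instructions:", audit(defines_from_cflags(BLFS_CFLAGS)))
    print("installed library: ", audit(defines_from_library()))
```

The library check reflects the SQLite that Python itself loads, which may differ from the copy an application such as Thunderbird bundles or links against.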