sqlite vulnerability?

[herrxyz]

hey, can you please check (and fix) if selfoss is affected by sqlite vulnerability https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/ ? As far as I understand this text it could be triggered by any website in my feed. Kind regards

[jtojnar]

Hi, thanks for reporting.

We only use quote method here:

• https://github.com/fossar/selfoss/blob/3ac16cd741f2d6cf591dc17ab5238cd48fbc6f54/src/daos/mysql/Items.php#L183-L185
  • The sourceId will come from the database itself so that will be safe.
  • Item IDs come from the feed but:
  • For the social network ones, we can probably trust that user cannot manipulate it:
    • https://github.com/fossar/selfoss/blob/3ac16cd741f2d6cf591dc17ab5238cd48fbc6f54/src/spouts/twitter/usertimeline.php#L205
    • https://github.com/fossar/selfoss/blob/3ac16cd741f2d6cf591dc17ab5238cd48fbc6f54/src/spouts/github/commits.php#L104
    • https://github.com/fossar/selfoss/blob/3ac16cd741f2d6cf591dc17ab5238cd48fbc6f54/src/spouts/facebook/page.php#L104
  • And for RSS-based feeds and Reddit, we are not permitting long strings:
    • https://github.com/fossar/selfoss/blob/3ac16cd741f2d6cf591dc17ab5238cd48fbc6f54/src/spouts/rss/feed.php#L97-L100
    • https://github.com/fossar/selfoss/blob/3ac16cd741f2d6cf591dc17ab5238cd48fbc6f54/src/spouts/reddit/reddit2.php#L125-L128

For all other escaping, we use prepared statements so unless sqlite uses the printf function there as well it should be fine.

I would still recommend to update your systems to sqlite 3.39.4 (or version provided by your vendor that has the vulnerability patched).

[herrxyz]

thanks for your super-fast reply and sorry for my late closing (did read it in november but forget to close)