
Security issue: CVE-2022-35737

Open jeremy-bridges opened this issue 2 years ago • 3 comments

https://nvd.nist.gov/vuln/detail/CVE-2022-35737

This CVE has been getting some press as of late. If we can push this package forward to include the updated library, that would be great.

jeremy-bridges, Dec 13 '22 05:12

Better yet, we'd love to see a Software Bill of Materials maintained in this repository. Something simple is fine. Mainly just want to know which version of the core C++ SQLite library is in use for any given release.

jeremy-bridges, Dec 13 '22 23:12

FWIW and AFAIK (since I am not a maintainer in this repo):

One of the nuget packages produced from this repo is sqlite-net-pcl. It does not include SQLite binaries.

But that package has a dependency on a set of packages called SQLitePCLRaw, which I do maintain, and some of those packages do contain native SQLite library binaries. For example, SQLitePCLRaw.lib.e_sqlite3.

On my GitHub releases page, I try to make it clear which version of the SQLite library was used for each release of SQLitePCLRaw:

https://github.com/ericsink/SQLitePCL.raw/releases

The version of SQLitePCLRaw that sqlite-net-pcl depends upon is simply a minimum. You can update it independently by adding another PackageReference item:

    <PackageReference Include="SQLitePCLRaw.bundle_green" Version="2.1.2" />

ericsink, Dec 14 '22 00:12
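A practical complement to the two points above (jeremy-bridges wanting to know which SQLite build a release actually carries, and ericsink's note that the SQLitePCLRaw version is only a minimum you can override): ask the loaded native library for its version at startup and fail fast if it is in the range NVD lists for CVE-2022-35737 (SQLite 1.0.12 through 3.39.1, fixed in 3.39.2). This is an added example and not code from sqlite-net or SQLitePCLRaw. It assumes a project that references sqlite-net-pcl and pins SQLitePCLRaw.bundle_green as shown in the comment above; the package versions in the csproj comment are illustrative, and `SQLiteConnection.LibVersionNumber` is the sqlite-net property this example relies on to read `sqlite3_libversion_number()`.

```csharp
// Added example (not from the sqlite-net or SQLitePCLRaw projects): check at
// runtime which SQLite library is really loaded and refuse builds in the
// CVE-2022-35737 range (NVD: SQLite 1.0.12 through 3.39.1; fixed in 3.39.2).
//
// Assumed project setup (versions illustrative), overriding the transitive
// native bundle as ericsink describes:
//   <ItemGroup>
//     <PackageReference Include="sqlite-net-pcl" Version="1.8.116" />
//     <PackageReference Include="SQLitePCLRaw.bundle_green" Version="2.1.2" />
//   </ItemGroup>
using System;
using SQLite;

static class SqliteVersionCheck
{
    // sqlite3_libversion_number() encodes X.Y.Z as X*1000000 + Y*1000 + Z,
    // so 3.39.2, the first release with the fix, is 3039002.
    const int FirstFixedVersion = 3039002;

    // Decode the packed number back into "X.Y.Z" for log messages.
    public static string Format(int libVersionNumber) =>
        $"{libVersionNumber / 1000000}.{libVersionNumber / 1000 % 1000}.{libVersionNumber % 1000}";

    // True when the loaded library predates the fix.
    public static bool IsAffected(int libVersionNumber) =>
        libVersionNumber < FirstFixedVersion;

    public static void Main()
    {
        // Opening an in-memory database forces sqlite-net to initialise the
        // SQLitePCLRaw provider; LibVersionNumber (assumed sqlite-net API)
        // then reports the native library that was actually resolved.
        using var conn = new SQLiteConnection(":memory:");
        int loaded = conn.LibVersionNumber;
        Console.WriteLine($"Loaded SQLite {Format(loaded)} (sqlite3_libversion_number = {loaded})");

        if (IsAffected(loaded))
        {
            // Fail at startup rather than discovering the version in an incident
            // report; the fix is to pin a SQLitePCLRaw release whose notes show
            // SQLite 3.39.2 or later.
            throw new InvalidOperationException(
                $"SQLite {Format(loaded)} is in the CVE-2022-35737 range; " +
                "pin SQLitePCLRaw.bundle_green to a release that ships SQLite >= 3.39.2");
        }
    }
}
```

Running this once in CI against every target runtime (the native binary differs per RID) gives the "which SQLite is in this release" answer without depending on anyone maintaining an SBOM by hand; the release notes at the SQLitePCLRaw link above remain the place to confirm which bundle version to pin.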

This is a highly theoretical pseudo DDoS that can be caused if you directly allow gigantic strings to be pressed against the database and run in the query.

DDoS is somewhat unavoidable; someone who is willing to craft such an exploit can easily go on any Tor underground group and pay for a targeted DDoS (they are really cheap now).

The security issue exists, but this is definitely not critical.

layer07, Jul 16 '23 16:07