Created attachment 199735: patch
1. New version 3.26.0. The change log may be found at https://www.sqlite.org/releaselog/3_26_0.html
2. Reordered directives in the Makefile.
3. Added new option 'NORMALIZE'.
Created attachment 199736: build log
Created attachment 199737: portlint log
This bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232248 is outdated.
(In reply to Pavel Volkov from comment #3) You could have edited the older PR for this, instead of opening a new one. For now, close the older one.
A commit references this bug:
Author: swills
Date: Tue Dec 4 18:02:14 UTC 2018
New revision: 486622
URL: https://svnweb.freebsd.org/changeset/ports/486622
Log:
  databases/sqlite3: Update to 3.26.0
  PR: 233712
  Submitted by: Pavel Volkov <pavelivolkov@gmail.com> (maintainer)
Changes:
  head/databases/sqlite3/Makefile
  head/databases/sqlite3/distinfo
  head/databases/sqlite3/files/
Committed, thanks!
Tencent Blade announced an SQLite vulnerability [1] "Magellan" a number of days ago, citing an RCE (primary example vector: Chromium). Within the announcement, they say "If your product uses SQLite, please update to 3.26.0". SQLite's changelog [2] was not obvious when it came to declaring the existence of, the source or nature of the vulnerability, so ports r486622 (3.26.0 update to head) was not / has not yet been merged to quarterly.
[1] https://blade.tencent.com/magellan/index_en.html
[2] https://www.sqlite.org/releaselog/3_26_0.html
Firefox builds now check to see if the new SQLITE_DBCONFIG_DEFENSIVE is enabled by default. We need to add this into the port somehow. Mozilla's {,old-}configure's detection logic for this may be dodgy, though. The compile-time option for this has not been documented apart from sqlite3.c, but digging through there reveals we just need to add CPPFLAGS+=-DSQLITE_DEFAULT_DEFENSIVE.
(In reply to Charlie Li from comment #8) Thanks for the report Charlie. This issue is strictly regarding the version update, please create a separate issue for this under www/firefox: Requires SQLite SQLITE_DBCONFIG_DEFENSIVE and cc the databases/sqlite3 maintainer, so that the issue can be considered and addressed independently. Feel free to See Also: and Blocks: the main Magellan issue: bug 234112 in the new bug.
(In reply to Charlie Li from comment #8) Hello. SQLITE_DBCONFIG_DEFENSIVE is not a compilation flag (see https://sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive). It's a constant: a configuration option for the sqlite3_db_config() interface. You may use it in software products that use sqlite. This port does not require additional changes. Thanks.
(In reply to Pavel Volkov from comment #10) Mozilla upstream reverted the check for now, as it is incorrect as you mentioned. However, there is a SQLITE_DEFAULT_DEFENSIVE compile-time option that sqlite upstream hasn't documented yet. When Mozilla decides to re-add the check correctly, a new issue will be opened. https://bugzilla.mozilla.org/show_bug.cgi?id=1514683
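The distinction drawn in the two comments above (a per-connection runtime option versus a library-wide compile-time default) can be checked from a consumer's side. The following is an added example, not part of the thread or the port: it uses Python's standard sqlite3 module, the function names are hypothetical, and `setconfig`/`getconfig` are assumed available only on Python 3.12 or later (the script skips that step otherwise).

```python
import sqlite3

def schema_write_allowed(conn):
    """True if this connection still honours PRAGMA writable_schema=ON."""
    conn.execute("PRAGMA writable_schema=ON")
    try:
        # No-op statement (WHERE 0): it raises an error when the defensive
        # flag is set, and touches no rows otherwise.
        conn.execute("UPDATE sqlite_master SET sql = sql WHERE 0")
        return True
    except sqlite3.DatabaseError:
        return False
    finally:
        conn.execute("PRAGMA writable_schema=OFF")

def check_defensive():
    """Report the library's default behaviour and the effect of the runtime flag."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    report = {
        "library": sqlite3.sqlite_version,
        # Behaviour of the linked library with no per-connection setup.
        "defensive_by_default": not schema_write_allowed(conn),
    }
    # Runtime switch: the Python wrapper around
    # sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, ...).
    op = getattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE", None)
    if op is not None and hasattr(conn, "setconfig"):
        conn.setconfig(op, True)
        report["flag_after_setconfig"] = conn.getconfig(op)
        report["schema_write_after_setconfig"] = schema_write_allowed(conn)
    conn.close()
    return report

if __name__ == "__main__":
    for key, value in check_defensive().items():
        print(f"{key}: {value}")
```

A `defensive_by_default` of False means each application has to set the option on its own connections; the probe observes behaviour only and does not read the library's build flags.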
Missed 2018Q4 MFH window (new 2019Q1 created)