Hi all,
This CVE,
https://nvd.nist.gov/vuln/detail/CVE-2019-16224
was raised against the py-lmdb library, who patched it here https://github.com/jnwatson/py-lmdb/blob/master/lib/py-lmdb/cve-2019-16224-v... (they bundle their own copy of the LMDB C library).
It looks like there’s no similar mitigation in the LMDB C library https://github.com/LMDB/lmdb/blob/mdb.master/libraries/liblmdb/mdb.c .
Have you looked at this one at all, any idea whether this CVE affects the LMDB library?
Thanks,
Alex Seaton
alex.seaton@man.com wrote:
Hi all,
This CVE,
https://nvd.nist.gov/vuln/detail/CVE-2019-16224
was raised against the py-lmdb library, who patched it here https://github.com/jnwatson/py-lmdb/blob/master/lib/py-lmdb/cve-2019-16224-v... (they bundle their own copy of the LMDB C library).
It looks like there’s no similar mitigation in the LMDB C library https://github.com/LMDB/lmdb/blob/mdb.master/libraries/liblmdb/mdb.c .
Have you looked at this one at all, any idea whether this CVE affects the LMDB library?
We rejected this CVE as invalid. As an embedded library, it's the application developer's responsibility to ensure that sufficient access controls are used to prevent malicious actors from corrupting their DB files.
It was reported to us as ITS#10466, for future reference.
Howard Chu wrote:
alex.seaton@man.com wrote:
Hi all,
This CVE,
https://nvd.nist.gov/vuln/detail/CVE-2019-16224
was raised against the py-lmdb library, who patched it here https://github.com/jnwatson/py-lmdb/blob/master/lib/py-lmdb/cve-2019-16224-v... (they bundle their own copy of the LMDB C library).
It looks like there’s no similar mitigation in the LMDB C library https://github.com/LMDB/lmdb/blob/mdb.master/libraries/liblmdb/mdb.c .
Have you looked at this one at all, any idea whether this CVE affects the LMDB library?
We rejected this CVE as invalid. As an embedded library, it's the application developer's responsibility to ensure that sufficient access controls are used to prevent malicious actors from corrupting their DB files.
It was reported to us as ITS#10466, for future reference.
Just another note - LMDB 1.0 supports page-level checksums and/or encryption. You can use a keyed hash / HMAC, or authenticated encryption, to detect or prevent tampering with the DB files.
openldap-technical@openldap.org