Firefox?
Might someone want to check which Firefox versions are affected if any?
Cisco Talos researchers have uncovered an SQLite use-after-free() vulnerability that could allow an attacker to, in theory, remotely execute code on an affected device. "An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0," said Talos in a blog post describing the vuln, …
I think I’ve seen warnings about this from static analysis tools in the past, but I can’t be certain.
I almost never write pure C code these days (ironically, the one exception in recent years has been the SDK for the Oso Memory Profiler </shamelessplug>), and my memory manager for all my C++ projects has a debug mode that catches things like this on the rare occasions they happen.
Exactly, it was one of the few ways that I found to produce a small executable without needing gigabytes of frameworks to produce a working program that would fit on a floppy disk. Ask kids these days, they have no idea, grumble...
To be serious though, it is an excellent solution for a number of applications. I have found it to be a really good data depository for medium sized websites (i.e. most of them written for small/medium businesses). sqlite.org: "...Queries Are Efficient..."
Mine's the one with "Using SQLite" in the pocket >>=====>
So what do you suggest instead?
Python? Written in C
PHP? Written in C
Go? ....you get the idea?
Whenever anyone tries to claim that "C is dead. Nobody uses C anymore" they should remember that virtually all the other languages are written in it (or some derivative of it such as C++).
Besides, an ENORMOUS amount of code is written every day in C/C++. And that's not changing any time soon.
And ALL the useful stuff (stuff that makes the phone network work, or runs your TV, or makes the Internet work, or heart monitors, or....) is (guess what?) written in C.
In other news...
"It, realistically, requires the combination of an SQL injection flaw with this latest engine bug to do scary damage."
That's the typical MO to exploit a bug, according to Mr. Gibson. There are plenty of partially patched systems and regular findings of squilly injection flaws - https://www.theregister.co.uk/2018/12/18/sqlite_vulnerability/
So if you only upgraded to 3.26.0 or not much newer to fix December's injection flaw, you're now vulnerable to both flaws being used as a pair.
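As an added example (not code from the thread, The Register, or the SQLite project), here is the two-sided check a maintainer would want after reading the above: whether the linked SQLite library is newer than the 3.26.0 named in the advisory, and that the application passes user input as bound parameters rather than SQL text, so an injection flaw has no path to the engine bug. The table, its rows, the input string, the 3.26.0 threshold and the `needs_review` helper are constructed for illustration.

```python
import sqlite3

# Highest version the thread names as affected. The thread does not name the
# fixed release, so anything not newer than this is flagged for review against
# the vendor advisory (constructed threshold, not an official fixed-version list).
MAX_KNOWN_AFFECTED = (3, 26, 0)


def needs_review(version_info=sqlite3.sqlite_version_info):
    """True when the linked SQLite library is not newer than 3.26.0."""
    return tuple(version_info) <= MAX_KNOWN_AFFECTED


def make_db():
    """Constructed in-memory table standing in for a small web app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES(?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    # String-built query: whatever the caller supplies is parsed as SQL, which is
    # the "injection flaw" the thread says is needed to reach the engine bug.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the input is only ever a value, never SQL text, so it
    # cannot introduce a window function or anything else into the statement.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print("library", sqlite3.sqlite_version, "needs review:", needs_review())
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that is not a real user name
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no such user, empty list
```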
You can write C in perl (I do) and since perl's unicode is really getting there, probably in Thai. I know a bunch of really obscure languages are now supported, even in perl5.
https://www.youtube.com/watch?v=gmmVGPdcItM&t=1033s
Regular expressions in any language now...(even if ones in my own language make my head hurt).
Lower case Cherokee anyone?
>How about learning to code securely in C?
Interesting concept - I always thought C was a powerful language and thus was insecure by design and hence should only be used by expert (and trustworthy?) programmers who understood the theory and practice of defensive programming.