
Vulnerability in SQLite #648

Closed
ionut-arm opened this issue Oct 25, 2022 · 3 comments
Labels: security (Issues related to the security and privacy of the service), sqlite-kim (Issues related to the implementation or maintenance of the SQLite KIM)

Comments

@ionut-arm (Member)

There's been an announcement about a new vulnerability in SQLite. We should investigate and see if this affects Parsec in any way.

ionut-arm added the labels security (Issues related to the security and privacy of the service) and sqlite-kim (Issues related to the implementation or maintenance of the SQLite KIM) on Oct 25, 2022

@nullr0ute

Is there a reason to bundle the sqlite crate and not just depend on a specific version?

@tgonzalezorlandoarm (Member)

This has been solved since this merge request was merged: #662, which in turn points to this
As we use the "bundled" feature, according to what's written in the README of the currently used rusqlite version (which is more recent than the one marked in that #662), we are currently using SQLite 3.41.2.

Taking a look at https://nvd.nist.gov/vuln/detail/CVE-2022-35737 , the issue has been solved in SQLite >= 3.39.2, so this does not apply anymore.

@tgonzalezorlandoarm (Member)

@nullr0ute We are following the indications from the rusqlite crate:

[dependencies]
# `bundled` causes us to automatically compile and link in an up to date
# version of SQLite for you. This avoids many common build issues, and
# avoids depending on the version of SQLite on the users system (or your
# system), which may be old or missing. It's the right choice for most
# programs that control their own SQLite databases.
#
# That said, it's not ideal for all scenarios and in particular, generic
# libraries built around `rusqlite` should probably not enable it, which
# is why it is not a default feature -- it could become hard to disable.
rusqlite = { version = "0.29.0", features = ["bundled"] }

We avoid build issues, have an up-to-date version of SQLite and don't depend on the system's SQLite and its compatibility with us in this way.

Are you getting a build issue from the use of the bundled feature or are you asking about this to get more configuration capabilities from the system's side?
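
The two replies above rely on one fact: with the `bundled` feature the SQLite that matters is the one compiled into the binary, and closing the CVE means confirming that compiled-in version is at or past the fix release (3.39.2 for CVE-2022-35737). The check below is an added example, not Parsec or rusqlite code. It assumes the version string would come from `rusqlite::version()` (or `SELECT sqlite_version()`) in a real project; here a constructed string is passed in so the example builds with the standard library only. It converts the string into the integer layout SQLite uses for `SQLITE_VERSION_NUMBER`, because a plain string comparison gets "3.9.0" vs "3.39.2" wrong.

```rust
// Added example (not Parsec or rusqlite code): gate a test or startup check on
// the SQLite version that is actually linked in, the way the thread checks
// 3.41.2 against the CVE-2022-35737 fix in 3.39.2.
//
// Assumption: in a rusqlite project the version string would come from
// `rusqlite::version()`; here it is a plain &str so this builds with std only.

/// Error returned when a version string is not in SQLite's `X.Y.Z` form.
#[derive(Debug, PartialEq)]
pub struct BadVersion(pub String);

/// Parse "3.41.2" into the layout SQLite uses for SQLITE_VERSION_NUMBER /
/// sqlite3_libversion_number(): X*1_000_000 + Y*1_000 + Z.
pub fn version_number(version: &str) -> Result<u32, BadVersion> {
    // Keep only the leading digits-and-dots run, in case a build appends a suffix.
    let core = version
        .split(|c: char| !(c.is_ascii_digit() || c == '.'))
        .next()
        .unwrap_or("");
    let parts: Vec<&str> = core.split('.').collect();
    if parts.len() != 3 {
        return Err(BadVersion(version.to_string()));
    }
    let mut fields = [0u32; 3];
    for (i, p) in parts.iter().enumerate() {
        fields[i] = p
            .parse::<u32>()
            .map_err(|_| BadVersion(version.to_string()))?;
    }
    let [major, minor, patch] = fields;
    // Minor and patch each occupy three decimal digits in SQLite's encoding.
    if minor >= 1000 || patch >= 1000 {
        return Err(BadVersion(version.to_string()));
    }
    Ok(major * 1_000_000 + minor * 1_000 + patch)
}

/// A fix the build must contain: advisory id and first release carrying the fix.
pub struct RequiredFix {
    pub advisory: &'static str,
    pub fixed_in: &'static str,
}

/// The one entry this thread establishes (NVD: CVE-2022-35737 fixed in 3.39.2).
pub const REQUIRED_FIXES: &[RequiredFix] = &[RequiredFix {
    advisory: "CVE-2022-35737",
    fixed_in: "3.39.2",
}];

/// Return the advisories whose fix release is newer than `linked_version`.
pub fn missing_fixes(
    linked_version: &str,
    fixes: &[RequiredFix],
) -> Result<Vec<&'static str>, BadVersion> {
    let linked = version_number(linked_version)?;
    let mut missing = Vec::new();
    for f in fixes {
        if linked < version_number(f.fixed_in)? {
            missing.push(f.advisory);
        }
    }
    Ok(missing)
}

fn main() {
    // Constructed input standing in for rusqlite::version(); in the real project
    // this would be whatever the bundled libsqlite3-sys reports at runtime.
    let linked = "3.41.2";
    match missing_fixes(linked, REQUIRED_FIXES) {
        Ok(m) if m.is_empty() => println!("SQLite {}: all required fixes present", linked),
        Ok(m) => println!("SQLite {}: missing fixes for {:?}", linked, m),
        Err(e) => println!("could not parse version: {:?}", e),
    }
}
```

In a rusqlite project the same comparison can use `rusqlite::version_number()` directly, which already returns the integer form. The caveat for `bundled` is that the compiled-in SQLite is pinned by the `libsqlite3-sys` release in `Cargo.lock`, not by anything on the host, so a check like this belongs in CI where it fails the build after a `cargo update` that would move the version the wrong way, and it has to read the linked library rather than `sqlite3 --version` on the build machine.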
