SQLite Forum

When will/were recent "sqlite3 new security issues CVEs" be addressed?
I've been working on a draft web-page about CVEs and SQLite.  It includes a
[table of recent CVEs][1].

[1]: https://www.sqlite.org/draft/cves.html#cvetab

But it occurs to me that I am perhaps giving these CVEs more weight than
they deserve.  All of these CVEs can be safely ignored.  Follow my
logic:

  1.  All of the CVEs have a precondition that the attacker must be able
      to inject and run arbitrary SQL.

  2.  The worst outcome is denial-of-service.

  3.  But if an attacker has the ability to inject and run arbitrary SQL,
      they don't need any bugs in SQLite in order to execute a denial of
      service attack.  All they have to do is put in some SQL that uses
      a lot of CPU or memory or disk I/O and they can effectively shut the
      service down that way.  It isn't hard to devise a small bit of
      perfectly valid and legal SQL that uses an enormous amount of CPU or
      memory.

  4.  Hence, none of the CVEs in the chart are "real".  They are bugs
      (now fixed), but none of them give an attacker any more leverage
      for disrupting the system than the attacker had to begin with.

Am I completely off-base with this argument?
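
Point 3 of the post above, as an added example that is not part of the original post or of SQLite's own code: a valid statement that burns CPU without touching any bug, and a per-statement work budget enforced with Python's `sqlite3` progress handler, which is the kind of control that matters wherever untrusted SQL is accepted. The helper `run_with_budget`, the budget values and both sample statements are constructed for illustration.

```python
import sqlite3

# Constructed stand-in for "perfectly valid and legal SQL" that is expensive:
# a recursive CTE counting to one billion. No SQLite bug is involved.
EXPENSIVE_SQL = """
WITH RECURSIVE c(x) AS (
    SELECT 1
    UNION ALL
    SELECT x + 1 FROM c WHERE x < 1000000000
)
SELECT count(*) FROM c
"""

CHEAP_SQL = "SELECT 1 + 1"  # constructed sample of an ordinary statement


def run_with_budget(sql, max_vm_steps=200_000, check_every=1_000):
    """Run one statement on a throwaway in-memory database and interrupt it
    once it has used roughly max_vm_steps virtual-machine instructions.

    Returns ("ok", rows) or ("aborted", None). Hypothetical helper.
    """
    conn = sqlite3.connect(":memory:")
    calls = 0

    def on_progress():
        nonlocal calls
        calls += 1
        # A non-zero return value makes SQLite interrupt the statement.
        return 1 if calls * check_every >= max_vm_steps else 0

    # SQLite invokes the handler every `check_every` VM instructions.
    conn.set_progress_handler(on_progress, check_every)
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc):
            return "aborted", None
        raise  # syntax errors and the like are not budget violations
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_with_budget(CHEAP_SQL))
    print(run_with_budget(EXPENSIVE_SQL))
```

The budget bounds CPU only; memory and disk use need their own limits.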