Skip to content

chore(deps): update dependency duckdb to v1.1.0 [security] #675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency duckdb to v1.1.0 [security] #675

wants to merge 1 commit into from
+39 −49

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 13, 2025

This PR contains the following updates:

Package Change Age Confidence
duckdb (changelog) 1.0.0 -> 1.1.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-41672

Summary

Content in filesystem is accessible for reading using sniff_csv, even with enable_external_access=false.

Details

During a pentest, a security researcher was able to access environment variable data and other system data by using the sniff_csv function, even though we set enable_external_access to false.

PoC

SET enable_external_access=false;
SET lock_configuration=true;

SELECT Columns FROM sniff_csv('/proc/self/environ');

Impact

Provides an attacker with access to filesystem even when access is expected to be disabled and other similar functions do NOT provide access.

For example select * from read_csv('/proc/self/environ') fails with a permission error.

There seems to be two vectors to this vulnerability:

  1. Access to files that should otherwise not be allowed. (We expect Permission Error: Scanning CSV files is disabled through configuration and not to provide any access to the file or even acknowledge that it exists).
  2. The content from a (non-csv?) file can be read (e.g. /etc/hosts, proc/self/environ, etc) even though that doesn't seem to be the intent of the sniff_csv function (my understanding is it's intending to provide information about the shape of the data, but not provide the data itself).

Workaround

It is possible to work around the issue by disabling the local file system using the disabled_filesystems setting:

SET disabled_filesystems='LocalFileSystem';
SET lock_configuration=true;

SELECT Columns FROM sniff_csv('/proc/self/environ');

will result in Permission Error: File system LocalFileSystem has been disabled by configuration.

Fix

A fix has been merged into the main branch (https://github.com/duckdb/duckdb/pull/13133), and will be released with the next DuckDB release.

Release Notes

duckdb/duckdb (duckdb)

v1.1.0: DuckDB 1.1.0 "Eatoni"

Compare Source

This release of DuckDB is named "Eatoni" after Eaton's pintail (Anas Eatoni) from the southern Indian Ocean.

Please also refer to the announcement blog post: https://duckdb.org/2024/09/09/announcing-duckdb-110

What's Changed

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner August 13, 2025 16:30
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants