[Bug 283830] security/vuxml: fix sqlite vulnerable version range (CVE-2024-0232)
Date: Fri, 03 Jan 2025 18:44:49 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283830

            Bug ID: 283830
           Summary: security/vuxml: fix sqlite vulnerable version range (CVE-2024-0232)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: jcfyecrayz@liamekaens.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

CVE-2024-0232 is about a possible buffer overflow for the JSON parser in sqlite. sqlite apparently didn't have the referenced vulnerable JSON parser function (jsonParseAddNodeArray) before 3.43.0, and the CVE references assert that < 3.43.0 is not vulnerable. The 42ec2207-7e85-11ef-89a4-b42e991fc52e vuxml vid should reflect the lower end of that range.

Fixing the vulnerable range specification will avoid a false positive for databases/linux-rl9-sqlite3 (currently at 3.34.1-7). It will also help avoid false positives for people who have databases/sqlite3 installed with rev < 3.43.0 in case they have not updated since then (the only vulnerable official FreeBSD pkg, 3.43.1, would have existed from ~Sep 2023 to ~Nov 2023).

refs:
  ports 91064fdc5d6613c558832fb9ed26bdfaef107102
  ports d94547d54ebe03dd72417b7d81e3f1f261e2cb06
  https://nvd.nist.gov/vuln/detail/CVE-2024-0232 (see Known Affected Software Configurations)
  https://security.netapp.com/advisory/ntap-20240315-0007/
  https://sqlite.org/forum/forumpost/4aa381993a

-- 
You are receiving this mail because:
You are the assignee for the bug.
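The false positive the report describes comes from a VuXML range that has only an upper bound, so every older sqlite3 version (including 3.34.1_7) matches. The following is an added example, not code from the bug report or from the ports tree: it evaluates a VuXML <range> against a package version with a simplified pkg-style comparison. Both vuxml fragments are constructed for illustration (no vuxml namespace, not the real 42ec2207-7e85-11ef-89a4-b42e991fc52e entry), and the upper bound 3.43.2 is an assumption; take the actual bound from the real entry.

```python
"""Evaluate a VuXML <range> against a FreeBSD package version.

Added example for the bug report above. The fragments are constructed and
the upper bound 3.43.2 is assumed, not taken from the real vuxml entry.
"""
import xml.etree.ElementTree as ET

# Constructed "before" fragment: only an upper bound, so every older
# sqlite3 version (e.g. 3.34.1_7) is reported as vulnerable.
VUXML_BEFORE = """
<vuln vid="example-before">
  <affects>
    <package>
      <name>sqlite3</name>
      <range><lt>3.43.2</lt></range>
    </package>
  </affects>
</vuln>
"""

# Constructed "after" fragment: lower bound 3.43.0 as the report asks for,
# since jsonParseAddNodeArray() did not exist before that release.
VUXML_AFTER = """
<vuln vid="example-after">
  <affects>
    <package>
      <name>sqlite3</name>
      <range><ge>3.43.0</ge><lt>3.43.2</lt></range>
    </package>
  </affects>
</vuln>
"""


def parse_version(v):
    """Split VERSION[_REVISION][,EPOCH] into a comparable key.

    Simplified: epoch first, then dotted components (numeric parts compare
    as ints, other parts as strings), then the _REVISION. The real pkg(8)
    comparison also understands suffixes such as 'a', 'b', 'p' and 'pl'.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in v.split(".")]
    return (epoch, parts, revision)


# VuXML bound elements and the comparison each one expresses.
_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
}


def version_in_range(version, range_el):
    """True if version satisfies every bound inside one <range> element."""
    key = parse_version(version)
    for bound in range_el:
        if bound.tag not in _OPS:
            raise ValueError("unknown VuXML bound %r" % bound.tag)
        if not _OPS[bound.tag](key, parse_version(bound.text.strip())):
            return False
    return True


def affected(vuxml_fragment, pkgname, version):
    """True if any <range> of <package><name>pkgname</name> matches version."""
    root = ET.fromstring(vuxml_fragment)
    for pkg in root.iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        for rng in pkg.findall("range"):
            if version_in_range(version, rng):
                return True
    return False


if __name__ == "__main__":
    # 3.34.1_7 is flagged by the "before" range but not by the "after" one;
    # 3.43.0 and 3.43.1 are flagged by both.
    for label, frag in (("before", VUXML_BEFORE), ("after", VUXML_AFTER)):
        for v in ("3.34.1_7", "3.42.0", "3.43.0", "3.43.1", "3.43.2"):
            print(label, v, affected(frag, "sqlite3", v))
```

Running the script shows the practical effect of adding the <ge> bound: the linux-rl9 package version stops matching while the two releases that actually shipped jsonParseAddNodeArray() are still reported. When auditing a real entry, pass the fragment through the same check with the versions currently in the ports tree to confirm no other package falls inside the range unintentionally.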