From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 283830] security/vuxml: fix sqlite vulnerable version range (CVE-2024-0232)
Date: Fri, 03 Jan 2025 18:44:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283830

            Bug ID: 283830
           Summary: security/vuxml: fix sqlite vulnerable version range (CVE-2024-0232)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: jcfyecrayz@liamekaens.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

CVE-2024-0232 is about a possible buffer overflow for the json parser in sqlite. sqlite apparently didn't have the referenced vulnerable json parser function (jsonParseAddNodeArray) before 3.43.0, and the CVE references assert that < 3.43.0 is not vulnerable.

The 42ec2207-7e85-11ef-89a4-b42e991fc52e vuxml vid should reflect the lower end of that range. Fixing the vulnerable range specification will avoid a false positive for databases/linux-rl9-sqlite3 (currently at 3.34.1-7). It will also help avoid false positives for people who have databases/sqlite3 installed with rev < 3.43.0 in case they have not updated since then (the only vulnerable official freebsd pkg - 3.43.1 - would have existed from ~Sep 2023 - ~Nov 2023).

refs:
ports 91064fdc5d6613c558832fb9ed26bdfaef107102
ports d94547d54ebe03dd72417b7d81e3f1f261e2cb06
https://nvd.nist.gov/vuln/detail/CVE-2024-0232 (see Known Affected Software Configurations)
https://security.netapp.com/advisory/ntap-20240315-0007/
https://sqlite.org/forum/forumpost/4aa381993a
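
The false positive described in the report, as an added example that is not part of the original message or of the VuXML tooling: it evaluates a range with and without a lower bound against a constructed package list. The `<range>` fragments are constructed, the upper bound `3.43.2` is an assumption (the report does not state it), and `version_key` is a simplified comparator, not pkg's full version algorithm.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments in the shape of a VuXML <range>; not the real entry.
# Lower bound 3.43.0 comes from the report; upper bound 3.43.2 is assumed.
RANGE_WITHOUT_LOWER = "<range><lt>3.43.2</lt></range>"
RANGE_WITH_LOWER = "<range><ge>3.43.0</ge><lt>3.43.2</lt></range>"

# Constructed inventory; the first two versions are the ones named in the report.
INSTALLED = [
    ("linux-rl9-sqlite3", "3.34.1-7"),
    ("sqlite3", "3.43.1"),
    ("sqlite3", "3.42.0"),
    ("sqlite3", "3.47.2,1"),
]

OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(version, width=4):
    """Simplified key: leading dotted-numeric part, zero-padded to `width`.

    Revision and epoch suffixes ("-7", "_1", ",1") are ignored, which is
    enough for the bounds used here but is not pkg's comparison algorithm.
    """
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(installed, range_xml):
    """True when the installed version satisfies every bound in the range."""
    bounds = list(ET.fromstring(range_xml))
    if not bounds:
        raise ValueError("range has no bounds")
    key = version_key(installed)
    return all(OPS[b.tag](key, version_key(b.text)) for b in bounds)


def audit(installed, range_xml):
    """Return 'name-version' for each package the range marks vulnerable."""
    return [f"{n}-{v}" for n, v in installed if is_affected(v, range_xml)]
```
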