Bug 283830

Summary: security/vuxml: fix sqlite vulnerable version range (CVE-2024-0232)
Product: Ports & Packages
Reporter: John Hein <jcfyecrayz>
Component: Individual Port(s)
Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED
Severity: Affects Some People
CC: fernape, jcfyecrayz
Priority: ---
Flags: bugzilla: maintainer-feedback? (ports-secteam)
Version: Latest
Hardware: Any
OS: Any
Attachments:
[patch] update sqlite vuxml per upstream advisories (flags: none)
[patch] update sqlite vuxml per upstream advisories [v2] (flags: none)

Description John Hein 2025-01-03 18:44:49 UTC
CVE-2024-0232 is about a possible buffer overflow for the json parser in sqlite.  sqlite apparently didn't have the referenced vulnerable json parser function (jsonParseAddNodeArray) before 3.43.0, and the CVE references assert that < 3.43.0 is not vulnerable.

The 42ec2207-7e85-11ef-89a4-b42e991fc52e vuxml vid should reflect the lower end of that range.  Fixing the vulnerable range specification will avoid a false positive for databases/linux-rl9-sqlite3 (currently at 3.34.1-7).  It will also help avoid false positives for people who have databases/sqlite3 installed with rev < 3.43.0 in case they have not updated since then (the only vulnerable official freebsd pkg - 3.43.1 - would have existed from ~Sep 2023 - ~Nov 2023).

refs:
 ports 91064fdc5d6613c558832fb9ed26bdfaef107102
 ports d94547d54ebe03dd72417b7d81e3f1f261e2cb06
 https://nvd.nist.gov/vuln/detail/CVE-2024-0232   (see Known Affected Software Configurations)
 https://security.netapp.com/advisory/ntap-20240315-0007/
 https://sqlite.org/forum/forumpost/4aa381993a
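The false positive described above comes from a vuxml range that carries only an upper bound, so every older version matches. The following added example (not part of this bug report, and not FreeBSD's vuxml tooling or pkg-audit(8)) evaluates a constructed approximation of the entry before and after a lower bound is added. The XML snippets are assumptions: the vid, package names and the 3.43.0/3.43.2 bounds come from this report, but the real 2024.xml text is not reproduced, and the version comparison is a simplification of pkg(8)'s ordering that is sufficient for the versions discussed here.

```python
"""Toy vuxml range evaluator illustrating why CVE-2024-0232's entry needs a
lower bound. Added illustration only: not the vuxml tooling or pkg-audit(8).
"""
import re
import xml.etree.ElementTree as ET

# Constructed approximation of the entry (assumption: the actual 2024.xml
# text differs). "Before": only an upper bound, so 3.34.1-7 also matches.
VUXML_BEFORE = """
<vuln vid="42ec2207-7e85-11ef-89a4-b42e991fc52e">
  <affects>
    <package>
      <name>sqlite3</name>
      <name>linux-rl9-sqlite3</name>
      <range><lt>3.43.2</lt></range>
    </package>
  </affects>
</vuln>
"""

# "After": a lower bound reflecting that the affected json parser function
# only exists from 3.43.0 onwards.
VUXML_AFTER = VUXML_BEFORE.replace(
    "<range><lt>3.43.2</lt></range>",
    "<range><ge>3.43.0</ge><lt>3.43.2</lt></range>",
)


def version_key(version: str):
    """Map 'A.B.C[_N|-N]' to a comparable tuple (simplified pkg ordering).

    Dotted numeric components are padded so that 3.43 == 3.43.0; a trailing
    '_N' or '-N' is treated as a package revision that sorts after the
    upstream version.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[_-](\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    revision = int(m.group(2) or 0)
    return (tuple(parts), revision)


# vuxml bound elements and their meaning relative to the installed version
_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def range_matches(range_el, version: str) -> bool:
    """A <range> matches when every bound it carries holds (bounds AND together)."""
    key = version_key(version)
    return all(_OPS[bound.tag](key, version_key(bound.text.strip()))
               for bound in range_el)


def is_affected(vuln_xml: str, pkgname: str, version: str) -> bool:
    """True if pkgname-version falls inside any <range> of a matching <package>."""
    vuln = ET.fromstring(vuln_xml.strip())
    for package in vuln.iter("package"):
        names = {n.text.strip() for n in package.findall("name")}
        if pkgname not in names:
            continue
        if any(range_matches(r, version) for r in package.findall("range")):
            return True
    return False


if __name__ == "__main__":
    # Versions taken from the report: the rl9 package and the only official
    # FreeBSD sqlite3 package that fell inside the vulnerable window.
    for entry, label in ((VUXML_BEFORE, "before"), (VUXML_AFTER, "after")):
        for pkg, ver in (("linux-rl9-sqlite3", "3.34.1-7"),
                         ("sqlite3", "3.43.1"), ("sqlite3", "3.43.2")):
            print(f"{label}: {pkg}-{ver} affected={is_affected(entry, pkg, ver)}")
```

With the "before" entry the 3.34.1-7 rl9 package is flagged even though the vulnerable function did not exist in that release; with the lower bound in place only 3.43.0 and 3.43.1 match, and 3.43.2 (the fixed release implied by the v2 patch note) is reported clean.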
Comment 1 John Hein 2025-01-03 18:46:02 UTC
CC vuxml committer for this
Comment 2 John Hein 2025-01-03 18:59:45 UTC
Created attachment 256388 [details]
[patch] update sqlite vuxml per upstream advisories

Add a lower end of the version range for the sqlite CVE-2024-0232 (vid="42ec2207-7e85-11ef-89a4-b42e991fc52e") to avoid false positives.
Comment 3 John Hein 2025-01-03 19:19:57 UTC
Created attachment 256389 [details]
[patch] update sqlite vuxml per upstream advisories [v2]

[v2] Remove conflicting < 3.43.2 spec
Comment 4 commit-hook freebsd_committer freebsd_triage 2025-01-06 16:56:10 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dac8aadbd75999b500be4f8c2eb6ef53f5e7ab4e

commit dac8aadbd75999b500be4f8c2eb6ef53f5e7ab4e
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-01-06 16:54:50 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-01-06 16:54:50 +0000

    security/vuxml: Fix sqlite range

    PR:             283830
    Reported by:    John Hein <jcfyecrayz@liamekaens.com>

 security/vuxml/vuln/2024.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2025-01-06 16:56:22 UTC
Committed,

Thanks!