CVE-2024-0232 is about a possible buffer overflow for the JSON parser in sqlite. sqlite apparently didn't have the referenced vulnerable JSON parser function (jsonParseAddNodeArray) before 3.43.0, and the CVE references assert that < 3.43.0 is not vulnerable. The 42ec2207-7e85-11ef-89a4-b42e991fc52e vuxml vid should reflect the lower end of that range.

Fixing the vulnerable range specification will avoid a false positive for databases/linux-rl9-sqlite3 (currently at 3.34.1-7). It will also help avoid false positives for people who have databases/sqlite3 installed with rev < 3.43.0 in case they have not updated since then (the only vulnerable official FreeBSD pkg - 3.43.1 - would have existed from ~Sep 2023 - ~Nov 2023).

refs:
- ports 91064fdc5d6613c558832fb9ed26bdfaef107102
- ports d94547d54ebe03dd72417b7d81e3f1f261e2cb06
- https://nvd.nist.gov/vuln/detail/CVE-2024-0232 (see Known Affected Software Configurations)
- https://security.netapp.com/advisory/ntap-20240315-0007/
- https://sqlite.org/forum/forumpost/4aa381993a
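Added example (not code from this PR, from VuXML or from pkg(8)): a simplified model of how a VuXML <range> matches package versions, showing the false positive the report describes for sqlite 3.34.1 when the entry has only an upper bound, and how adding the <ge>3.43.0</ge> lower bound removes it. The 3.43.2 upper bound is inferred from the v2 attachment comment and is an assumption, as is the simplified dotted-integer version compare (it is not pkg's full version algorithm).

```python
# Added example, not from the PR or from vuxml/pkg: model VuXML <range>
# matching to show the CVE-2024-0232 false positive and its fix.
# Version compare is a simplified dotted-integer compare with an optional
# "_N" port revision; pkg(8)'s real algorithm handles more forms.
import re
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """'3.34.1_7' -> ((3, 34, 1), 7); a missing revision counts as 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    return parts, int(m.group(2) or 0)

def cmp_version(a: str, b: str) -> int:
    """Return -1, 0 or 1 like strcmp; 3.43 and 3.43.0 compare equal."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    n = max(len(pa), len(pb))          # pad the shorter dotted part with zeros
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    key_a, key_b = (pa, ra), (pb, rb)
    return (key_a > key_b) - (key_a < key_b)

# Operators as they appear as child elements of a VuXML <range>.
OPS = {
    "lt": lambda v, bound: cmp_version(v, bound) < 0,
    "le": lambda v, bound: cmp_version(v, bound) <= 0,
    "ge": lambda v, bound: cmp_version(v, bound) >= 0,
    "gt": lambda v, bound: cmp_version(v, bound) > 0,
    "eq": lambda v, bound: cmp_version(v, bound) == 0,
}

def in_range(version: str, rng: Dict[str, str]) -> bool:
    """A version matches one <range> when every bound in it holds."""
    return all(OPS[op](version, bound) for op, bound in rng.items())

def affected(version: str, ranges: List[Dict[str, str]]) -> bool:
    """A package is flagged when any of the entry's <range>s matches."""
    return any(in_range(version, r) for r in ranges)

# Upper bound only (the shape that flagged 3.34.1) versus the corrected
# entry with the lower bound from the PR. 3.43.2 as upper bound is an
# assumption taken from the v2 attachment comment.
BEFORE = [{"lt": "3.43.2"}]
AFTER = [{"ge": "3.43.0", "lt": "3.43.2"}]
```

With BEFORE, `affected("3.34.1", BEFORE)` is True (the false positive); with AFTER only 3.43.0 and 3.43.1 are flagged.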
CC vuxml committer for this
Created attachment 256388 [patch] update sqlite vuxml per upstream advisories

Add a lower end of the version range for the sqlite CVE-2024-0232 (vid="42ec2207-7e85-11ef-89a4-b42e991fc52e") to avoid false positives.
Created attachment 256389 [patch] update sqlite vuxml per upstream advisories [v2]

[v2] Remove conflicting < 3.43.2 spec
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dac8aadbd75999b500be4f8c2eb6ef53f5e7ab4e

commit dac8aadbd75999b500be4f8c2eb6ef53f5e7ab4e
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-01-06 16:54:50 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-01-06 16:54:50 +0000

    security/vuxml: Fix sqlite range

    PR:          283830
    Reported by: John Hein <jcfyecrayz@liamekaens.com>

 security/vuxml/vuln/2024.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
Committed, Thanks!