linux_base-rl9 is incorrectly marked as vulnerable:

========
linux_base-rl9-9.7 is vulnerable:
  SQLite < 3.50.3 -- CWE-190 Integer Overflow or Wraparound in FTS5 module
  CVE: CVE-2025-7709
  WWW: https://vuxml.FreeBSD.org/freebsd/c5889223-b4e1-11f0-ae9b-b42e991fc52e.html

1 problem(s) in 1 package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
========

The sqlite installed as part of linux_base-rl9 is not vulnerable to this problem.
Created attachment 267336 [details] [patch] update vuxml for CVE-2025-7709 (v1)

Attached is an update to the relevant vuxml entry. Main motivation: fix false positive for linux_base-rl9.

Here is a description of the changes to the freebsd vuxml entry (vid c5889223-b4e1-11f0-ae9b-b42e991fc52e) [also included in the patch file]...

(1) update lower bound for this vuxml id to 3.43.0 (see discussion in Prologue in the attached patch).

(2) remove vuln entry for -rl9
- The freebsd linux_base-rl9 meta-package bundles the sqlite package. Any vuxml entry covering an rl9 sqlite vulnerability will have to key off versions of linux_base-rl9 (until vuxml can peer into meta-packages like this to determine versions of components contained therein - likely never).
- 3.34.1 does not have the offending FTS5 code at all. It was not added to sqlite until later versions, and the rl9 3.34.1 version did not backport the change - nor should it ever. For RH packages on a given major release version, typically only stability and security fixes are backported or added.
- Put another way, by RH policy, the code containing the feature based on this vulnerability will never be in the sqlite packaged for rl9. So just remove the linux_base-rl9 range description for this vuxml id.

The rl9 sqlite was never vulnerable to CVE-2025-7709 and should never be. In the unlikely event the RH sqlite maintainers decide to backport this change [[1]], they should include the latest "fixed" version from 3.50.3+. But this original change appears not to be an rl9 backport candidate (not a stability or security update applicable to 3.34.1 nor its patched RH version). It certainly is not in any sqlite version of rl9 up to and including the current (202601) rl/rh 9.7.

But since it is not CERTAIN what RH will do in the future during the active support cycle for RH9, if one wanted to be extra cautious one could have a range for this vuxml entry like the following for linux_base-rl9:

  <range><gt>9.7</gt></range> <!-- must manually verify sqlite in linux_base-rl9 > 9.7 is not vulnerable -->

That is not typical vuxml practice, but this is an unusual situation. I also don't think it is necessary. It is not dissimilar to someone reintroducing this vulnerability in a future update to sqlite proper. In cases like that, it is up to the community (and / or scanning / testing frameworks) to identify the regression.

[[1]]
* commit 94c521295aa898eb07dcfc4cf4ccdeb04ff7d735 c44041e03bc4d7ad0a5edbe8277a325eaaf5f5e6
| Author:     dan <Dan Kennedy>
| AuthorDate: Sat Dec 2 18:14:07 2023 +0000
| Commit:     dan <Dan Kennedy>
| CommitDate: Sat Dec 2 18:14:07 2023 +0000
|
| When tokendata=1 queries require multiple segment-cursors, allow those cursors to share a single array of in-memory tombstone pages.

(3) update range for -c7's sqlite to match range of main sqlite port
- c7 flavor is based on 3.7.17 currently (and will be forever since c7 is getting no upstream updates since 20240630), then plus RH stability/security patches
- c7 flavor is based on 3.7.17 currently (and will be forever since c7 is not getting updates from the upstream project).

(4) minor nearby whitespace alignment fix
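The version-range logic behind the false positive, as an added example (not part of the PR, the attached patch, or the FreeBSD vuxml/pkg tooling). It assumes the ports package name sqlite3 for the main SQLite port, a constructed <affects> fragment shaped like the amended entry (>= 3.43.0, < 3.50.3, no linux_base-rl9 range), a constructed table of bundled SQLite versions taken from the numbers quoted in this thread (rl9 3.34.1, c7 3.7.17), and a simplified version comparison rather than the full pkg(8) algorithm. It shows why a <range> keyed off linux_base-rl9 cannot express the state of the sqlite inside it, and what the "manual verification" of the bundled component looks like when written down:

```python
"""Evaluate FreeBSD VuXML <range> elements against package versions.

Added example for this PR; not code from the FreeBSD vuxml tooling or from
pkg-audit(8). A <range> under linux_base-rl9 is compared with the
meta-package's own version (9.7), which says nothing about the sqlite
3.34.1 bundled inside it; the decision has to be made on the bundled
component's version instead.
"""
import operator
import re
import xml.etree.ElementTree as ET

# Constructed <affects> fragment in the shape of the amended entry for
# CVE-2025-7709: sqlite3 >= 3.43.0 and < 3.50.3 is affected, and there is
# no range for linux_base-rl9.  sqlite3 is the ports name of the main SQLite
# port; the fragment itself is not the real vuxml entry.
AFFECTS_XML = """
<affects>
  <package>
    <name>sqlite3</name>
    <range><ge>3.43.0</ge><lt>3.50.3</lt></range>
  </package>
</affects>
"""

# Constructed inventory of the SQLite each Linux meta-package bundles, using
# the versions quoted in this PR (rl9: 3.34.1, c7: 3.7.17).  A real check
# would read the bundled rpm's version from the installed package instead.
BUNDLED_SQLITE = {"linux_base-rl9": "3.34.1", "linux_base-c7": "3.7.17"}

# VuXML comparison tags map directly onto Python's rich comparisons.
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}


def version_key(v):
    """Simplified FreeBSD version ordering (assumption: sufficient for the
    versions in this PR, not the full pkg(8) algorithm): ',N' epoch wins,
    then dotted components compared numerically with any alphabetic suffix
    as tie-breaker, then '_N' port revision."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    comps = []
    for c in v.split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)", c)
        num, alpha = (m.group(1), m.group(2)) if m else ("0", c)
        comps.append((int(num) if num else 0, alpha))
    return (epoch, tuple(comps), rev)


def in_range(version, range_el):
    """True if version satisfies every bound child (<ge>, <lt>, ...) of one
    <range> element."""
    vk = version_key(version)
    return all(OPS[b.tag](vk, version_key(b.text.strip())) for b in range_el)


def affected(package, version, affects_xml=AFFECTS_XML):
    """Emulate the per-package decision pkg audit makes from an <affects>
    block: True/False if the package has ranges, None if it is not listed
    at all (so nothing would be flagged)."""
    root = ET.fromstring(affects_xml)
    for pkg in root.findall("package"):
        if pkg.findtext("name") == package:
            return any(in_range(version, r) for r in pkg.findall("range"))
    return None


def bundled_affected(meta_package, affects_xml=AFFECTS_XML):
    """The check the comment says must be done manually: decide by the
    version of the sqlite bundled in the meta-package, not by the
    meta-package's own version.  None if the bundled version is unknown."""
    comp = BUNDLED_SQLITE.get(meta_package)
    if comp is None:
        return None
    return affected("sqlite3", comp, affects_xml)


if __name__ == "__main__":
    for name, ver in [("sqlite3", "3.34.1"), ("sqlite3", "3.49.1"),
                      ("sqlite3", "3.50.3"), ("linux_base-rl9", "9.7")]:
        print(f"{name}-{ver}: affected={affected(name, ver)}")
    for meta, comp in BUNDLED_SQLITE.items():
        print(f"{meta} bundles sqlite {comp}: affected={bundled_affected(meta)}")
```

With the rl9 range removed, `affected("linux_base-rl9", "9.7")` returns None (nothing to flag), and `bundled_affected` gives False for both rl9 and c7 because 3.34.1 and 3.7.17 sit below the 3.43.0 lower bound; 3.49.1 is the kind of version that is correctly flagged, and 3.50.3 is the first fixed release.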
Add some recent committers for this vid to CC.

ports 6ee690a735724307a2312b5a655a7e491d1185c4 introduced the change that triggers this false positive for linux_base-rl9.
Comment on attachment 267336 [details] [patch] update vuxml for CVE-2025-7709 (v1) LGTM
ping (maintainer approved > 1 month ago)
Committed, Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6c8efa3663aa773791c829284b77f5155d52019b

commit 6c8efa3663aa773791c829284b77f5155d52019b
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2026-03-02 18:02:02 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2026-03-02 18:02:02 +0000

    security/vuxml: Amend sqlite entry

    Fix vulnerable version range for sqlite-based ports (CVE-2025-7709)

    PR:           292617
    Reported by:  jcfyecrayz@liamekaens.com (maintainer)
    Reviewed by:  fluffy@

 security/vuxml/vuln/2025.xml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)