git: f94b70f52d74 - main - security/vuxml: Revise SQLite3 entry

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Fri, 07 Nov 2025 17:11:57 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f94b70f52d74ead333820f1836d646c6447fbbd0

commit f94b70f52d74ead333820f1836d646c6447fbbd0
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-11-07 16:55:53 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-11-07 17:11:52 +0000

    security/vuxml: Revise SQLite3 entry
    
    - mention this bug is only for >= 3.49.1 according to
      https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g
    
    - advance the discovery date to Mid July per the same
    
    - strip double -9.6 from linux_base-rl9 name to get the entry to
      actually trigger for the package, and set it to ">= 0" because
      we don't want unrelated updates to linux_base-rl9-9.6 to make this
      entry disappear.  It's left for emulation@ to clean up.
    
    Security:       CVE-2025-7709
    Security:       c5889223-b4e1-11f0-ae9b-b42e991fc52e
---
 security/vuxml/vuln/2025.xml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index eaf80f882338..ff7218235716 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -837,15 +837,15 @@
   </vuln>
 
   <vuln vid="c5889223-b4e1-11f0-ae9b-b42e991fc52e">
-    <topic>SQLite -- CWE-190 Integer Overflow or Wraparound</topic>
+    <topic>SQLite &lt; 3.50.3 -- CWE-190 Integer Overflow or Wraparound in FTS5 module</topic>
     <affects>
     <package>
 	<name>sqlite3</name>
-	<range><lt>3.50.3,1</lt></range>
+	<range><ge>3.49.1,1</ge><lt>3.50.3,1</lt></range>
     </package>
       <package>
-	<name>linux_base-rl9-9.6</name>
-	<range><le>9.6_1</le></range>
+	<name>linux_base-rl9</name>
+	<range><ge>0</ge></range> <!-- unknown and unrelated fixes might make this disappear, so set >= 0 instead of <= 9.6_1 to err on the safe side -->
       </package>
       <package>
 	<name>linux-c7-sqlite</name>
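Review bot: The new topic on the `<topic>` line reads "SQLite &lt; 3.50.3", which tells a reader that every earlier release is affected, while the sqlite3 range two lines below now starts at `<ge>3.49.1,1</ge>`; the two should agree, e.g. `<topic>SQLite 3.49.1 to 3.50.2 -- CWE-190 Integer Overflow or Wraparound in FTS5 module</topic>`. The open-ended `<ge>0</ge>` on the linux_base-rl9 package is deliberate per the commit message, but the in-line XML comment only explains the choice and not who is expected to replace it, so the placeholder has no owner inside the file itself; consider `<!-- TODO(emulation@): bundled sqlite fix status unknown; >= 0 instead of <= 9.6_1 so unrelated linux_base-rl9 updates do not hide this entry -->`. Note that the linux_base-rl9 and linux-c7-sqlite packages carry no lower bound, which presumably reflects that the bundled SQLite versions differ from the port's; if that is the intent, a short comment on the package would save the next editor from "fixing" the asymmetry. The linux-c7-sqlite package element starts at the hunk's last line and its range continues outside the hunk.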
@@ -862,6 +862,7 @@
 	  A pointer to partially controlled data can then be written
 	  out of bounds.</p>
 	</blockquote>
+	<p>The FreeBSD build enables the FTS5 extension by default.</p>
 	</body>
     </description>
     <references>
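Review bot: The added paragraph says the FTS5 extension is enabled "by default", which implies it can be turned off, but it does not say what that means for the entry's affected range: an installation built with FTS5 disabled presumably does not contain the overflowing code, yet the sqlite3 range above still flags it. If the port does expose FTS5 as a build option, the sentence could close that gap, e.g. `<p>The FreeBSD build enables the FTS5 extension by default; installations built with that option disabled do not include the affected code.</p>` — confirm the option name against the port before wording it. The surrounding `<body>` and `<description>` elements open outside this hunk.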
@@ -869,8 +870,9 @@
       <url>https://cveawg.mitre.org/api/cve/CVE-2025-7709</url>
     </references>
     <dates>
-      <discovery>2025-09-08</discovery>
+      <discovery>2025-07-15</discovery>
       <entry>2025-10-29</entry>
+      <modified>2025-11-07</modified>
     </dates>
   </vuln>