Re: Multiple vulnerabilities

From: Polarian <polarian_at_polarian.dev>
Date: Thu, 10 Jul 2025 21:54:34 UTC
Good evening,

> There are many problems in ports, clamav for so long, but there are no
> updates in packages. How long does it usually take for packages to be
> built, please, or should I build them from ports?
> I am running FreeBSD 14.3-RELEASE and using the latest packages.

Some packages can take a while to be updated, due to patched versions
being incompatible and requiring extra work to port. In these cases the
security patch is sometimes backported to the old version if it's been
around for long enough.

However there are other cases, so I will try to help you out.

> git-2.50.0 is vulnerable:
>   git -- multiple vulnerabilities
>   CVE: CVE-2025-48386
>   CVE: CVE-2025-48385
>   CVE: CVE-2025-48384
>   CVE: CVE-2025-46835
>   CVE: CVE-2025-27614
>   CVE: CVE-2025-27613
>   WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html

The patch was pushed on 8 July [1]; however, I believe there could be a
build issue, because I can't find any builds for git, nor can
freshports. It has been backported to 2025Q3 [2], and it appears you
are using quarterly, so you could give building it yourself a shot.

> clamav-1.4.2_4,1 is vulnerable:
>   clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
>   CVE: CVE-2025-20260
>   WWW: https://vuxml.FreeBSD.org/freebsd/3dcc0812-4da5-11f0-afcc-f02f7432cf97.html

The patch has been pushed to the repository [3]; however, it is likely
waiting in the queue to be built and pushed to the pkg repos. I do not
believe it has been backported to quarterly yet.

> xorg-server-21.1.16,1 is vulnerable:
>   xorg server -- Multiple vulnerabilities
>   CVE: CVE-2025-49180
>   CVE: CVE-2025-49179
>   CVE: CVE-2025-49178
>   CVE: CVE-2025-49177
>   CVE: CVE-2025-49175
>   WWW: https://vuxml.FreeBSD.org/freebsd/b14cabf7-5663-11f0-943a-18c04d5ea3dc.html
> 
>   xorg server -- Multiple vulnerabilities
>   CVE: CVE-2025-49176
>   WWW: https://vuxml.FreeBSD.org/freebsd/8df49466-5664-11f0-943a-18c04d5ea3dc.html

I was trying to tackle this one today. The patch was committed back on
the 1st [4]; however, it is likely waiting to be built. The last xorg
CVE took ~3-4 weeks to be built for latest, and quarterly came about a
week later (some may have seen me complain on IRC about it :P).

When I attempted to compile it, it appeared there are dependency
conflicts between latest and quarterly which may be preventing the
backport. (Don't hold me to that one, I am not a porter.)

The solution for both clamav and xorg-server is to migrate to latest.
Many people I know run -RELEASE base and then latest for ports, as you
tend to get the updates much quicker; however, you also get feature
updates much quicker, which may have breaking changes.

When you move to latest, xorg-server and clamav can be built manually
from the ports tree and *should* work.

Personally I have considered such a move a few times when security
patches have taken weeks to hit quarterly. Sometimes you can ignore the
warning and compile a latest port for quarterly; other times it breaks
your system (hence the warning :P). Last time I considered the move, one
or two clients I use had substantial changes, which can be annoying to
deal with on a regular basis (hence the reason quarterly is an option
for some).

However, I don't think anyone here will deny that quarterly can be
slower getting security patches, and the backports can take some time,
especially when it comes to being built for the pkg repos. It is up to
you what you want: the stability of slower feature updates (similar to
Debian Linux) but sometimes lagging behind on security patches, or
having much faster updates but getting all the feature updates with the
security patches.

Edit: I have tried to compile devel/git (2025Q3 branch), and it seems
the reason it likely isn't being built is a perl incompatibility:

===>  git-2.50.1 Invalid perl5 version 5.36.
*** Error code 1

Stop.
make: stopped in /usr/ports/devel/git

Maybe compiling this on latest might work, however I don't run latest
so I can't verify this.

TL;DR: try migrating to latest and building the ports manually to clear
your audit list. For anything which doesn't compile, check bugzilla [5];
if there is nothing there, report the port with the build log, and maybe
patch it yourself if you want to, otherwise hope someone else patches
it :)

Sorry if this is not what you wanted to hear, there is not much you can
do other than hope someone else fixes it soon, or contribute.

If I have made any mistakes, feel free to correct me :D

Take care,
-- 
Polarian
Jabber/XMPP: polarian@icebound.dev

[1] https://cgit.freebsd.org/ports/commit/devel/git/Makefile?id=d3f6c42d2f36989f583ea23cbbf14e5ae8665848
[2] https://cgit.freebsd.org/ports/commit/?h=2025Q3&id=42ee0f7c8a66eec10efaf5f6e9609370eeb43a19
[3] https://cgit.freebsd.org/ports/commit/?id=2c88607160fe6f0bf4e828f748c393f0cc6761fb
[4] https://cgit.freebsd.org/ports/commit/?id=e0120d0e14ad22c119f50502b34f8e4e38e9b93e
[5] https://bugs.freebsd.org/bugzilla/
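The migration described in the reply (switch pkg from quarterly to latest, then work through the audit list) as an added shell example; this is not code from the thread. It assumes the standard pkg(8) repo override directory /usr/local/etc/pkg/repos and the "pkgname is vulnerable:" output format quoted above; the sample audit text is constructed from lines in the thread.

```shell
#!/bin/sh
# Added example (not from the original mail).

# Write the repo override that points the FreeBSD repository at "latest"
# instead of the default quarterly. $1 is the repos directory (default:
# /usr/local/etc/pkg/repos); a test can pass a temporary directory instead.
write_latest_repo_conf() {
    repodir=${1:-/usr/local/etc/pkg/repos}
    mkdir -p "$repodir"
    cat > "$repodir/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
}

# Read "pkg audit -F" style text on stdin and print one line per flagged
# package: "<name-version> <number of CVEs>", in the order they appeared.
summarize_audit() {
    awk '
      /is vulnerable:$/      { pkg = $1; cves[pkg] = 0; order[++n] = pkg; next }
      /^[[:space:]]*CVE:/    { cves[pkg]++ }
      END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], cves[order[i]] }
    '
}

# Map each flagged package to its port origin so it can be rebuilt from
# /usr/ports. Needs pkg(8), so this only works on a FreeBSD host.
origins_for_audit() {
    summarize_audit | while read -r pkg cnt; do
        printf '%s (%d CVEs) -> %s\n' "$pkg" "$cnt" "$(pkg query %o "$pkg")"
    done
}

# Constructed sample, taken from the audit lines quoted in the thread.
SAMPLE_AUDIT='git-2.50.0 is vulnerable:
  git -- multiple vulnerabilities
  CVE: CVE-2025-48386
  CVE: CVE-2025-48385
  WWW: https://vuxml.FreeBSD.org/freebsd/2a4472ed-5c0d-11f0-b991-291fce777db8.html

clamav-1.4.2_4,1 is vulnerable:
  clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
  CVE: CVE-2025-20260'

printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
```

On the real host, run `pkg update && pkg upgrade` after writing the override, then `pkg audit -F | origins_for_audit` to see which port directories still need a manual `make install clean`.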