Re: base and ports vulnerabilities
- In reply to: Graham Perrin : "Re: base and ports vulnerabilities"
Date: Mon, 30 Jun 2025 06:24:11 UTC
On Sun, Jun 29, 2025 at 07:24:18AM +0100, Graham Perrin wrote:
> <https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc> is
> a security advisory that mentions CVE IDs but not VuXML.
> <https://vuxml.freebsd.org/freebsd/8d1f9adf-6b4f-11ef-9a62-002590c1f29c.html>
> is the VuXML entry for SA-24:09.libnv.

But this case is different from the two I pointed out in my OP, in a way that makes me fear those two just "fell through the cracks".

CVE-2024-45287 (the one you give, in libnv) is in code that is unquestionably specific to FreeBSD. It was reported to FreeBSD by external researchers and *FreeBSD itself* allocated the CVE.

My two are in libarchive, which exists as an independent project from which FreeBSD seems to merge now and then. The bugs were reported against the upstream project and have been fixed there for months. Indeed, there is a port which is up to a fixed version -- 3.7.9. But the code in base is a vulnerable version -- somewhere after 3.5.1. At this point, FreeBSD has no relationship to the CVEs, doesn't even seem to know about them. That is precisely the problem.

So my question now is, what can I do to help get this fixed? The process in https://www.freebsd.org/security/ seems to be only for FreeBSD-specific code, IOW for problems like yours in libnv.

-- 
Ian