Forum: Too Lazy BBS

Re: Undocumented vulnerabilities in SQLite2 and erlang?

From =?UTF-8?Q?Fernando_Apestegu=C3=ADa?=@fernando.apesteguia@gmail.com to muc.lists.freebsd.ports on Wed Oct 29 09:01:43 2025

From Newsgroup: muc.lists.freebsd.ports

--0000000000009a9ef606424785cc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

El mar, 28 oct 2025, 18:35, Kurt Jaeger <pi@freebsd.org> escribi=C3=B3:

Hi!

I=E2=80=99ve recently become aware of CVE-2025-4748 for Erlang < 26.2.5=

.13, and

CVE-2025-7709 for SQLite3 < 3.50.3, and do not see these in the
vulnerability database.

Are these not applicable to FreeBSD=E2=80=99s ports of these packages, =

or does

the vuln.xml need to be updated?

The process to add entries to vuln.xml is not watertight, so I
would guess it needs updates to add those entries.

Can you provide those entries ?

I'll try to have a look at this today

--
pi@FreeBSD.org +49 171 3101372 Now what ?

--0000000000009a9ef606424785cc
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto"><div><br><br><div class=3D"gmail_quote gmail_quote_contai= ner"><div dir=3D"ltr" class=3D"gmail_attr">El mar, 28 oct 2025, 18:35, Kurt=
Jaeger <<a href=3D"mailto:pi@freebsd.org">pi@freebsd.org</a>> escrib= i=C3=B3:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .= 8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>

> I=E2=80=99ve recently become aware of CVE-2025-4748 for Erlang < 26= .2.5.13, and CVE-2025-7709 for SQLite3 < 3.50.3, and do not see these in=
the vulnerability database.<br>
> Are these not applicable to FreeBSD=E2=80=99s ports of these packages,=
or does the vuln.xml need to be updated?<br>

The process to add entries to vuln.xml is not watertight, so I<br>
would guess it needs updates to add those entries.<br>

Can you provide those entries ?</blockquote></div></div><div dir=3D"auto"><= br></div><div dir=3D"auto">I'll try to have a look at this today</div><= div dir=3D"auto"><br></div><div dir=3D"auto"><div class=3D"gmail_quote gmai= l_quote_container"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 = .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>

-- <br>
pi@FreeBSD.org=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0+49 171 3101372=C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Now what ?<br>

</blockquote></div></div></div>

--0000000000009a9ef606424785cc--

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21a-Linux NewsLink 1.2

From =?UTF-8?Q?Fernando_Apestegu=C3=ADa?=@fernando.apesteguia@gmail.com to muc.lists.freebsd.ports on Wed Oct 29 22:51:08 2025

From Newsgroup: muc.lists.freebsd.ports

--00000000000013da8a0642532289
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Oct 29, 2025 at 2:36=E2=80=AFPM Wall, Stephen <stephen.wall@redcom.=

wrote:

From: Kurt Jaeger <pi@freebsd.org>
Can you provide those entries ?

And here's what I came up with for erlang. I don't know if erlang-java o=

r

erlang-wx should be included, and wasn't sure how to handle the older erlang-runtime versions, since they are not documented as having a fixed version in the reports I've found.

Thanks!

This is done in:
ae2563208a321c4cdd180a85500459e0974b9ee2
and 4f01a94bd54e66edc094265d9aeca1a27fb5ad22

Sorry that I failed to credit you as the original reporter in the first one=
.

<topic>Erlang - Absolute Path in Zip Module</topic>
<affects>
<package>
<name>erlang</name>
<range><ge>17.0</ge><lt>26.2.5.13,4</lt></range>
</package>
<package>
<name>erlang-runtime26</name>
<range><lt>26.2.5.13</lt></range>
</package>
<package>
<name>erlang-runtime27</name>
<range><lt>27.3.4.1</lt></range>
</package>
<package>
<name>erlang-runtime28</name>
<range><lt>28.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns=3D"http://www.w3.org/1999/xhtml">
<p>Erlang/OTP reports:</p>
<blockquote cite=3D" https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc">
<p>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulnerability in Erlang OTP (stdlib modules) allows Absolute
Path Traversal,
File Manipulation. This vulnerability is associated with progra=

m

files
lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2,
zip:extract/1, zip:extract/2 unless the memory option is passed=

.

This issue
affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OT=

P

26.2.5.13,
corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2025-4748</cvename>
<url>https://nvd.nist.gov/vuln/detail/CVE-2025-4748</url>
</references>
<dates>
<discovery>2025-06-16</discovery>
<entry>2025-10-29</entry>
<modified>2025-10-29</modified>
</dates>

--00000000000013da8a0642532289
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote g= mail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr">On Wed, Oct 29,=
2025 at 2:36=E2=80=AFPM Wall, Stephen <<a href=3D"mailto:stephen.wall@r= edcom.com">stephen.wall@redcom.com</a>> wrote:<br></div><blockquote clas= s=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid r= gb(204,204,204);padding-left:1ex">> From: Kurt Jaeger <<a href=3D"mai= lto:pi@freebsd.org" target=3D"_blank">pi@freebsd.org</a>><br>
> Can you provide those entries ?<br>

And here's what I came up with for erlang.=C2=A0 I don't know if er= lang-java or erlang-wx should be included, and wasn't sure how to handl=
e the older erlang-runtime versions, since they are not documented as havin=
g a fixed version in the reports I've found.<br> <br></blockquote><div><br></div><div>Thanks!</div><div><br></div><div>This =
is done in:</div><div>ae2563208a321c4cdd180a85500459e0974b9ee2 and=C2=A04f0= 1a94bd54e66edc094265d9aeca1a27fb5ad22</div><div><br></div><div>Sorry that I=
failed to credit you as the original reporter in the first one.</div><div>= =C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0= .8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

=C2=A0 =C2=A0 <topic>Erlang - Absolute Path in Zip Module</topic&g= t;<br>
=C2=A0 =C2=A0 <affects><br>
=C2=A0 =C2=A0 =C2=A0 <package><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <name>erlang</name><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <range><ge>17.0</ge><lt&gt= ;26.2.5.13,4</lt></range><br>
=C2=A0 =C2=A0 =C2=A0 </package><br>
=C2=A0 =C2=A0 =C2=A0 <package><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <name>erlang-runtime26</name><br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 <range><lt>26.2.5.13</lt><= /range><br>
=C2=A0 =C2=A0 =C2=A0 </package><br>
=C2=A0 =C2=A0 =C2=A0 <package><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <name>erlang-runtime27</name><br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 <range><lt>27.3.4.1</lt></= range><br>
=C2=A0 =C2=A0 =C2=A0 </package><br>
=C2=A0 =C2=A0 =C2=A0 <package><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <name>erlang-runtime28</name><br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 <range><lt>28.0.1</lt></ra= nge><br>
=C2=A0 =C2=A0 =C2=A0 </package><br>
=C2=A0 =C2=A0 </affects><br>
=C2=A0 =C2=A0 <description><br>
=C2=A0 =C2=A0 =C2=A0 <body xmlns=3D"<a href=3D"http://www.w3.org/19= 99/xhtml" rel=3D"noreferrer" target=3D"_blank">http://www.w3.org/1999/xhtml= </a>"><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <p>Erlang/OTP reports:</p><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <blockquote cite=3D"<a href=3D"https://= github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc" rel=3D"noref= errer" target=3D"_blank">https://github.com/erlang/otp/security/advisories/= GHSA-9g37-pgj9-wrhc</a>"><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 <p>Improper Limitation of a Pathna=
me to a Restricted Directory ('Path Traversal')<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 vulnerability in Erlang OTP (stdlib modu= les) allows Absolute Path Traversal,<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 File Manipulation. This vulnerability is=
associated with program files<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 lib/stdlib/src/zip.erl and program routi= nes zip:unzip/1, zip:unzip/2,<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 zip:extract/1, zip:extract/2 unless the = memory option is passed. This issue<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 affects OTP from OTP 17.0 until OTP 28.0= .1, OTP 27.3.4.1 and OTP 26.2.5.13,<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 corresponding to stdlib from 2.0 until 7= .0.1, 6.2.2.1 and 5.2.3.4.</p><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 </blockquote><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 </body><br>
=C2=A0 =C2=A0 </description><br>
=C2=A0 =C2=A0 <references><br>
=C2=A0 =C2=A0 =C2=A0 <cvename>CVE-2025-4748</cvename><br>
=C2=A0 =C2=A0 =C2=A0 <url><a href=3D"https://nvd.nist.gov/vuln/detail= /CVE-2025-4748" rel=3D"noreferrer" target=3D"_blank">https://nvd.nist.gov/v= uln/detail/CVE-2025-4748</a></url><br>
=C2=A0 =C2=A0 </references><br>
=C2=A0 =C2=A0 <dates><br>
=C2=A0 =C2=A0 =C2=A0 <discovery>2025-06-16</discovery><br>
=C2=A0 =C2=A0 =C2=A0 <entry>2025-10-29</entry><br>
=C2=A0 =C2=A0 =C2=A0 <modified>2025-10-29</modified><br>
=C2=A0 =C2=A0 </dates><br>
</blockquote></div></div>

--00000000000013da8a0642532289--

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21a-Linux NewsLink 1.2

From =?UTF-8?Q?Fernando_Apestegu=C3=ADa?=@fernando.apesteguia@gmail.com to muc.lists.freebsd.ports on Thu Oct 30 08:15:26 2025

From Newsgroup: muc.lists.freebsd.ports

--0000000000002265f606425b04dc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Oct 29, 2025 at 11:10=E2=80=AFPM Wall, Stephen <stephen.wall@redcom= .com>
wrote:

Sorry that I failed to credit you as the original reporter in the first

one.
I did not originate either of these CVEs, I merely noticed they weren't i=

n

the FreeBSD vuln.xml.

Please note that the package name for sqlite is actually sqlite3, and
needs to appear that way in the <name> field or it won't appear in report=

s.

Fixed. Thanks for the heads up.

Note to self: do not commit when tired OR at night.

Thank you.

--0000000000002265f606425b04dc
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote g= mail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr">On Wed, Oct 29,=
2025 at 11:10=E2=80=AFPM Wall, Stephen <<a href=3D"mailto:stephen.wall@= redcom.com">stephen.wall@redcom.com</a>> wrote:<br></div><blockquote cla= ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid = rgb(204,204,204);padding-left:1ex">> Sorry that I failed to credit you a=
s the original reporter in the first one.<br>
I did not originate either of these CVEs, I merely noticed they weren't=
in the FreeBSD vuln.xml.<br>

Please note that the package name for sqlite is actually sqlite3, and needs=
to appear that way in the <name> field or it won't appear in rep= orts.<br></blockquote><div><br></div><div>Fixed. Thanks for the heads up.</= div><div><br></div><div>Note to self: do not commit when tired OR at night.= </div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

Thank you.<br>
</blockquote></div></div>

--0000000000002265f606425b04dc--

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21a-Linux NewsLink 1.2

Who's Online

System Info

Sysop:	Amessyroom
Location:	Fayetteville, NC
Users:	54
Nodes:	6 (0 / 6)
Uptime:	01:50:33
Calls:	743
Files:	1,218
Messages:	187,735

Re: Undocumented vulnerabilities in SQLite2 and erlang?

Who's Online

System Info