To:        "Wall, Stephen" <stephen.wall@redcom.com>
Cc:        Kurt Jaeger <pi@freebsd.org>, FreeBSD Mailing List <freebsd-ports@freebsd.org>
Subject:   Re: Undocumented vulnerabilities in SQLite2 and erlang?

On Wed, Oct 29, 2025 at 2:36 PM Wall, Stephen <stephen.wall@redcom.com> wrote:

> > From: Kurt Jaeger <pi@freebsd.org>
> > Can you provide those entries ?
>
> And here's what I came up with for erlang.  I don't know if erlang-java or
> erlang-wx should be included, and wasn't sure how to handle the older
> erlang-runtime versions, since they are not documented as having a fixed
> version in the reports I've found.
>
>
Thanks!

This is done in:
ae2563208a321c4cdd180a85500459e0974b9ee2
and 4f01a94bd54e66edc094265d9aeca1a27fb5ad22

Sorry that I failed to credit you as the original reporter in the first one.


>
>     <topic>Erlang - Absolute Path in Zip Module</topic>
>     <affects>
>       <package>
>         <name>erlang</name>
>         <range><ge>17.0</ge><lt>26.2.5.13,4</lt></range>
>       </package>
>       <package>
>         <name>erlang-runtime26</name>
>         <range><lt>26.2.5.13</lt></range>
>       </package>
>       <package>
>         <name>erlang-runtime27</name>
>         <range><lt>27.3.4.1</lt></range>
>       </package>
>       <package>
>         <name>erlang-runtime28</name>
>         <range><lt>28.0.1</lt></range>
>       </package>
>     </affects>
>     <description>
>       <body xmlns="http://www.w3.org/1999/xhtml">
>         <p>Erlang/OTP reports:</p>
>         <blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc">
>           <p>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
>           vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal,
>           File Manipulation. This vulnerability is associated with program files
>           lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2,
>           zip:extract/1, zip:extract/2 unless the memory option is passed. This issue
>           affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13,
>           corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.</p>
>         </blockquote>
>         </body>
>     </description>
>     <references>
>       <cvename>CVE-2025-4748</cvename>
>       <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4748</url>
>     </references>
>     <dates>
>       <discovery>2025-06-16</discovery>
>       <entry>2025-10-29</entry>
>       <modified>2025-10-29</modified>
>     </dates>
>
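The advisory quoted above describes archive entries whose stored names are absolute or climb out of the extraction directory, and notes that the `memory` option of `zip:unzip`/`zip:extract` sidesteps the problem because nothing is written to disk. The following is an added illustration of the defensive pattern that implies (read the archive into memory, validate every member name against the destination, and only then write): it is not code from the thread or from Erlang/OTP, and it is written in Python with the standard `zipfile` module rather than Erlang so it runs stand-alone. The sample entry names, the `SAMPLE_*` archives and the `/srv/extract` destination are constructed for the example.

```python
import io
import posixpath
import zipfile

# Constructed sample archives (not from the advisory). SAMPLE_HOSTILE carries
# the entry shapes the advisory's bug class is about: an absolute path and
# "../" traversal, including one hidden behind a benign-looking prefix.
SAMPLE_BENIGN = {"docs/readme.txt": "benign\n"}
SAMPLE_HOSTILE = {
    "docs/readme.txt": "benign\n",
    "/etc/cron.d/evil": "absolute path entry\n",
    "../escape.txt": "parent traversal entry\n",
    "docs/../../escape2.txt": "traversal hidden behind a benign prefix\n",
}


def build_archive(entries):
    """Build a zip in memory. zipfile stores names verbatim, leading '/' included,
    so the hostile names survive into the archive exactly as written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def resolve_member(dest, name):
    """Map a stored entry name to its on-disk path under dest, or None if it
    would land outside dest. Names are treated as POSIX paths, as zip.erl does;
    backslashes are rejected outright because posixpath would not normalise them."""
    if posixpath.isabs(name) or "\\" in name:
        return None
    root = posixpath.normpath(dest)
    prefix = root if root.endswith("/") else root + "/"
    target = posixpath.normpath(posixpath.join(root, name))
    if target != root and not target.startswith(prefix):
        return None
    return target


def unsafe_members(zip_bytes, dest="/srv/extract"):
    """Return the entry names that resolve_member rejects, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if resolve_member(dest, n) is None]


def extract_checked(zip_bytes, dest):
    """Validate every name first, then read all members into memory and return
    a {resolved_path: bytes} mapping for the caller to write out. The whole
    archive is refused on the first bad name rather than extracting the good
    entries and skipping the rest, so a partial tree never appears on disk."""
    bad = unsafe_members(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract into {dest}: unsafe entries {bad}")
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            out[resolve_member(dest, name)] = zf.read(name)
    return out


if __name__ == "__main__":
    print(unsafe_members(build_archive(SAMPLE_HOSTILE)))
    print(extract_checked(build_archive(SAMPLE_BENIGN), "/srv/extract"))
```

The check is deliberately done on the normalised target path rather than by looking for a leading `/` or a `../` substring: the `docs/../../escape2.txt` entry passes a naive prefix test yet still resolves to `/srv/escape2.txt`, which is why the advisory's own mitigation (extract to memory, then decide what to write) is the safer shape. On a FreeBSD host the same pattern applies to any service that unpacks user-supplied archives with an unpatched `erlang` or `erlang-runtime2x` package in the quoted ranges.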
