process_vuxml.pl --filename=/jails/freshports/usr/ports/security/vuxml/vuln.xml --showreasons" | sudo su -fm freshports
process_vuxml.pl starts
reasons will be displayed
(there is usually a delay before further output)
mismatched tag at line 34, column 3, byte 1421
error in processing external entity reference at line 84, column 0, byte 3678 at /usr/local/lib/perl5/site_perl/mach/5.38/XML/Parser.pm line 187.
`make validate` seems to confirm that:
[12:42 mydev dvl /usr/ports/security/vuxml] % sudo make validate
xmllint -noent /usr/ports/security/vuxml/vuln.xml > /usr/ports/security/vuxml/vuln-flat.xml
/usr/ports/security/vuxml/vuln/2025.xml:34: parser error : Opening and ending tag mismatch: p line 31 and blockquote
        </blockquote>
                     ^
/usr/ports/security/vuxml/vuln/2025.xml:35: parser error : Opening and ending tag mismatch: blockquote line 17 and body
        </body>
               ^
/usr/ports/security/vuxml/vuln/2025.xml:36: parser error : Opening and ending tag mismatch: body line 15 and description
    </description>
                  ^
/usr/ports/security/vuxml/vuln/2025.xml:44: parser error : Opening and ending tag mismatch: description line 14 and vuln
  </vuln>
         ^
/usr/ports/security/vuxml/vuln/2025.xml:1953: parser error : Premature end of data in tag vuln line 1
^
/usr/ports/security/vuxml/vuln/2025.xml:1953: parser error : chunk is not well balanced
^
/usr/ports/security/vuxml/vuln.xml:84: parser error : Entity 'vuln-2025' failed to parse
&vuln-2025;
           ^
*** Error code 1
Stop.
make: stopped in /usr/ports/security/vuxml
On Sun, Mar 2, 2025, at 11:45 PM, Adam Weinberger wrote:
> The branch main has been updated by adamw:
>
> URL:
> https://cgit.FreeBSD.org/ports/commit/?id=003195a3c754204bc61aaa39fea85fd62004b014
>
> commit 003195a3c754204bc61aaa39fea85fd62004b014
> Author:     Adam Weinberger <adamw@FreeBSD.org>
> AuthorDate: 2025-03-03 04:45:48 +0000
> Commit:     Adam Weinberger <adamw@FreeBSD.org>
> CommitDate: 2025-03-03 04:45:48 +0000
>
>     vuxml: Document vim code execution
> ---
>  security/vuxml/vuln/2025.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 45 insertions(+)
>
> diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.x=
ml
> index 15bf6827ba4e..b5008bde1e8a 100644
> --- a/security/vuxml/vuln/2025.xml
> +++ b/security/vuxml/vuln/2025.xml
> @@ -1,3 +1,48 @@
> +=C2=A0 <vuln vid=3D"398d1ec1-f7e6-11ef-bb15-002590af0794"=
;>
> +=C2=A0 =C2=A0 <topic>vim -- Potential code execution</topic&=
gt;
> +=C2=A0 =C2=A0 <affects>
> +=C2=A0 =C2=A0 =C2=A0 <package>
> +=C2=A0 =C2=A0 =C2=A0<name>vim</name>
> +=C2=A0 =C2=A0 =C2=A0<name>vim-gtk2</name>
> +=C2=A0 =C2=A0 =C2=A0<name>vim-gtk3</name>
> +=C2=A0 =C2=A0 =C2=A0<name>vim-motif</name>
> +=C2=A0 =C2=A0 =C2=A0<name>vim-x11</name>
> +=C2=A0 =C2=A0 =C2=A0<name>vim-tiny</name>
> +=C2=A0 =C2=A0 =C2=A0<range><lt>9.1.1164</lt></ra=
nge>
> +=C2=A0 =C2=A0 =C2=A0 </package>
> +=C2=A0 =C2=A0 </affects>
> +=C2=A0 =C2=A0 <description>
> +=C2=A0 =C2=A0 =C2=A0<body xmlns=3D"http://www.w3.org/1999/=
xhtml">
> +=C2=A0 =C2=A0 =C2=A0<p>vim reports:</p>
> +=C2=A0 =C2=A0 =C2=A0<blockquote
> cite=3D"https://github.c=
om/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3">
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0<h1>Summary</h1>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0<p>Potential code execution with tar=
.vim and special crafted tar
> files</p>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0<h1>Description</h1>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0<p>Vim is distributed with the tar.v=
im plugin, that allows easy
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0editing and viewing of (compressed or unco=
mpressed) tar files.</p>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0<p>Since commit 129a844 (Nov 11, 202=
4 runtime(tar): Update tar.vim
> to
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0support permissions), the tar.vim plugin u=
ses the ":read " ex
> command
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0line to append below the cursor position, =
however the is not
> sanitized
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0and is taken literaly from the tar archive=
. This allows to execute
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0shell commands via special crafted tar arc=
hives. Whether this really
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0happens, depends on the shell being used (=
'shell' option, which is
> set
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0using $SHELL).</p>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0<h1>Impact</h1>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0<p>Impact is high but a user must be=
convinced to edit such a file
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0using Vim which will reveal the filename, =
so a careful user may
> suspect
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0some strange things going on.
> +=C2=A0 =C2=A0 =C2=A0</blockquote>
> +=C2=A0 =C2=A0 =C2=A0</body>
> +=C2=A0 =C2=A0 </description>
> +=C2=A0 =C2=A0 <references>
> +=C2=A0 =C2=A0 =C2=A0
> <url>https://github.com=
/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3</url>
> +=C2=A0 =C2=A0 </references>
> +=C2=A0 =C2=A0 <dates>
> +=C2=A0 =C2=A0 =C2=A0 <discovery>2025-03-02</discovery>
> +=C2=A0 =C2=A0 =C2=A0 <entry>2025-03-02</entry>
> +=C2=A0 =C2=A0 </dates>
> +=C2=A0 </vuln>
> +
>=C2=A0 =C2=A0 <vuln vid=3D"8fb9101e-f58a-11ef-b4e4-2cf05da270f3=
">
>=C2=A0 =C2=A0 =C2=A0 <topic>Gitlab -- Vulnerabilities</topic&g=
t;
>=C2=A0 =C2=A0 =C2=A0 <affects>
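
Review bot: the Impact paragraph is never closed. The added line `<p>Impact is high but a user must be convinced ...` runs through "some strange things going on." and the next added line is `</blockquote>`, so the entry is not well-formed; this is the "Opening and ending tag mismatch: p line 31 and blockquote" that xmllint reports at 2025.xml:34, and the blockquote, body, description and vuln mismatches after it cascade from the same missing tag. Add `</p>` after "going on." and rerun `make validate` in security/vuxml before pushing. Separately, in the Description the text reads `the ":read " ex command line` and "however the is not sanitized", which looks like a word was dropped from each sentence when the advisory was pasted; compare against the advisory named in the `cite` attribute.
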
--
  Dan Langille
  dan@langille.org