Date:      Wed, 10 Jun 2026 11:22:50 +0000
From:      Piotr Smyrak <smyru@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 27367635aaad - main - security/vuxml: document devel/tree-sitter-cli vulnerabilities
Message-ID:  <6a29490a.36fb1.fe5557c@gitrepo.freebsd.org>


The branch main has been updated by smyru:

URL: https://cgit.FreeBSD.org/ports/commit/?id=27367635aaadde7d102c188e32f3867b6e7cd6ef

commit 27367635aaadde7d102c188e32f3867b6e7cd6ef
Author:     Piotr Smyrak <smyru@FreeBSD.org>
AuthorDate: 2026-06-08 13:56:25 +0000
Commit:     Piotr Smyrak <smyru@FreeBSD.org>
CommitDate: 2026-06-10 11:22:41 +0000

    security/vuxml: document devel/tree-sitter-cli vulnerabilities
    
    PR:             294982
    Approved by:    0mp
    Differential Revision:  https://reviews.freebsd.org/D57502
---
 security/vuxml/vuln/2026.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index d810b5da8c56..d7b938bf5bae 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,48 @@
+  <vuln vid="36ec75da-633d-11f1-9dbc-28d2443e6cfa">
+    <topic>tree-sitter-cli -- Always-Incorrect Control Flow Implementation in wasmtime crate</topic>
+    <affects>
+    <package>
+	<name>tree-sitter-cli</name>
+	<range><lt>0.26.9</lt></range>
+    </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw reports:</p>
+	<blockquote cite="https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw">;
+	  <p>Wasmtime is a runtime for WebAssembly.  From 25.0.0 to before 36.0.7,
+42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability
+where the compilation of the table.fill instruction can result in
+a host panic.  This means that a valid guest can be compiled with
+Winch, on any architecture, and cause the host to panic.  This
+represents a denial-of-service vulnerability in Wasmtime due to
+guests being able to trigger a panic.  The specific issue is that
+a historical refactoring changed how compiled code referenced tables
+within the table.* instructions.  This refactoring forgot to update
+the Winch code paths associated as well, meaning that Winch was
+using the wrong indexing scheme.  Due to the feature support of
+Winch the only problem that can result is tables being mixed up or
+nonexistent tables being used, meaning that the guest is limited
+to panicking the host (using a nonexistent table), or executing
+spec-incorrect behavior and modifying the wrong table. This
+vulnerability is fixed in crate versions: 36.0.7, 42.0.2, and 43.0.1.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>RUSTSEC-2026-0089</cvename>
+      <url>https://rustsec.org/advisories/RUSTSEC-2026-0089</url>;
+      <cvename>CVE-2026-34946</cvename>
+      <url>https://cveawg.mitre.org/api/cve/CVE-2026-34946</url>;
+      <cvename>GHSA-q49f-xg75-m9xw</cvename>
+      <url>https://github.com/advisories/GHSA-q49f-xg75-m9xw</url>;
+    </references>
+    <dates>
+      <discovery>2026-04-09</discovery>
+      <entry>2026-06-08</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="259b562f-64ab-11f1-8607-8447094a420f">
     <topic>OpenSSL -- Multiple vulnerabilities</topic>
     <affects>
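Review bot: the `;` that follows `>` on the `<body xmlns="http://www.w3.org/1999/xhtml">;` and `<blockquote cite="...">;` lines and after each of the three `</url>` lines in `<references>` should not be in the committed entry; if those characters are really in 2026.xml rather than an artifact of the archive rendering, they are stray character data inside `<references>`, which the vuxml DTD does not allow there, so please confirm the file passes `make validate` in security/vuxml before this is relied on. A smaller point in the same hunk: `<name>`, `<range>`, `<body>`, `<blockquote>` and `</body>` are indented with a tab while the surrounding `<package>`, `<description>` and `<references>` lines use spaces; the rest of the file uses space indentation, so the tabbed lines should be converted to match.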



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a29490a.36fb1.fe5557c>