FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
b927b654-7146-11ec-ad4b-5404a68ad561	uriparser -- Multiple vulnerabilities Upstream project reports: Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* functions where the text range in .hostText would not be duped using malloc but remain unchanged (and hence "not owned") for URIs with an IPv4 or IPv6 address hostname; depending on how an application uses uriparser, this could lead the application into a use-after-free situation. As the second half, fix uriFreeUriMembers* functions that would not free .hostText memory for URIs with an IPv4 or IPv6 address host; also, calling uriFreeUriMembers* multiple times on a URI of this very nature would result in trying to free pointers to stack (rather than heap) memory. Fix functions uriNormalizeSyntax* for out-of-memory situations (i.e. malloc returning NULL) for URIs containing empty segments (any of user info, host text, query, or fragment) where previously pointers to stack (rather than heap) memory were freed. Discovery 2022-01-06 Entry 2022-01-09 uriparser < 0.9.6 CVE-2021-46141 CVE-2021-46142 https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog
924bd4f8-11e7-11e9-9fe8-5404a68ad561	uriparser -- Out-of-bounds read Upstream project reports: Out-of-bounds read in uriParseEx for incomplete URIs with IPv6 addresses with embedded IPv4 address, e.g. "//[::44.1"; mitigated if passed parameter afterLast points to readable memory containing a '\0' byte. Discovery 2019-01-02 Entry 2019-01-06 uriparser < 0.9.1 https://github.com/uriparser/uriparser/blob/uriparser-0.9.1/ChangeLog

VuXML ID

Description

b927b654-7146-11ec-ad4b-5404a68ad561

uriparser -- Multiple vulnerabilities

Upstream project reports:

Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* functions where the text range in .hostText would not be duped using malloc but remain unchanged (and hence "not owned") for URIs with an IPv4 or IPv6 address hostname; depending on how an application uses uriparser, this could lead the application into a use-after-free situation. As the second half, fix uriFreeUriMembers* functions that would not free .hostText memory for URIs with an IPv4 or IPv6 address host; also, calling uriFreeUriMembers* multiple times on a URI of this very nature would result in trying to free pointers to stack (rather than heap) memory. Fix functions uriNormalizeSyntax* for out-of-memory situations (i.e. malloc returning NULL) for URIs containing empty segments (any of user info, host text, query, or fragment) where previously pointers to stack (rather than heap) memory were freed.

Discovery 2022-01-06
Entry 2022-01-09
uriparser

< 0.9.6

CVE-2021-46141
CVE-2021-46142
https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog

924bd4f8-11e7-11e9-9fe8-5404a68ad561

uriparser -- Out-of-bounds read

Upstream project reports:

Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6 addresses with embedded IPv4 address, e.g. "//[::44.1"; mitigated if passed parameter afterLast points to readable memory containing a '\0' byte.

Discovery 2019-01-02
Entry 2019-01-06
uriparser

< 0.9.1

https://github.com/uriparser/uriparser/blob/uriparser-0.9.1/ChangeLog