- 1. Overview
- 2. Situation
- 3. Workaround
1. Overview
This occurred on June 23, 2025.
It occurs on "FreeBSD 14.2 RELEASE" and "FreeBSD 14.3 RELEASE".
2. Situation
The state is as follows.
$ portversion -v | grep '<'
[Reading data from pkg(8) ... - 561 packages found - done]
libxml2-2.11.9 < needs updating (port has 2.11.9_1)
py311-libxml2-2.11.9_2 < needs updating (port has 2.11.9_3)
When I try to upgrade "libxml2":
portupgrade -rR libxml2
[Reading data from pkg(8) ... - 561 packages found - done]
[Gathering depends for textproc/libxml2 ................................................................................ done]
[Gathering depends for textproc/xmlto ............................................................................ done]
[Gathering depends for dns/bind-tools .................................................................................. done]
... omitted ...
[Gathering depends for textproc/php82-xmlwriter .... done]
[Gathering depends for textproc/augeas ....... done]
[Exclude up-to-date packages ........................................................................................... done]
---> Upgrading 'libxml2-2.11.9' to 'libxml2-2.11.9_1' (textproc/libxml2)
---> Building '/usr/ports/textproc/libxml2'
===> Cleaning for libxml2-2.11.9_1
===> libxml2-2.11.9_1 has known vulnerabilities:
libxml2-2.11.9_1 is vulnerable:
libxml2 -- Out-of-bounds memory access
CVE: CVE-2025-32414
WWW: https://vuxml.FreeBSD.org/freebsd/2926c487-3e53-11f0-95d4-00a098b42aeb.html
libxml2 -- Use After Free
CVE: CVE-2024-56171
WWW: https://vuxml.FreeBSD.org/freebsd/bd2af307-3e50-11f0-95d4-00a098b42aeb.html
libxml2 -- Stack-based Buffer Overflow
CVE: CVE-2025-24928
WWW: https://vuxml.FreeBSD.org/freebsd/fdd02be0-3e50-11f0-95d4-00a098b42aeb.html
3 problem(s) in 1 package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/textproc/libxml2
*** Error code 1
Stop.
make: stopped in /usr/ports/textproc/libxml2
egrep: empty (sub)expression
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade20250623-44250-fvj2q5 env UPGRADE_TOOL=portupgrade UPGRADE_PORT=libxml2-2.11.9 UPGRADE_PORT_VER=2.11.9 make
** Fix the problem and try again.
---> Skipping 'textproc/py-libxml2' (py311-libxml2-2.11.9_2) because a requisite package 'libxml2-2.11.9' (textproc/libxml2) failed (specify -k to force)
** Listing the failed packages (-:ignored / *:skipped / !:failed)
! textproc/libxml2 (libxml2-2.11.9) (security vulnerabilities)
* textproc/py-libxml2 (py311-libxml2-2.11.9_2)
When I try a plain "make":
cd /usr/ports/textproc/libxml2
make
===> libxml2-2.11.9_1 has known vulnerabilities:
libxml2-2.11.9_1 is vulnerable:
libxml2 -- Out-of-bounds memory access
CVE: CVE-2025-32414
WWW: https://vuxml.FreeBSD.org/freebsd/2926c487-3e53-11f0-95d4-00a098b42aeb.html
libxml2 -- Use After Free
CVE: CVE-2024-56171
WWW: https://vuxml.FreeBSD.org/freebsd/bd2af307-3e50-11f0-95d4-00a098b42aeb.html
libxml2 -- Stack-based Buffer Overflow
CVE: CVE-2025-24928
WWW: https://vuxml.FreeBSD.org/freebsd/fdd02be0-3e50-11f0-95d4-00a098b42aeb.html
3 problem(s) in 1 package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/textproc/libxml2
*** Error code 1
Stop.
make: stopped in /usr/ports/textproc/libxml2
Even after "clean", the result is the same.
3. Workaround
I will do exactly as the message says.
cd /usr/ports/textproc/libxml2
make DISABLE_VULNERABILITIES=yes
make reinstall
With that done, next is "py311-libxml2".
portupgrade -rR py311-libxml2
The upgrade completed successfully.
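An added example, not part of the original post: a small sh helper that parses the vulnerability block shown in the build output above and lists any CVE that is not yet in a reviewed list, so the DISABLE_VULNERABILITIES=yes override is applied only after each advisory has been read. The function names and the reviewed-list file are assumptions made for this example.

```sh
#!/bin/sh
# Added example: list the CVEs in a ports vulnerability block that are not yet reviewed.

# Constructed sample: the vulnerability block from the build output quoted above.
sample_output() {
cat <<'EOF'
===> libxml2-2.11.9_1 has known vulnerabilities:
libxml2-2.11.9_1 is vulnerable:
libxml2 -- Out-of-bounds memory access
CVE: CVE-2025-32414
WWW: https://vuxml.FreeBSD.org/freebsd/2926c487-3e53-11f0-95d4-00a098b42aeb.html
libxml2 -- Use After Free
CVE: CVE-2024-56171
WWW: https://vuxml.FreeBSD.org/freebsd/bd2af307-3e50-11f0-95d4-00a098b42aeb.html
libxml2 -- Stack-based Buffer Overflow
CVE: CVE-2025-24928
WWW: https://vuxml.FreeBSD.org/freebsd/fdd02be0-3e50-11f0-95d4-00a098b42aeb.html
3 problem(s) in 1 package(s) found.
EOF
}

# Read the block on stdin; print "package|title|CVE[,CVE...]|VuXML URL" per entry.
vuln_summary() {
  awk '
    { sub(/^[ \t]+/, "") }    # tolerate indented output
    / is vulnerable:$/    { pkg = $1; next }
    / -- /                { title = $0; sub(/^.* -- /, "", title); next }
    /^CVE: /              { cve = (cve == "" ? $2 : cve "," $2); next }
    /^WWW: / && pkg != "" { print pkg "|" title "|" cve "|" $2; cve = "" }
  '
}

# Print every reported CVE missing from the reviewed list in file $1 (hypothetical
# file, one CVE id per line). Returns 0 only when all reported CVEs are listed.
unreviewed_cves() {
  # Fail closed: a missing list must not look like "everything reviewed".
  [ -r "$1" ] || { echo "reviewed list not readable: $1" >&2; return 2; }
  missing=$(vuln_summary | cut -d'|' -f3 | tr ',' '\n' | grep -v '^$' |
            grep -vxFf "$1" || true)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Demo: summarise the sample block.
sample_output | vuln_summary
```

Pipe the failed build's output into `unreviewed_cves` and pass DISABLE_VULNERABILITIES=yes only when it returns 0.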