On Wed, Oct 29, 2025 at 2:36 PM Wall, Stephen <[email protected]>
wrote:

> > From: Kurt Jaeger <[email protected]>
> > Can you provide those entries?
>
> And here's what I came up with for erlang.  I don't know if erlang-java or
> erlang-wx should be included, and wasn't sure how to handle the older
> erlang-runtime versions, since they are not documented as having a fixed
> version in the reports I've found.
>
>
Thanks!

This is done in:
ae2563208a321c4cdd180a85500459e0974b9ee2
and 4f01a94bd54e66edc094265d9aeca1a27fb5ad22

Sorry that I failed to credit you as the original reporter in the first one.


>
>     <topic>Erlang - Absolute Path in Zip Module</topic>
>     <affects>
>       <package>
>         <name>erlang</name>
>         <range><ge>17.0</ge><lt>26.2.5.13,4</lt></range>
>       </package>
>       <package>
>         <name>erlang-runtime26</name>
>         <range><lt>26.2.5.13</lt></range>
>       </package>
>       <package>
>         <name>erlang-runtime27</name>
>         <range><lt>27.3.4.1</lt></range>
>       </package>
>       <package>
>         <name>erlang-runtime28</name>
>         <range><lt>28.0.1</lt></range>
>       </package>
>     </affects>
>     <description>
>       <body xmlns="http://www.w3.org/1999/xhtml">
>         <p>Erlang/OTP reports:</p>
>         <blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc">
>           <p>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
>           vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal,
>           File Manipulation. This vulnerability is associated with program files
>           lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2,
>           zip:extract/1, zip:extract/2 unless the memory option is passed. This issue
>           affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13,
>           corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.</p>
>         </blockquote>
>       </body>
>     </description>
>     <references>
>       <cvename>CVE-2025-4748</cvename>
>       <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4748</url>
>     </references>
>     <dates>
>       <discovery>2025-06-16</discovery>
>       <entry>2025-10-29</entry>
>       <modified>2025-10-29</modified>
>     </dates>
>
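The advisory quoted above describes an extractor that honours absolute paths stored in archive entries. As an added illustration (not part of this thread, the VuXML entry, or Erlang/OTP's own code), the following Python module shows the kind of pre-extraction check a defender wants in front of any zip extractor: it lists the members and rejects names that are absolute (POSIX or Windows-drive style) or that contain a `..` component, and it only extracts when every member passes. The archive contents and the function names (`is_unsafe_name`, `unsafe_member_names`, `safe_extract`, `build_sample_archive`) are constructed here for the example; the check is generic and is not a description of how the OTP fix is implemented.

```python
import io
import zipfile
from pathlib import Path, PureWindowsPath


def is_unsafe_name(name: str) -> bool:
    """True if an archive member name could land outside the extraction directory.

    Rejects POSIX absolute paths ("/..."), Windows drive or UNC paths ("C:\\...",
    "\\\\host\\share\\..."), and any path containing a ".." component, whichever
    separator the archive used.
    """
    if name.startswith(("/", "\\")):
        return True
    if PureWindowsPath(name).drive:
        return True
    parts = name.replace("\\", "/").split("/")
    return ".." in parts


def unsafe_member_names(data: bytes) -> list[str]:
    """Return every member name in the zip (given as bytes) that fails the check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_unsafe_name(n)]


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only if all members are safe; otherwise raise before touching disk.

    Returns the list of extracted member names.
    """
    bad = unsafe_member_names(data)
    if bad:
        raise ValueError(f"refusing to extract: unsafe entries {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive(names: list[str]) -> bytes:
    """Constructed test fixture: an in-memory zip whose member names are given verbatim.

    zipfile.ZipInfo keeps a leading "/" and ".." components as written, so the
    resulting archive exercises the check above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    # Constructed sample: two ordinary entries plus three that must be rejected.
    sample = build_sample_archive(
        ["README", "lib/app.beam", "/absolute/elsewhere.txt", "../escape.txt", "C:/drive/path.txt"]
    )
    print("unsafe:", unsafe_member_names(sample))
    try:
        safe_extract(sample, tempfile.mkdtemp())
    except ValueError as e:
        print(e)
    clean = build_sample_archive(["README", "lib/app.beam"])
    with tempfile.TemporaryDirectory() as d:
        print("extracted:", safe_extract(clean, d), sorted(p.name for p in Path(d).rglob("*")))
```

The same rule applies to the Erlang calls named in the advisory: when an extractor writes member names to the filesystem, validate them against the destination first, or keep the extraction in memory (the `memory` option the advisory mentions) and decide per entry where, if anywhere, each file is written.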
