portaudit

[ajtiM]

On Sunday 25 July 2010 16:10:42 Matthew Seaman wrote:
> On 25/07/2010 19:06:30, ajtiM wrote:
> > Hi!
> > 
> >  portaudit -a shows:
> > Affected package: mDNSResponder-214
> > Type of problem: mDNSResponder -- corrupted stack crash when parsing bad
> > resolv.conf.
> > Reference:
> > <http://portaudit.FreeBSD.org/1cd87e2a-81e3-11df-81d8-00262d5ed8ee.html>
> > 
> > Affected package: opera-10.10.20091120_2
> > Type of problem: opera -- Data URIs can be used to allow cross-site
> > scripting. Reference:
> > <http://portaudit.FreeBSD.org/77b9f9bc-7fdf-11df-8a8d-0008743bf21a.html>
> > 
> > Affected package: linux-f10-pango-1.22.3_1
> > Type of problem: pango -- integer overflow.
> > Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-
> > becb-001cc0377035.html>
> > 
> > 3 problem(s) in your installed packages found.
> > 
> > You are advised to update or deinstall the affected package(s)
> > immediately.
> > 
> > Do I need to deinstall those ports or is safe anyway?
> 
> No, it's not in any way "safe" to ignore what portaudit tells you.
> However that does not mean that you necessarily have to delete the
> referenced packages.
> 
> What you need to do is read the referenced vuXML data, look at the
> reports referenced therein and decide if:
> 
>    a) The vulnerability affects you, given your usage patterns.  For
>       instance, you might be running a server where all users also have
>       root access, in which case, you don't need to worry about
>       privilege escalation attacks from logged in users.
> 
>    b) The vulnerability affects you, but you can mitigate or prevent
>       any attack.  Eg. you can cause a vulnerable daemon to bind only
>       to the loopback interface, or apply strict firewall rules to
>       prevent attacks over the network.
> 
>    c) The software in question is mission critical, and removing it
>       would have a worse effect on you than some possible exploit.
> 
> If the software fails all of the above, then yes, you should certainly
> remove it.  Otherwise, you need to keep an eye out for any updates or
> fixes and apply them ASAP.
> 
> In the particular case of linux-f10-pango -- this is a long standing
> vulnerability with no real prospect of a software patch becoming
> available.  Unfortunately that port is a vital part of the linuxulator,
> so a lot of people are keeping it installed under case (c).
> 
> mDNSResponse can be fixed by a very simple patch, and exploiting the bug
> depends on being able to control the contents of /etc/resolv.conf, which
> pretty much implies the attacker would already have root access to your
> machine.  Keep an eye out for when the update hits the ports and apply
> it as soon as possible.
> 
> The opera bug is more severe.  Your vulnerability to it depends on your
> usage patterns with that browser.  It looks like the opera devs are on
> the case, but in the mean time it might be an idea to switch to using an
> alternate browser temporarily.
> 
> 	Cheers,
> 
> 	Matthew

Thank you very much.

It is sad that port mDNSResponse is without maintainer:

mDNSResponder 214 net 
 This port version is marked as vulnerable.
Apple's mDNSResponder
 
There is no maintainer for this port.

Opera has update 10.11 long time ago but it was not response too. For linux 
pango I understand because it is an old version which Fedora doesn't use also 
very loooong time.


Thanks again.

Mitja
--------
http://starikarp.redbubble.com