Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range

From: Felix Palmen <zirias_at_freebsd.org>
Date: Tue, 12 Dec 2023 09:45:14 UTC
* Philip Paeps <philip@freebsd.org> [20231212 17:34]:
> The issue described by FreeBSD-SA-23:17.pf only affects the pf kernel
> module, not the rest of the kernel.  Consequently, freebsd-update only
> rebuilt pf.ko.  kernel was not rebuilt.

Thanks! That was the missing piece of information (for me) all the time!

> - <package>FreeBSD</package> with the version reported by freebsd-version:
> this incorrectly presents the vulnerability as affecting userland.

Wouldn't this be the "least wrong" approach for now then? Because:

> - <package>FreeBSD-kernel</package> with the version reported by
> freebsd-version: this is how I originally documented the vulnerability.
> Since the kernel was not rebuilt (only pf.ko), systems comparing the output
> of uname -k to the versions in the vuxml document cannot see that the system
> was upgraded.

Yes, this is clearly wrong then. Sorry, I wasn't aware the kernel wasn't
rebuilt when modules are affected by a fix ...

> - <package>FreeBSD-kernel</package> with the version reported by uname -k:
> this is how it is currently documented.  Users who have not upgraded
> anything will not realise they are affected, because uname -k has been at
> -p4 since October.  (As you correctly point out.)

And yes, this is pointless, and I still think somehow dangerous when
people expect to be warned by periodic.

> The security-officer team is trying to come up with a way to forcibly
> rebuild the kernel for this category of vulnerabilities.  This is not a
> great solution either though.  It requires users to reboot the system
> whereas (in theory, in many/most cases), unloading and reloading the kernel
> module would address the vulnerability.

This sounds like a "better than before" kind of approach as well,
thanks.

> The good news is that pkgbase will solve this problem to some extent.
> Kernel modules are distributed in the FreeBSD-kernel package.  While "pkg
> audit" won't be able to determine if the correct module is loaded, at least
> it will be able to see that the correct package has been installed.

Sounds nice as well. Then I'll shut up for now. Still "wrong"
unfortunately, but good to know there's at least progress :)

Cheers, Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231
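As an added illustration that is not part of the thread and not FreeBSD's or pkg's own code: a POSIX sh sketch of the version-range test pkg audit applies to base-system versions (13.2-RELEASE-p4 is read in the vuxml form 13.2_4), run against the situation Philip describes, where freebsd-update installed the fix and rebuilt pf.ko but not the kernel. All version strings and the <range> bounds are constructed placeholders, not the real SA-23:17.pf data.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD/pkg. It mimics the
# range test pkg audit applies to base-system versions: "13.2-RELEASE-p4" is
# read as the vuxml form "13.2_4" and checked against <ge>/<lt> bounds.
# Every version string and bound below is a constructed placeholder.

# to_vuxml "13.2-RELEASE-p4" -> "13.2_4"; a release without -pN becomes "13.2_0"
to_vuxml() {
    rel=${1%%-*}
    case $1 in
        *-p[0-9]*) patch=${1##*-p} ;;
        *)         patch=0 ;;
    esac
    printf '%s_%s\n' "$rel" "$patch"
}

# vercmp A B: prints -1, 0 or 1 comparing two vuxml-form versions (maj.min_patch)
vercmp() {
    a_rel=${1%_*}; a_pat=${1#*_}; b_rel=${2%_*}; b_pat=${2#*_}
    for pair in "${a_rel%.*} ${b_rel%.*}" "${a_rel#*.} ${b_rel#*.}" "$a_pat $b_pat"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# affected VERSION GE LT: succeeds when GE <= VERSION < LT (vuxml range semantics)
affected() {
    v=$(to_vuxml "$1")
    [ "$(vercmp "$v" "$2")" -ge 0 ] && [ "$(vercmp "$v" "$3")" -lt 0 ]
}

# Constructed scenario from the thread: freebsd-update installed the fix and
# rebuilt pf.ko only, so userland reports -p5 while the kernel stays at -p4.
USERLAND_VER=13.2-RELEASE-p5   # placeholder for freebsd-version -u after the update
KERNEL_VER=13.2-RELEASE-p4     # placeholder for freebsd-version -k / uname -r
FIX_GE=13.2_0; FIX_LT=13.2_5   # placeholder <range> bounds of the fix

# Reports how each way of keying the vuxml entry classifies this host.
report() {
    if affected "$USERLAND_VER" "$FIX_GE" "$FIX_LT"; then u=affected; else u=fixed; fi
    if affected "$KERNEL_VER" "$FIX_GE" "$FIX_LT"; then k=affected; else k=fixed; fi
    printf 'userland-keyed entry: %s\n' "$u"   # fixed: the update was applied
    printf 'kernel-keyed entry: %s\n' "$k"     # affected: the kernel was never rebuilt
}
report
```

The kernel-keyed entry keeps flagging the patched host, and a host that never updated looks identical to it, which is the ambiguity Philip's three options trade off.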