misc/175381: pkg audit not detecting vulnerable packages
Darrell
denns at cknw.com
Thu Jan 17 18:20:01 UTC 2013
>Number: 175381
>Category: misc
>Synopsis: pkg audit not detecting vulnerable packages
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 17 18:20:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Darrell
>Release: 9.1-RELEASE
>Organization:
>Environment:
FreeBSD gt 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The pkgng command "pkg audit" is showing 0 vulnerabilities, even when a vulnerable package is installed. I am testing by installing vulnerability-test-port-2013.01.17 (which is listed in the audit file).
>How-To-Repeat:
[root at gt /usr/local/etc]# cat pkg.conf
# System-wide configuration file for pkg(1)
# For more information on the file format and
# options please refer to the pkg.conf(5) man page
# Configuration options
PACKAGESITE : http://pkg.freebsd.org/${ABI}/latest
#SRV_MIRRORS : NO
#PKG_DBDIR : /var/db/pkg
#PKG_CACHEDIR : /var/cache/pkg
#PORTSDIR : /usr/ports
#PUBKEY : /etc/ssl/pkg.conf
#HANDLE_RC_SCRIPTS : NO
#PKG_MULTIREPOS : NO
#ASSUME_ALWAYS_YES : NO
#SYSLOG : YES
#SHLIBS : NO
#AUTODEPS : NO
PORTAUDIT_SITE : http://portaudit.FreeBSD.org/auditfile.tbz
# Repository definitions
#repos:
# default : http://example.org/pkgng/
# repo1 : http://somewhere.org/pkgng/repo1/
# repo2 : http://somewhere.org/pkgng/repo2/
[root at gt ~]# curl -s http://portaudit.FreeBSD.org/auditfile.tbz|bunzip2 -c|head
auditfile000644 000121 000000 00002536414 12076036045 013644 0ustar00www-datawheel000000 000000 #CREATED: 2013-01-17 18:00:05
# Created by packaudit 0.2.3
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
# Please refer to the original document for copyright information:
# http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=1.2939
# Converted by vuxml2portaudit
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
chromium<24.0.1312.52|http://portaudit.FreeBSD.org/46bd747b-5b84-11e2-b06d-00262d5ed8ee.html|chromium -- multiple vulnerabilities
firefox>11.0,1<17.0.2,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
firefox<10.0.12,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
[root at gt ~]# pkg update
Updating repository catalogue
Repository catalogue is up-to-date, no need to fetch fresh copy
[root at gt ~]# pkg info |grep vuln
vulnerability-test-port-2013.01.17 Standard vulnerability test for port auditing systems
[root at gt ~]# pkg audit
0 problem(s) in your installed packages found.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
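Added example (not code from the report, from pkg(8) or from portaudit): a small Python checker that parses the auditfile entries quoted above and tests installed name-version strings against their version ranges, which is the matching pkg audit is expected to perform. It assumes the three-field name<ranges>|url|description layout shown and a simplified version comparison (epoch after ',', revision after '_', dotted components compared numerically; pkg's real rules cover more cases). Note that '<' bounds are exclusive, so a version equal to an entry's upper bound, as 2013.01.17 is in the excerpt above, falls outside the range.

```python
import re

# Constructed sample: the entry lines quoted from the auditfile excerpt above.
AUDIT_TEXT = """#CREATED: 2013-01-17 18:00:05
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
firefox>11.0,1<17.0.2,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
firefox<10.0.12,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
"""

# Entry layout: name, one or more <op><version> constraints, then |url|description.
ENTRY_RE = re.compile(r"^([^<>=|]+)((?:(?:<=|>=|<|>|=)[^<>=|]+)+)\|([^|]*)\|(.*)$")
OP_RE = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def version_key(ver):
    """Simplified FreeBSD version key (epoch, components, revision). Assumption:
    version[_revision][,epoch]; pkg's rules for letter suffixes etc. are not reproduced."""
    epoch = revision = 0
    if "," in ver:
        ver, epoch = ver.rsplit(",", 1)
    if "_" in ver:
        ver, revision = ver.rsplit("_", 1)
    # Numeric parts are tagged 0 and others 1, so int and str are never compared directly.
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in ver.split(".")]
    return (int(epoch), parts, int(revision))

def parse_auditfile(text):
    """Return [(name, [(op, version_key)], url, description)], skipping comments."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if line.startswith("#") or not m:
            continue  # comment or malformed entry: ignore rather than crash
        name, ranges, url, desc = m.groups()
        entries.append((name, [(op, version_key(v)) for op, v in OP_RE.findall(ranges)], url, desc))
    return entries

def audit(installed, entries):
    """Return (package, description) for each installed 'name-version' string whose
    version satisfies every constraint of an entry carrying the same name."""
    hits = []
    for pkg in installed:
        name, _, ver = pkg.rpartition("-")  # pkg splits name/version at the last '-'
        key = version_key(ver)
        for ename, constraints, _url, desc in entries:
            if ename == name and all(OPS[op](key, v) for op, v in constraints):
                hits.append((pkg, desc))
    return hits
```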