misc/175381: pkg audit not detecting vulnerable packages

Darrell denns at cknw.com
Thu Jan 17 18:20:01 UTC 2013


>Number:         175381
>Category:       misc
>Synopsis:       pkg audit not detecting vulnerable packages
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 17 18:20:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Darrell
>Release:        9.1-RELEASE
>Organization:
>Environment:
FreeBSD gt 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec  4 09:23:10 UTC 2012     root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
The pkgng command "pkg audit" is showing 0 vulnerabilities, even when a vulnerable package is installed. I am testing by installing vulnerability-test-port-2013.01.17 (which is listed in the audit file).
>How-To-Repeat:
[root at gt /usr/local/etc]# cat pkg.conf
# System-wide configuration file for pkg(1)
# For more information on the file format and
# options please refer to the pkg.conf(5) man page

# Configuration options
PACKAGESITE         : http://pkg.freebsd.org/${ABI}/latest
#SRV_MIRRORS        : NO
#PKG_DBDIR          : /var/db/pkg
#PKG_CACHEDIR       : /var/cache/pkg
#PORTSDIR           : /usr/ports
#PUBKEY             : /etc/ssl/pkg.conf
#HANDLE_RC_SCRIPTS   : NO
#PKG_MULTIREPOS     : NO
#ASSUME_ALWAYS_YES   : NO
#SYSLOG             : YES
#SHLIBS             : NO
#AUTODEPS           : NO
PORTAUDIT_SITE      : http://portaudit.FreeBSD.org/auditfile.tbz

# Repository definitions
#repos:
#  default : http://example.org/pkgng/
#  repo1 : http://somewhere.org/pkgng/repo1/
#  repo2 : http://somewhere.org/pkgng/repo2/

[root at gt ~]# curl -s http://portaudit.FreeBSD.org/auditfile.tbz|bunzip2 -c|head
auditfile000644 000121 000000 00002536414 12076036045 013644 0ustar00www-datawheel000000 000000 #CREATED: 2013-01-17 18:00:05
# Created by packaudit 0.2.3
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
# Please refer to the original document for copyright information:
# http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=1.2939
# Converted by vuxml2portaudit
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
chromium<24.0.1312.52|http://portaudit.FreeBSD.org/46bd747b-5b84-11e2-b06d-00262d5ed8ee.html|chromium -- multiple vulnerabilities
firefox>11.0,1<17.0.2,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
firefox<10.0.12,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities

[root at gt ~]# pkg update
Updating repository catalogue
Repository catalogue is up-to-date, no need to fetch fresh copy

[root at gt ~]# pkg info |grep vuln
vulnerability-test-port-2013.01.17 Standard vulnerability test for port auditing systems

[root at gt ~]# pkg audit
0 problem(s) in your installed packages found.


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
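
The following is an added example, not part of the original report and not pkg's own code. It parses the `name<constraints>|url|description` lines shown in the auditfile output above and checks installed `name-version` strings against them. Assumptions: package names are matched exactly, and versions are compared with a simplified key (epoch, numeric components, port revision) rather than pkg's full version-comparison rules. Under this comparison the listed upper bound `<2013.01.17` is exclusive, so version 2013.01.17 falls outside the test-port entry while 2013.01.16 falls inside it.

```python
import operator
import re

# Constructed sample: header and two entries copied from the auditfile output in the report.
SAMPLE_AUDITFILE = """\
#CREATED: 2013-01-17 18:00:05
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
"""

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}
CONSTRAINT = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")


def version_key(version):
    """Assumed simplification: compare (epoch, numeric components, port revision)."""
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    numbers = tuple(int(n) for n in re.findall(r"\d+", version))
    return (int(epoch or 0), numbers, int(revision or 0))


def parse_entry(line):
    """Split 'name<constraints>|url|description' into its fields."""
    pattern, url, description = line.split("|", 2)
    name, constraints = re.match(r"([^<>=]+)(.*)", pattern).groups()
    return name, CONSTRAINT.findall(constraints), url, description


def audit(installed, auditfile_text):
    """Return (package, url, description) for every installed package an entry covers."""
    entries = [parse_entry(line) for line in auditfile_text.splitlines()
               if line and not line.startswith("#")]
    hits = []
    for package in installed:
        name, _, version = package.rpartition("-")
        for entry_name, constraints, url, description in entries:
            if entry_name == name and all(
                    OPS[op](version_key(version), version_key(bound))
                    for op, bound in constraints):
                hits.append((package, url, description))
    return hits


if __name__ == "__main__":
    for pkg in ("vulnerability-test-port-2013.01.17", "vulnerability-test-port-2013.01.16"):
        print(pkg, "->", audit([pkg], SAMPLE_AUDITFILE))
```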

