pkg audit false negatives

Remko Lodder remko at FreeBSD.org
Sat Aug 12 07:57:48 UTC 2017


> On 12 Aug 2017, at 02:37, Roger Marquis <marquis at roble.com> wrote:
> 
> On Fri, 11 Aug 2017, Remko Lodder wrote:
> 
>> If an entry is removed from the ports/pkg trees and it is also removed
>> from VuXML, then yes, it will no longer get marked in your local
>> installation. That's a bit of a chicken and egg basically. Although I do
>> not recall that it ever happened that ports that are no longer there, are
>> removed from VuXML as well. (And I follow that since 2004).
>> Do you have a more concrete example that we can dive into to see what is
>> going on/going wrong?
> 
> Should be able to find missing vulxml entries for most anything that has
> been deprecated from the ports tree but most of the ones I've seen are
> for web programming languages, particularly php.

I do not think that holds:

<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>

This is an entry from svnweb, for php55, which was added on 2016-07-26.

So this entry is there. Thus it did not disappear from VuXML at least.

Can you show such a package from your local installation(s) and present a
``pkg audit -F`` alongside it? I would also like to see a detailed pkg info
from the affected pkg.

Thanks a lot in advance,
Remko

> 
> For example when php5X was dropped it also disappeared from vulxml, with
> no small number of servers still using it.  If those sites depended on
> pkg-audit to tell them they had a vulnerability, well, they were out of
> luck.  There was no warning, no error, no disclaimer, pkg-audit did and
> still does nothing different than it would for a non-vulnerable port or
> package.
> 
> There may be more vulnerabilities in the wild from non-packaged base as
> it is larger but at least people are working on that.  Pkg-audit
> tracking of installed but deprecated ports OTOH, seems to have fallen
> through the cracks.  Even the FreeBSD Foundation and the ports-security
> teams appear to be ignoring this issue.
> 
> Roger Marquis
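The point under discussion in this thread is that an audit tool driven by VuXML can only report what VuXML has an entry for: a package whose name does not occur in vuln.xml at all looks exactly like a package that is covered and clean. The script below is an added illustration written for this page; it is not pkg's code and does not reproduce pkg's version-comparison rules (the ordering here is a deliberate simplification covering epoch, dotted numeric components and port revision). The VuXML fragment is constructed from the php55 entry quoted in the message above; the installed-package list is also constructed, and php54 appears in it purely as a hypothetical package with no VuXML entry, not as a claim about the real vuln.xml.

```python
"""Toy VuXML matcher: separates the three states pkg audit collapses into two.

VULNERABLE  - an entry exists and the installed version is inside a range
CLEAN       - an entry exists but the installed version is outside every range
UNCOVERED   - no entry mentions the package name at all (audit stays silent)
"""
import xml.etree.ElementTree as ET

# Constructed VuXML document.  The php55 <vuln> reproduces the entry quoted
# in the message above; the wrapper element is an assumption for this example.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/2004/vuxml">
  <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# Constructed list of installed packages in name-version form (as `pkg info`
# prints them).  php54 is a hypothetical package with no entry in the sample.
INSTALLED = ["php55-5.5.37", "php55-5.5.38", "php54-5.4.45_1"]


def version_key(version):
    """Simplified FreeBSD version ordering: epoch (after ','), then dotted
    components, then port revision (after '_').  Not pkg's full algorithm."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    # Numeric parts sort after textual parts and never mix types in a compare.
    parts = tuple((1, int(p)) if p.isdigit() else (0, p) for p in version.split("."))
    return (epoch, parts, revision)


def split_pkg(pkgname):
    """'php55-5.5.37' -> ('php55', '5.5.37'); the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version


_OPS = {
    "lt": lambda v, b: v < b,
    "le": lambda v, b: v <= b,
    "gt": lambda v, b: v > b,
    "ge": lambda v, b: v >= b,
    "eq": lambda v, b: v == b,
}


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}vuln' -> 'vuln'."""
    return tag.rsplit("}", 1)[-1]


def load_vuxml(xml_text):
    """Index VuXML by package name: {name: [(vid, topic, ranges), ...]}.
    ranges is a list of <range> elements, each a list of (op, bound) pairs."""
    index = {}
    for vuln in ET.fromstring(xml_text):
        if _local(vuln.tag) != "vuln":
            continue
        vid, topic, packages = vuln.get("vid"), "", []
        for child in vuln:
            if _local(child.tag) == "topic":
                topic = (child.text or "").strip()
            elif _local(child.tag) == "affects":
                packages.extend(child)  # the <package> elements
        for pkg in packages:
            names, ranges = [], []
            for el in pkg:
                if _local(el.tag) == "name":
                    names.append((el.text or "").strip())
                elif _local(el.tag) == "range":
                    ranges.append([(_local(c.tag), (c.text or "").strip()) for c in el])
            for name in names:  # one <package> may list several <name>s
                index.setdefault(name, []).append((vid, topic, ranges))
    return index


def version_in_ranges(version, ranges):
    """Match if ANY <range> matches; within a <range> ALL conditions must hold."""
    v = version_key(version)
    return any(
        all(_OPS[op](v, version_key(bound)) for op, bound in conditions)
        for conditions in ranges
    )


def audit(installed, index):
    """Classify each installed package: {pkgname: (status, [matching vids])}."""
    report = {}
    for pkgname in installed:
        name, version = split_pkg(pkgname)
        entries = index.get(name)
        if entries is None:
            report[pkgname] = ("UNCOVERED", [])  # no entry: pkg audit prints nothing
            continue
        hits = [vid for vid, _t, ranges in entries if version_in_ranges(version, ranges)]
        report[pkgname] = ("VULNERABLE" if hits else "CLEAN", hits)  # CLEAN is silent too
    return report


if __name__ == "__main__":
    for pkgname, (status, vids) in audit(INSTALLED, load_vuxml(SAMPLE_VUXML)).items():
        print(f"{pkgname:20} {status:10} {' '.join(vids)}")
```

Run against the constructed input, php55-5.5.37 reports VULNERABLE with the quoted vid, php55-5.5.38 reports CLEAN, and php54-5.4.45_1 reports UNCOVERED. Only the first of those produces any output from `pkg audit`; a local check that also lists UNCOVERED packages (installed names that never appear in vuln.xml) is the kind of disclaimer the thread is asking about, and a quick way to see whether a deprecated port on a given host has simply fallen out of the database.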
