ports/188022: [PATCH] security/vuxml: fix false positive about www/mod_php5 vulneravilities.
Yasuhiro KIMURA
yasu at utahime.org
Fri Mar 28 06:30:01 UTC 2014
>Number: 188022
>Category: ports
>Synopsis: [PATCH] security/vuxml: fix false positive about www/mod_php5 vulneravilities.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Fri Mar 28 06:30:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Yasuhiro KIMURA
>Release: FreeBSD 10.0-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD xxxx 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260673: Thu Jan 23 22:36:39 JST 2014 xxxx amd64
>Description:
- New port www/mod_php5 is added but 'pkg audit' reports 8
vulneravilities as following. They seem false positive so fix
range of corresponding entries in vuln.xml.
- Add LICENSE.
- Support staging.
>How-To-Repeat:
>Fix:
--- pkg-audit-F.log begins here ---
Script started on Fri Mar 28 14:31:03 2014
command: pkg audit -F
Vulnxml file up-to-date.
mod_php5-5.4.26 is vulnerable:
php -- multiple vulnerabilities
CVE: CVE-2006-4486
CVE: CVE-2006-4485
CVE: CVE-2006-4484
CVE: CVE-2006-4483
CVE: CVE-2006-4482
CVE: CVE-2006-4481
WWW: http://portaudit.FreeBSD.org/ea09c5df-4362-11db-81e1-000e0c2e438a.html
mod_php5-5.4.26 is vulnerable:
php -- vulnerability in RFC 1867 file upload processing
WWW: http://portaudit.FreeBSD.org/562a3fdf-16d6-11d9-bc4a-000c41e2cdad.html
mod_php5-5.4.26 is vulnerable:
php -- php_variables memory disclosure
WWW: http://portaudit.FreeBSD.org/ad74a1bd-16d2-11d9-bc4a-000c41e2cdad.html
mod_php5-5.4.26 is vulnerable:
php -- strip_tags cross-site scripting vulnerability
CVE: CVE-2004-0595
WWW: http://portaudit.FreeBSD.org/edf61c61-0f07-11d9-8393-000103ccf9d6.html
mod_php5-5.4.26 is vulnerable:
php -- memory_limit related vulnerability
CVE: CVE-2004-0594
WWW: http://portaudit.FreeBSD.org/dd7aa4f1-102f-11d9-8a8a-000c41e2cdad.html
mod_php5-5.4.26 is vulnerable:
php -- _ecalloc Integer Overflow Vulnerability
CVE: CVE-2006-4812
WWW: http://portaudit.FreeBSD.org/e329550b-54f7-11db-a5ae-00508d6a62df.html
mod_php5-5.4.26 is vulnerable:
php -- multiple vulnerabilities
CVE: CVE-2004-1065
CVE: CVE-2004-1019
WWW: http://portaudit.FreeBSD.org/d47e9d19-5016-11d9-9b5f-0050569f0001.html
mod_php5-5.4.26 is vulnerable:
php -- open_basedir Race Condition Vulnerability
CVE: CVE-2006-5178
WWW: http://portaudit.FreeBSD.org/edabe438-542f-11db-a5ae-00508d6a62df.html
1 problem(s) in the installed packages found.
Script done on Fri Mar 28 14:31:03 2014
--- pkg-audit-F.log ends here ---
--- patch-security_vuxml begins here ---
Index: Makefile
===================================================================
--- Makefile (revision 349387)
+++ Makefile (working copy)
@@ -14,6 +14,8 @@
MAINTAINER= ports-secteam at FreeBSD.org
COMMENT= Vulnerability and eXposure Markup Language DTD
+LICENSE= BSD2CLAUSE
+
RUN_DEPENDS= ${XMLCATMGR}:${PORTSDIR}/textproc/xmlcatmgr \
${LOCALBASE}/share/xml/dtd/xhtml-modularization/VERSION:${PORTSDIR}/textproc/xhtml-modularization \
${LOCALBASE}/share/xml/dtd/xhtml-basic/xhtml-basic10.dtd:${PORTSDIR}/textproc/xhtml-basic
@@ -46,7 +48,6 @@
VUXML_FILE?= ${PKGDIR}/vuln.xml
-NO_STAGE= yes
do-extract:
@${RM} -rf ${WRKDIR}
@${MKDIR} ${WRKDIR}
@@ -65,13 +66,10 @@
${PLIST}
do-install:
- @[ -d ${PREFIX}/${dir_DTD} ] || \
- ${MKDIR} ${PREFIX}/${dir_DTD}
+ @${MKDIR} ${STAGEDIR}${PREFIX}/${dir_DTD}
.for f in ${DISTFILES}
- ${INSTALL_DATA} ${WRKSRC}/${f} ${PREFIX}/${dir_DTD}/${f}
+ ${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${PREFIX}/${dir_DTD}/${f}
.endfor
- ${XMLCAT_ADD}
- ${SGMLCAT_ADD}
validate: tidy
@${SH} ${FILESDIR}/validate.sh "${VUXML_FILE}"
Index: vuln.xml
===================================================================
--- vuln.xml (revision 349387)
+++ vuln.xml (working copy)
@@ -55637,7 +55637,7 @@
<name>php5-horde</name>
<name>php5-nms</name>
<name>mod_php5</name>
- <range><ge>0</ge></range>
+ <range><lt>5.1.6_1</lt></range>
</package>
</affects>
<description>
@@ -55853,7 +55853,8 @@
<name>php5-nms</name>
<name>mod_php4</name>
<name>mod_php5</name>
- <range><ge>0</ge></range>
+ <range><lt>4.4.4_1</lt></range>
+ <range><ge>5.*</ge><lt>5.1.6_2</lt></range>
</package>
</affects>
<description>
@@ -56832,7 +56833,8 @@
<name>php5-nms</name>
<name>mod_php4</name>
<name>mod_php5</name>
- <range><ge>0</ge></range>
+ <range><lt>4.4.4</lt></range>
+ <range><ge>5</ge><lt>5.1.5</lt></range>
</package>
</affects>
<description>
@@ -76096,7 +76098,7 @@
</package>
<package>
<name>mod_php5</name>
- <range><lt>5.0.3,1</lt></range>
+ <range><lt>5.0.3</lt></range>
</package>
</affects>
<description>
@@ -79080,7 +79082,7 @@
</package>
<package>
<name>mod_php5</name>
- <range><le>5.0.1,1</le></range>
+ <range><le>5.0.1</le></range>
</package>
</affects>
<description>
@@ -79130,7 +79132,7 @@
</package>
<package>
<name>mod_php5</name>
- <range><le>5.0.1,1</le></range>
+ <range><le>5.0.1</le></range>
</package>
</affects>
<description>
@@ -79816,7 +79818,7 @@
</package>
<package>
<name>mod_php5</name>
- <range><le>5.0.0.r3_2,1</le></range>
+ <range><le>5.0.0.r3_2</le></range>
</package>
</affects>
<description>
@@ -79865,7 +79867,7 @@
</package>
<package>
<name>mod_php5</name>
- <range><le>5.0.0.r3_2,1</le></range>
+ <range><le>5.0.0.r3_2</le></range>
</package>
</affects>
<description>
--- patch-security_vuxml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list