Please help un-confuse me about vuxml

Matthew Seaman matthew at FreeBSD.org
Fri Jul 3 13:36:41 UTC 2015


On 2015/07/03 14:01, David Wolfskill wrote:
> And that combination of things catalyzed this note.
> 
> Here's what I'm seeing:
> - There is a claim that the port to which I was trying to update was
>   "vulnerable" per vuxml.

vuxml currently states that netpbm versions /less than/ 10.35.96 are
vulnerable, and has done since about 48h ago.

Given that the latest available version of netpbm is now 10.35.96
(committed at right about the same time as the vuxml update) you should
be able to upgrade to that without problems.

No idea why portmaster is getting this wrong.

> - The vuxml entry effectively required human intervention to update
>   the port.
>
> - The most recent update to the port itself claimed that it had a
>   fix to address said vulnerability.  (This gives one reason to
>   wonder why *this* version of the port had a vuxml entry, then.)

This is what the vuxml says:

      <package>
        <name>netpbm</name>
        <range><lt>10.35.96</lt></range>
      </package>

Which means that 10.35.95 or anything earlier is vulnerable, but
10.35.96 and above is not.

> - I had no feasible way to have a clue about any of this until the
>   artificial failure disrupted the usual update process.

For a second opinion on what vulnerabilities you may have, try 'pkg
audit -F' (which will work just fine no matter if you're installing
pre-compiled pkgs or building your own from ports).

> - As far as I can tell, there was no value in the existence of the vuxml
>   entry for this port under these circumstances.  Rather, it was merely
>   annoying and disruptive, for no gain whatsoever.  There wasn't even an
>   UPDATING entry to warn a person about what was going on.

There's no requirement that a fixed version be available from ports
before vuxml gets updated.  Quite the opposite in fact.  Admins should
be informed if they are running vulnerable software so they can take
some sort of ameliorative action even if the official fix is not yet
published.

Why would you expect an UPDATING entry here?  Documenting every
vulnerability in the ports isn't what UPDATING is for.  Only if the way
you would need to fix the vulnerability involved doing more than a
simple upgrade would that be legitimate UPDATING territory.

> So... what am I missing?  How is a vuxml entry for ports/graphics/netpbm
> @r391058 that claims it's vulnerable per CVE-2015-3885 useful or
> helpful?

A vuxml entry in general tells you what is vulnerable and gives you the
chance to do something about it -- even if what you do is to consider
the nature of the vulnerability and decide that it's an acceptable risk
in your environment and so simply ignore it -- rather than the
alternative of discovering there was a vulnerability because your
machine has now been compromised...

Another response (for the sufficiently paranoid) might have been to
delete the vulnerable package and do without it until the fix was available.

Although I have no idea why that particular version of netpbm was being
flagged as vulnerable for you.

	Cheers,

	Matthew

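To make the `<range><lt>10.35.96</lt></range>` semantics and the `pkg audit` style check concrete, here is an added example that is not part of the mail thread and not the code of pkg(8) or the ports tree: it parses a constructed VuXML fragment modelled on the quoted `<package>` block (the `vid` and `<topic>` values are placeholders, not a real entry), compares an installed version against each `<range>`, and reports matches. The version comparison is a deliberately simplified reading of FreeBSD package versions (dotted numbers, an optional `_N` PORTREVISION and `,N` PORTEPOCH), not a full reimplementation of pkg's comparison rules.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample modelled on the <package> block quoted above.
# The vid and topic are placeholders, not a real VuXML entry.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>netpbm -- constructed example entry</topic>
    <affects>
      <package>
        <name>netpbm</name>
        <range><lt>10.35.96</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(v: str) -> Tuple[int, List[int], int]:
    """Split a version into (epoch, numeric components, portrevision).

    Simplified: handles '10.35.96', '10.35.96_1' and '10.35.96_1,2'.
    Letter suffixes and other pkg-specific rules are not modelled.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = [int(p) for p in v.split(".")]
    return epoch, parts, rev


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is less than, equal to or greater than b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    # pad so that 10.35 and 10.35.0 compare equal
    pa = pa + [0] * (n - len(pa))
    pb = pb + [0] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# VuXML range operators, applied to compare(installed, boundary)
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def range_matches(range_el: ET.Element, installed: str) -> bool:
    """A <range> matches only if every bound inside it holds."""
    for cond in range_el:
        op = cond.tag.split("}")[-1]  # strip the XML namespace
        if not OPS[op](compare(installed, cond.text.strip())):
            return False
    return True


def audit(vuxml_text: str, installed: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, vid, topic) for each installed package
    whose version falls inside an affected range."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            if name not in installed:
                continue
            for rng in pkg.findall("v:range", NS):
                if range_matches(rng, installed[name]):
                    hits.append((name, installed[name], vid, topic))
                    break
    return hits


if __name__ == "__main__":
    for ver in ("10.35.95", "10.35.95_2", "10.35.96", "10.35.96_1"):
        print(ver, "->", "vulnerable" if audit(SAMPLE_VUXML, {"netpbm": ver}) else "ok")
```

Running it shows the point made in the mail: 10.35.95 (with or without a PORTREVISION) falls inside `<lt>10.35.96</lt>`, while 10.35.96 and 10.35.96_1 do not, so a tool comparing the same way should let the upgrade to 10.35.96 through.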