pkg audit systemwide vs pkg audit packagewise
Ben Woods
woodsb02 at gmail.com
Tue May 3 11:44:14 UTC 2016
On Tuesday, 3 May 2016, Christoph Pilka <c.pilka at asconix.com> wrote:
> Hi,
>
> I have a sort of weird behaviour when it comes to pkg audits. Same system:
>
> #~ pkg audit -F
>
> tells me:
>
> Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
> 0 problem(s) in the installed packages found.
>
> but running pkg audit for a specific package, e.g. bash:
>
> #~ pkg audit -F bash
>
> tells me:
>
> Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
> bash is vulnerable:
> Affected versions:
> < 4.3.25_2
> bash -- remote code execution
> CVE: CVE-2014-6278
> CVE: CVE-2014-6277
> WWW:
> https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html
>
> bash is vulnerable:
> Affected versions:
> < 4.3.27_1
> bash -- out-of-bounds memory access in parser
> CVE: CVE-2014-7187
> CVE: CVE-2014-7186
> WWW:
> https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
>
> bash is vulnerable:
> Affected versions:
> > 4.3 : < 4.3.25_1
> > 4.2 : <= 4.2.48
> > 4.1 : <= 4.1.12
> > 4.0 : <= 4.0.39
> > 3.2 : <= 3.2.52
> > 3.1 : <= 3.1.18
> > 3.0 : <= 3.0.17
> bash -- remote code execution vulnerability
> CVE: CVE-2014-7169
> CVE: CVE-2014-6271
> WWW:
> https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html
>
> 1 problem(s) in the installed packages found.
>
> That's confusing, especially because none of the version numbers in the
> CVEs listed above actually matches the version of bash that is
> installed on the system:
>
> #~ pkg info bash | grep ^Version
>
> Version : 4.3.42_1
>
> Am I doing something wrong or is it actually a bug?
>
> Cheerio,
> Chris
>
Hi Chris,
Whilst this behaviour is not described in the pkg-audit(8) man page, it
appears that when "pkg audit" is run without a specific package name it
only shows vulnerabilities that affect the installed versions of packages,
whilst when run with a specific package it shows all vulnerabilities
whether the installed package versions are affected or not.
If you review the output of "pkg audit -F bash" you will notice that none
of the vulnerabilities affect your installed version of bash 4.3.42_1.
Regards,
Ben
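To make the point of the reply concrete, here is an added example (it is not from the thread and not pkg's own code) that replays the quoted "Affected versions" ranges against an installed version, using a simplified form of the pkg-version(8) ordering (epoch, dotted numeric components, then the _revision; alphabetic components are an assumption left out). The installed 4.3.42_1 falls inside none of the three entries, which is what the system-wide run filters on, while the per-package run lists every entry regardless.

```python
# Constructed from the quoted "pkg audit -F bash" output: one list of
# range strings per VuXML entry, in the order they were printed.
AFFECTED_RANGES = [
    ["< 4.3.25_2"],
    ["< 4.3.27_1"],
    ["> 4.3 : < 4.3.25_1", "> 4.2 : <= 4.2.48", "> 4.1 : <= 4.1.12",
     "> 4.0 : <= 4.0.39", "> 3.2 : <= 3.2.52", "> 3.1 : <= 3.1.18",
     "> 3.0 : <= 3.0.17"],
]

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def parse_version(v):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision).
    Simplified pkg-version(8) rules (assumption): components are numeric only."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    return epoch, tuple(int(p) for p in v.split(".")), rev


def version_cmp(a, b):
    """Return -1, 0 or 1 like 'pkg version -t a b'; missing components are 0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    ka = (ea, pa + (0,) * (n - len(pa)), ra)
    kb = (eb, pb + (0,) * (n - len(pb)), rb)
    return (ka > kb) - (ka < kb)


def in_range(installed, range_str):
    """True if installed satisfies every bound in e.g. '> 4.3 : < 4.3.25_1'."""
    for bound in range_str.split(":"):
        op, ver = bound.split()
        if not OPS[op](version_cmp(installed, ver)):
            return False
    return True


def affected_entries(installed, entries=AFFECTED_RANGES):
    """Indices of entries whose ranges match installed: the filter applied by
    the unqualified 'pkg audit' run, per the reply above."""
    return [i for i, ranges in enumerate(entries)
            if any(in_range(installed, r) for r in ranges)]
```

affected_entries("4.3.42_1") returns an empty list, matching the "0 problem(s)" result, whereas a pre-Shellshock build such as 4.3.24 matches all three entries.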