Bug 169152 - security/vuxml: portaudit fails to recognize changes in port revision for irc/inspircd
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Jason Helfman
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-16 12:30 UTC by Trond Endrestøl
Modified: 2012-06-22 06:53 UTC (History)

See Also:


Description Trond Endrestøl 2012-06-16 12:30:18 UTC
Despite having recently upgraded irc/inspircd from 2.0.5_1 to 2.0.5_2, i.e. port revision 2, portaudit -Fda keeps complaining about the need for further upgrades of irc/inspircd.

Example:

root@enterprise:~>portaudit -Fda
auditfile.tbz                                 100% of   77 kB   40 kBps
New database installed.
Database created: Sat 16 Jun 2012 13:15:04 CEST
Affected package: inspircd-2.0.5_2
Type of problem: inspircd -- buffer overflow.
Reference: http://portaudit.FreeBSD.org/f5f00804-a03b-11e1-a284-0023ae8e59f0.html

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
root@enterprise:~>pkg_version -ov | grep inspircd
irc/inspircd                        =   up-to-date with port

End example.

According to http://portaudit.FreeBSD.org/f5f00804-a03b-11e1-a284-0023ae8e59f0.html, the DNS buffer overflow is only present in versions less than 2.0.5. I.e. 2.0.5_1, 2.0.5_2, 2.0.5_whatever should be unaffected by this definition.

I had the same issue with databases/postgresql91-server back in May 2012. portaudit was unable to differentiate between postgresql-server-9.1.3 and postgresql-server-9.1.3_1.

The ports infrastructure refused to let me upgrade irc/inspircd from 2.0.5_1 to 2.0.5_2. I actually had to forcefully upgrade irc/inspircd using these commands:

setenv DISABLE_VULNERABILITIES yes
portupgrade -fprv irc/inspircd

The same was true when upgrading from 2.0.5 to 2.0.5_1.

The same steps were necessary for postgresql-server-9.1.3 back in May.

Fix: 

1. Forcefully upgrade affected ports, i.e. setenv DISABLE_VULNERABILITIES yes.
2. Keep in mind which ports are in fact upgraded to their latest available version/port revision, despite whatever portaudit tells you. The latter is clearly unacceptable.
How-To-Repeat:

1. Refresh the ports hierarchy.
2. Ensure ports-mgmt/portaudit is installed.
3. Run portaudit -Fda.
4. Attempt upgrade or fresh installation of irc/inspircd.
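The report turns on how a VuXML version range is matched against an installed package whose name carries a PORTREVISION suffix (2.0.5_2). The following is an added example, not code from this PR, from portaudit or from security/vuxml: a simplified model of the pkg_version(1) ordering (PORTEPOCH after "," dominates, then the dotted version, then PORTREVISION after "_"), plus a range check using the VuXML operator names lt/le/gt/ge/eq. The "lt 2.0.5" range is the one the reporter reads off the advisory page; the "lt 2.0.6" entry and its vid are constructed here only to show what an over-broad range would do, and say nothing about what vuln.xml actually contained. The real comparator also handles stage keywords (alpha, beta, pre, rc, pl), which this model omits.

```python
"""Simplified FreeBSD pkg_version(1) ordering and VuXML-style range matching.

Added example (not from the PR, portaudit or vuxml).  Ordering modelled:
  1. PORTEPOCH  (suffix ",N")  -- highest priority
  2. dotted VERSION components, numeric parts compared as integers
  3. PORTREVISION (suffix "_N")
Stage keywords (alpha/beta/pre/rc/pl) of the real comparator are NOT handled.
"""
import re

# Constructed sample input: the installed package named in the PR.
INSTALLED = "inspircd-2.0.5_2"

# Constructed VuXML-like entries.  The first uses the range the reporter reads
# from the advisory page ("less than 2.0.5").  The second is a hypothetical
# over-broad range with a made-up vid, included only for contrast.
VULNS = [
    {"vid": "f5f00804-a03b-11e1-a284-0023ae8e59f0",
     "package": "inspircd", "ranges": [{"lt": "2.0.5"}]},
    {"vid": "example-overbroad-range",            # hypothetical, not real
     "package": "inspircd", "ranges": [{"lt": "2.0.6"}]},
]


def parse_version(pkgver):
    """Parse 'VERSION[_REVISION][,EPOCH]' -> (epoch, [(num, alpha), ...], revision)."""
    epoch = revision = 0
    if "," in pkgver:                      # PORTEPOCH, e.g. "1.0,1"
        pkgver, e = pkgver.rsplit(",", 1)
        epoch = int(e)
    if "_" in pkgver:                      # PORTREVISION, e.g. "2.0.5_2"
        pkgver, r = pkgver.rsplit("_", 1)
        revision = int(r)
    comps = []
    for part in pkgver.split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)", part)
        if m is None:
            raise ValueError("unsupported version component: %r" % part)
        num, alpha = m.groups()
        comps.append((int(num) if num else 0, alpha))
    return epoch, comps, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching the '<', '=' or '>' that pkg_version -t prints."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    n = max(len(ca), len(cb))              # pad so 2.0 compares equal to 2.0.0
    ca = ca + [(0, "")] * (n - len(ca))
    cb = cb + [(0, "")] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:                           # same version: revision decides
        return -1 if ra < rb else 1
    return 0


OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def in_range(pkgver, bounds):
    """bounds is a dict of VuXML operators, e.g. {'ge': '2.0', 'lt': '2.0.5'}; all must hold."""
    return all(OPS[op](compare_versions(pkgver, bound)) for op, bound in bounds.items())


def split_pkgname(pkgname):
    """'inspircd-2.0.5_2' -> ('inspircd', '2.0.5_2')."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver


def audit(installed, vulns):
    """Return the vids whose package name and any range match the installed package."""
    name, ver = split_pkgname(installed)
    return [v["vid"] for v in vulns
            if v["package"] == name and any(in_range(ver, b) for b in v["ranges"])]


if __name__ == "__main__":
    print("2.0.5_2 vs 2.0.5:", compare_versions("2.0.5_2", "2.0.5"))
    print("affected by:", audit(INSTALLED, VULNS))
```

Under this ordering 2.0.5_2 sorts above 2.0.5, so a range of lt 2.0.5 does not cover it; only a range whose upper bound lies above the revision (the constructed lt 2.0.6 entry) keeps flagging every 2.0.5_N revision, which is the symptom the report describes. When checking a suspected false positive, compare the installed version against each bound of the published range in exactly this order, epoch first, revision last.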
Comment 1 Mark Linimon 2012-06-22 03:07:09 UTC
Responsible Changed
From-To: freebsd-ports-bugs->jgh

jgh, you were the last one to work on the vuxml entry for this port -- 
can you take a look to see what's going on?  Thanks.
Comment 2 dfilter service 2012-06-22 06:42:29 UTC
jgh         2012-06-22 05:42:13 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - fix range for f5f00804-a03b-11e1-a284-0023ae8e59f0
  - add url
  - adjust modified accordingly
  
  PR:     ports/169152
  Submitted by:   Trond.Endrestol@ximalas.info
  
  Revision  Changes    Path
  1.2743    +5 -4      ports/security/vuxml/vuln.xml
Comment 3 Jason Helfman 2012-06-22 06:52:57 UTC
State Changed
From-To: open->closed

Committed. Thanks!