Bug 249110 - security/gnupg: 2.2.23 is incorrectly marked as vulnerable by pkg audit
Summary: security/gnupg: 2.2.23 is incorrectly marked as vulnerable by pkg audit
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Adam Weinberger
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-04 15:03 UTC by Jose G. Juanino
Modified: 2020-09-04 21:12 UTC
CC List: 0 users

See Also:
bugzilla: maintainer-feedback? (adamw)


Description Jose G. Juanino 2020-09-04 15:03:09 UTC
Hi, I have updated security/gnupg to version 2.2.23 to address CVE-2013-4576, but the port is still considered vulnerable by pkg audit:

# pkg info -x gnupg
gnupg-2.2.23

# pkg audit gnupg-2.2.23
gnupg-2.2.23 is vulnerable:
gnupg -- AEAD key import overflow
CVE: CVE-2020-25125
WWW: https://vuxml.FreeBSD.org/freebsd/f9fa7adc-ee51-11ea-a240-002590acae31.html

1 problem(s) in 1 installed package(s) found.


I have inspected the registered item in vuxml database and it seems to be fine:

  <vuln vid="f9fa7adc-ee51-11ea-a240-002590acae31">
    <topic>gnupg -- AEAD key import overflow</topic>
    <affects>
      <package>
        <name>gnupg</name>
        <range><ge>2.2.21</ge></range>
        <range><lt>2.2.23</lt></range>
      </package>

As you can see, 2.2.23 is out of the range, and therefore 2.2.23 is not vulnerable.

Am I doing something wrong or misunderstanding something?

Regards
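The commit below fixes the "version range specification", and the cause is visible in the entry quoted in the report: in VuXML each `<range>` element is an independent interval and a package is affected if any one of them matches, while the bounds inside a single `<range>` are ANDed. Written as two separate ranges, `<range><ge>2.2.21</ge></range>` has no upper bound at all, so it matches 2.2.23 on its own. The following small matcher is an added example, not part of the bug report, of vuxml or of pkg(8); it re-implements only the OR-of-ranges / AND-of-bounds rule with a simplified dotted-numeric version comparison (pkg's real comparator also handles `_N` revisions, `,N` epochs and letter suffixes). The "assumed fixed" entry, with both bounds inside one `<range>`, is my assumption of what the corrected entry looks like; the actual r547571 diff is not on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <affects> block quoted in the bug report, wrapped in
# closing tags so it parses. Two separate <range> elements, as in the report.
VULN_AS_REPORTED = """\
<vuln vid="f9fa7adc-ee51-11ea-a240-002590acae31">
  <topic>gnupg -- AEAD key import overflow</topic>
  <affects>
    <package>
      <name>gnupg</name>
      <range><ge>2.2.21</ge></range>
      <range><lt>2.2.23</lt></range>
    </package>
  </affects>
</vuln>
"""

# Assumed corrected form (the real r547571 diff is not on the page): both bounds
# inside ONE <range>, so they are ANDed into 2.2.21 <= version < 2.2.23.
VULN_ASSUMED_FIXED = """\
<vuln vid="f9fa7adc-ee51-11ea-a240-002590acae31">
  <topic>gnupg -- AEAD key import overflow</topic>
  <affects>
    <package>
      <name>gnupg</name>
      <range><ge>2.2.21</ge><lt>2.2.23</lt></range>
    </package>
  </affects>
</vuln>
"""


def parse_version(v: str) -> tuple:
    """Simplified comparator: dotted numeric components only.
    pkg(8)'s real algorithm also handles _N revisions, ,N epochs and letters;
    plain x.y.z is all this entry needs."""
    return tuple(int(p) for p in v.strip().split("."))


# Comparison for each bound tag VuXML allows inside a <range>.
BOUNDS = {
    "lt": lambda v, b: v < b,
    "le": lambda v, b: v <= b,
    "gt": lambda v, b: v > b,
    "ge": lambda v, b: v >= b,
    "eq": lambda v, b: v == b,
}


def range_matches(rng: ET.Element, version: str) -> bool:
    """One <range> matches only if EVERY bound inside it holds (bounds are ANDed).
    A <range> with a single <ge> therefore has no upper limit."""
    v = parse_version(version)
    return all(BOUNDS[b.tag](v, parse_version(b.text)) for b in rng)


def matching_ranges(vuln_xml: str, pkgname: str, version: str) -> list:
    """Return a description of each <range> that matches the given package
    version. The package is affected if ANY range matches (ranges are ORed),
    which is how pkg audit evaluates a VuXML entry."""
    root = ET.fromstring(vuln_xml)
    hits = []
    for pkg in root.iter("package"):
        if pkgname not in {n.text.strip() for n in pkg.findall("name")}:
            continue
        for rng in pkg.findall("range"):
            if range_matches(rng, version):
                hits.append(" ".join(f"{b.tag} {b.text.strip()}" for b in rng))
    return hits


def is_vulnerable(vuln_xml: str, pkgname: str, version: str) -> bool:
    """True when at least one <range> for the package matches."""
    return bool(matching_ranges(vuln_xml, pkgname, version))


if __name__ == "__main__":
    for label, xml in (("as reported", VULN_AS_REPORTED),
                       ("assumed fixed", VULN_ASSUMED_FIXED)):
        hits = matching_ranges(xml, "gnupg", "2.2.23")
        state = "vulnerable" if hits else "not vulnerable"
        print(f"{label}: gnupg-2.2.23 is {state}; matching ranges: {hits}")
```

Run as-is, the "as reported" entry flags gnupg-2.2.23 through the open-ended `ge 2.2.21` range, which is exactly the false positive pkg audit printed; the single combined range matches 2.2.21 and 2.2.22 but not 2.2.23 or 2.2.20. The same rule is worth remembering when reviewing any VuXML submission: two `<range>` lines that are meant to describe one interval will flag every version.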
Comment 1 Adam Weinberger freebsd_committer freebsd_triage 2020-09-04 20:59:36 UTC
Thanks for reporting this!

I clearly messed up the version range somehow, but I'm not clear what I did wrong. I've reached out to others.
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-09-04 21:09:12 UTC
A commit references this bug:

Author: adamw
Date: Fri Sep  4 21:08:42 UTC 2020
New revision: 547571
URL: https://svnweb.freebsd.org/changeset/ports/547571

Log:
  security/vuxml: Fix gnupg version range specification

  Thanks to swills for pointing me to the error here.

  PR:		249110
  Reported by:	jjuanino gmail

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Adam Weinberger freebsd_committer freebsd_triage 2020-09-04 21:12:36 UTC
Should be fixed now. Thanks again for reporting!