Bug 116115 - Bug in portaudit: it does not handle packagenames with ,
Summary: Bug in portaudit: it does not handle packagenames with ,
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: misc
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-05 11:20 UTC by Klavs Klavsen
Modified: 2007-09-05 12:30 UTC (History)
Description Klavs Klavsen 2007-09-05 11:20:01 UTC
Hi guys,

I was just testing portaudit on FreeBSD 6.2.

I have mod_jk-1.2.19,1 installed.

a portaudit -Fda does not show it's vulnerable to anything.

However - it really is, and it's in the vulndb as well.

If I rename mod_jk-1.2.19,1 to mod_jk-1.2.19 a portaudit -Fda (or just -a)
says it's vulnerable.

So the conclusion is that portaudit's "version number" matching doesn't
seem to handle ,'s all that well.

How-To-Repeat: rename mod_jk to mod_jk-1.2.19,1 and see it NOT work.
Comment 1 Remko Lodder freebsd_committer freebsd_triage 2007-09-05 12:26:24 UTC
Klavs Klavsen wrote:
>> Number:         116115
>> Category:       misc
>> Synopsis:       Bug in portaudit: it does not handle packagenames with ,
>> Confidential:   no
>> Severity:       critical
>> Priority:       high
>> Responsible:    freebsd-bugs
>> State:          open
>> Quarter:        
>> Keywords:       
>> Date-Required:
>> Class:          sw-bug
>> Submitter-Id:   current-users
>> Arrival-Date:   Wed Sep 05 10:20:01 GMT 2007
>> Closed-Date:
>> Last-Modified:
>> Originator:     Klavs Klavsen
>> Release:        FreeBSD-6.2
>> Organization:
> EnableIT
>> Environment:
> FreeBSD tomcat5-ny.telmore.dk 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
> 
>> Description:
> Hi guys,
> 
> I was just testing portaudit on FreeBSD 6.2.
> 
> I have mod_jk-1.2.19,1 installed.
> 
> a portaudit -Fda does not show it's vulnerable to anything.
> 
> However - it really is, and it's in the vulndb as well.
> 
> If I rename mod_jk-1.2.19,1 to mod_jk-1.2.19 a portaudit -Fda (or just -a)
> says it's vulnerable.
> 
> So the conclusion is that portaudit's "version number" matching doesn't
> seem to handle ,'s all that well.
>> How-To-Repeat:
> rename mod_jk to mod_jk-1.2.19,1 and see it NOT work. 
>> Fix:
> 
> 

Actually you are incorrect strictly seen. You are correct that there is
a problem though :-). Portaudit handles the ,\d perfectly, though
PORTEPOCH (as the ,\d is called) makes version handling very different.
If a port has PORTEPOCH, this always is 'newer' than any other version
available. This is to make sure we can rollback from newer version.

I fixed this in the vuxml document seconds ago.

Thanks for noting this!

Cheers
remko
-- 
Kind regards,

     Remko Lodder               ** remko@elvandar.org
     FreeBSD                    ** remko@FreeBSD.org

     /* Quis custodiet ipsos custodes */
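
The PORTEPOCH behaviour described in the comment above, as an added example that is not part of the original thread and is not portaudit's own code: a simplified comparison of `version[_revision][,epoch]` strings, plus a check for packages that a vulnerability range misses only because its bound has a lower epoch. The upper bound `1.2.21`, the epoch-aware bound `1.2.21,1` and all function names are assumptions made for illustration; the real vuln.xml values are not shown on this page.

```python
import re
from typing import NamedTuple

class PortVersion(NamedTuple):
    # Field order is the comparison order: PORTEPOCH outranks everything else.
    epoch: int
    parts: tuple
    revision: int

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")

def parse_version(text):
    """Parse 'version[_revision][,epoch]' (simplified: numeric dotted versions only)."""
    m = _VERSION.match(text)
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return PortVersion(int(m.group(3) or 0), parts, int(m.group(2) or 0))

def split_pkgname(pkgname):
    """'mod_jk-1.2.19,1' -> ('mod_jk', PortVersion(epoch=1, ...))."""
    name, _, version = pkgname.rpartition("-")
    return name, parse_version(version)

def is_affected(pkgname, vuln_name, vuln_lt):
    """True if pkgname falls under a '< vuln_lt' range for vuln_name."""
    name, version = split_pkgname(pkgname)
    return name == vuln_name and version < parse_version(vuln_lt)

def epoch_blind_spots(installed, entries):
    """Packages an entry misses only because its bound has a lower PORTEPOCH."""
    missed = []
    for pkgname in installed:
        name, version = split_pkgname(pkgname)
        for vuln_name, vuln_lt in entries:
            bound = parse_version(vuln_lt)
            if (name == vuln_name and version.epoch > bound.epoch
                    and version._replace(epoch=bound.epoch) < bound):
                missed.append((pkgname, vuln_lt))
    return missed

# Constructed data: 1.2.21 is a placeholder bound, not the real vuln.xml value.
INSTALLED = ["mod_jk-1.2.19,1"]
STALE_ENTRY = [("mod_jk", "1.2.21")]      # bound written without PORTEPOCH
FIXED_ENTRY = [("mod_jk", "1.2.21,1")]    # bound carrying the same PORTEPOCH

if __name__ == "__main__":
    print(is_affected("mod_jk-1.2.19", *STALE_ENTRY[0]))
    print(is_affected("mod_jk-1.2.19,1", *STALE_ENTRY[0]))
    print(epoch_blind_spots(INSTALLED, STALE_ENTRY))
    print(epoch_blind_spots(INSTALLED, FIXED_ENTRY))
```

Running `epoch_blind_spots` over the installed package list and the audit database entries after a port gains a PORTEPOCH shows which ranges need their bounds updated.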
Comment 2 dfilter service freebsd_committer freebsd_triage 2007-09-05 12:26:38 UTC
remko       2007-09-05 11:26:32 UTC

  FreeBSD ports repository (src,doc committer)

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Fix mod_jk's version since PORTEPOCH came into play.
  
  PR:             116115
  Reported by:    Klavs Klavsen <klavs at EnableIT dot dk>
  
  Revision  Changes    Path
  1.1412    +3 -2      ports/security/vuxml/vuln.xml
Comment 3 Remko Lodder freebsd_committer freebsd_triage 2007-09-05 12:28:46 UTC
State Changed
From-To: open->closed

I fixed this some seconds ago in the Vuxml document. Thank you for
reporting!