"pkg audit -F" incorrectly reports ruby-2.0.0.647,1 as vulnerable. I have confirmed that it is NOT vulnerable by checking both https://www.ruby-lang.org/en/ and https://vuxml.freebsd.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html. I have "DEFAULT_VERSIONS+=ruby=2.0" in my /etc/make.conf file. It appears that the problem is in the vuln.xml file, as it checks for installed ports named ruby20, ruby, and ruby22. If I remove the vuln.xml entry for "ruby", the ruby20 port is no longer marked as vulnerable. It appears that some part of the ports framework thinks that ruby20 is "ruby" for purposes of checking for vulnerabilities. I am not sure why that is happening, as "pkg info -o ruby" reports the origin as ruby20. Note: Bug filed after emailing ruby@freebsd.org and receiving no response after 10 days.
/usr/ports/lang/ruby20 # make -V PKGNAME
ruby20-2.0.0.647,1
/usr/ports/lang/ruby21 # make -V PKGNAME
ruby-2.1.7,1
/usr/ports/lang/ruby22 # make -V PKGNAME
ruby22-2.2.3,1

If you're using ruby 2.0, the package name is "ruby20". You've indicated your installed package name is "ruby-2.0.0.647,1" but this is not correct and explains why it's being marked as vulnerable. Your installed package should be ruby20-2.0.0.647,1.

It appears you have a problem with your ports tree. Have you made local modifications? Are you checked out from SVN? Can you fetch a clean ports tree, delete your existing ruby install, and rebuild/reinstall it?
(In reply to Mark Felder from comment #1)
> /usr/ports/lang/ruby20 # make -V PKGNAME
> ruby20-2.0.0.647,1
> /usr/ports/lang/ruby21 # make -V PKGNAME
> ruby-2.1.7,1
> /usr/ports/lang/ruby22 # make -V PKGNAME
> ruby22-2.2.3,1
>
> If you're using ruby 2.0, the package name is "ruby20". You've indicated
> your installed package name is "ruby-2.0.0.647,1" but this is not correct
> and explains why it's being marked as vulnerable. Your installed package
> should be ruby20-2.0.0.647,1.

If he's using DEFAULT_VERSIONS=ruby=20 or something, his ruby 2.0 port will be called ruby and not ruby20, a bit like the Perl ports do.
Created attachment 161239 [details] Demonstration of the bug depending on /etc/make.conf
No, if one follows the instructions in /usr/ports/UPDATING dated 20150301 (the most recent for ruby20), /usr/ports/lang/ruby20 is installed as "ruby". See the attachment, where I remove the entire /usr/ports/lang/ruby* tree, check it out again, and demonstrate the port name changing between ruby and ruby20 depending on the presence of "DEFAULT_VERSIONS+=ruby=2.0" in /etc/make.conf (as advised by the aforementioned UPDATING entry).
(In reply to Mathieu Arnold from comment #2) I'm not sure there's anything ports-secteam can do about this then. The vuxml entries match on PKGNAME and if this change alters PKGNAME the vuxml data will not accurately match. This sounds like both Perl and Ruby need to change their behavior because this is very unexpected.
Would it be possible to update the vuln.xml file to use: <range><ge>foo</ge><lt>bar</lt></range> so that it would only trigger for certain versions of Ruby, regardless of what the port was named?
(In reply to Mark Felder from comment #5)
> (In reply to Mathieu Arnold from comment #2)
>
> I'm not sure there's anything ports-secteam can do about this then. The
> vuxml entries match on PKGNAME and if this change alters PKGNAME the vuxml
> data will not accurately match.
>
> This sounds like both Perl and Ruby need to change their behavior because
> this is very unexpected.

Sorry, what? I'm sorry, but no, the *default* Perl or Ruby package is always called "perl5" or "ruby", and the non default Perl ports are called perl5.xx, and the non default Ruby ports are called rubyXX. This is not going to change, especially as I'm quite sure vuxml can cope easily.
(In reply to terry from comment #6)
> Would it be possible to update the vuln.xml file to use:
>
> <range><ge>foo</ge><lt>bar</lt></range>
>
> so that it would only trigger for certain versions of Ruby, regardless of
> what the port was named?

It can be something like:

<package>
  <name>ruby</name>
  <name>ruby20</name>
  <range><ge>2.0.0</ge><lt>2.0.4_12</lt></range>
</package>

or something, yes.
In order for this to work correctly I would have to alter the vuxml like this:

<package>
  <name>ruby</name>
  <name>ruby20</name>
  <name>ruby22</name>
  <range><ge>2.0</ge><lt>2.0.0.645,1</lt></range>
  <range><ge>2.1</ge><lt>2.1.6,1</lt></range>
  <range><ge>2.2</ge><lt>2.2.2,1</lt></range>
</package>

Which would produce this:

Affected packages
2.0 <= ruby < 2.0.0.645,1
2.1 <= ruby < 2.1.6,1
2.2 <= ruby < 2.2.2,1
2.0 <= ruby20 < 2.0.0.645,1
2.1 <= ruby20 < 2.1.6,1
2.2 <= ruby20 < 2.2.2,1
2.0 <= ruby22 < 2.0.0.645,1
2.1 <= ruby22 < 2.1.6,1
2.2 <= ruby22 < 2.2.2,1
Other than some unneeded checks (ruby20 should always refer to 2.0, ruby22 should always refer to 2.2 - it is only ruby (no suffix) that can refer to multiple versions) that type of solution seems fine. However, with the entry updated as you show above, it is still complaining that ruby-2.0.0.647,1 is vulnerable. If it helps, I can give you access to a system where this is happening and chown the vuln.xml file so you can modify it to help track down the issue.
OT: is ruby2.0 still not default for us ?
(In reply to terry from comment #10)

How are you testing your locally edited vuxml entry? Are you setting the PKG_DBDIR env?

$ env PKG_DBDIR=/usr/ports/security/vuxml pkg audit
(In reply to Mark Felder from comment #12) I was editing /var/db/pkg/vuln.xml and then doing "pkg audit". After each attempt, I removed the file and did a "pkg audit -F" to fetch a clean copy.
(In reply to Mark Felder from comment #9)

Actually I'm overthinking this. This change would be sufficient:

<package>
  <name>ruby</name>
  <name>ruby20</name>
  <range><ge>2.0</ge><lt>2.0.0.645,1</lt></range>
</package>
<package>
  <name>ruby</name>
  <range><lt>2.1.6,1</lt></range>
</package>
<package>
  <name>ruby</name>
  <name>ruby22</name>
  <range><ge>2.2</ge><lt>2.2.2,1</lt></range>
</package>

which results in:

Affected packages
2.0 <= ruby < 2.0.0.645,1
2.0 <= ruby20 < 2.0.0.645,1
ruby < 2.1.6,1
2.2 <= ruby < 2.2.2,1
2.2 <= ruby22 < 2.2.2,1
(In reply to terry from comment #13)

You're right, it would fail because our <ge> entries don't have ,1 for the PORTEPOCH.

<package>
  <name>ruby</name>
  <name>ruby20</name>
  <range><ge>2.0,1</ge><lt>2.0.0.645,1</lt></range>
</package>
<package>
  <name>ruby</name>
  <range><ge>2.1,1</ge><lt>2.1.6,1</lt></range>
</package>
<package>
  <name>ruby</name>
  <name>ruby22</name>
  <range><ge>2.2,1</ge><lt>2.2.2,1</lt></range>
</package>

Try that. It seems to be working when I pass various ruby versions to pkg audit.
(In reply to Mark Felder from comment #15)

Yes, that seems to fix it. I also tested changing the affected version from 2.0.0.645,1 to 2.0.0.648,1 and that correctly flagged my 2.0.0.647,1 install as vulnerable. So, it seems good to go here.

My only comment would be to perhaps change:

<package>
  <name>ruby</name>
  <range><ge>2.1,1</ge><lt>2.1.6,1</lt></range>
</package>

to:

<package>
  <name>ruby</name>
  <name>ruby21</name>
  <range><ge>2.1,1</ge><lt>2.1.6,1</lt></range>
</package>

so that this doesn't pop up again if the default Ruby version is changed to 2.2 at some future time. Thanks!
(In reply to terry from comment #16) I can't disagree. I'll commit this.
(In reply to Mark Felder from comment #17) Thanks!
A commit references this bug:

Author: feld
Date: Wed Sep 23 20:24:29 UTC 2015
New revision: 397659
URL: https://svnweb.freebsd.org/changeset/ports/397659

Log:
  Fix older ruby vuxml entry

  If you follow official instructions to change your default ruby version
  it alters the ruby package name and vuxml will produce false positives.
  This change will solve these scenarios.

  PR:		203227

Changes:
  head/security/vuxml/vuln.xml
This has been broken again in the same manner by r404311. It needs the same fix that was developed for this PR. Also, is there a way to prevent ongoing breakage for this type of issue both in ruby and the other ports where the installed package name is constant regardless of the version (as shown in this PR, that covers at least perl).
(In reply to Terry Kennedy from comment #20)
> This has been broken again in the same manner by r404311. It needs the same fix
> that was developed for this PR.

Yup, just tested locally. Changing

<affects>
  <package>
    <name>ruby</name>
    <range><lt>2.0.0.648,1</lt></range>
    <range><lt>2.1.8,1</lt></range>
    <range><lt>2.2.4,1</lt></range>
  </package>
</affects>

to

<affects>
  <package>
    <name>ruby</name>
    <name>ruby20</name>
    <range><ge>2.0,1</ge><lt>2.0.0.648,1</lt></range>
  </package>
  <package>
    <name>ruby</name>
    <name>ruby21</name>
    <range><ge>2.1,1</ge><lt>2.1.8,1</lt></range>
  </package>
  <package>
    <name>ruby</name>
    <name>ruby22</name>
    <range><ge>2.2,1</ge><lt>2.2.4,1</lt></range>
  </package>
</affects>

clears the false positive (in my case, pkg audit reports ruby-2.1.8,1 as being affected by 3b50881d-1860-4721-aab1-503290e23f6c).
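Editor's added example, not code from the PR, from pkg(8) or from security/vuxml: a small Python model of the vuxml matching that comments #9, #15 and #21 are arguing about. It checks a package name against the <name> list of each <package> and each <range> with an epoch-first version compare, which is enough to reproduce both failure modes seen in this PR: an entry that names only "ruby" never sees a "ruby20" package, and a <ge> bound written without the ",1" PORTEPOCH is satisfied by every epoch-1 version, so ruby-2.0.0.647,1 falls into the 2.1 and 2.2 ranges. The three vuxml fragments are constructed from the entries quoted in comments #9 and #21; the comparator is an assumption-level simplification (numeric X.Y.Z_rev,epoch only) and does not reproduce pkg's handling of letters, "pl", "+" or "*".

```python
"""Model of how pkg audit matches a vuxml <package> entry (added example,
not pkg's or vuxml's own code). Numeric 'X.Y.Z_rev,epoch' versions only."""
import xml.etree.ElementTree as ET

# Constructed vuxml fragments, taken from the entries quoted in this PR.
# ORIGINAL: the 2016 entry from comment #21 before the fix (<lt> only).
# NO_EPOCH: comment #9, <ge> bounds without the ",1" PORTEPOCH.
# FIXED:    the shape from comment #21 after the fix.
ORIGINAL = """<affects><package>
  <name>ruby</name>
  <range><lt>2.0.0.648,1</lt></range>
  <range><lt>2.1.8,1</lt></range>
  <range><lt>2.2.4,1</lt></range>
</package></affects>"""

NO_EPOCH = """<affects><package>
  <name>ruby</name><name>ruby20</name><name>ruby22</name>
  <range><ge>2.0</ge><lt>2.0.0.645,1</lt></range>
  <range><ge>2.1</ge><lt>2.1.6,1</lt></range>
  <range><ge>2.2</ge><lt>2.2.2,1</lt></range>
</package></affects>"""

FIXED = """<affects>
  <package><name>ruby</name><name>ruby20</name>
    <range><ge>2.0,1</ge><lt>2.0.0.648,1</lt></range></package>
  <package><name>ruby</name><name>ruby21</name>
    <range><ge>2.1,1</ge><lt>2.1.8,1</lt></range></package>
  <package><name>ruby</name><name>ruby22</name>
    <range><ge>2.2,1</ge><lt>2.2.4,1</lt></range></package>
</affects>"""


def parse_version(v):
    """Split 'X.Y.Z_rev,epoch' into (epoch, [X, Y, Z], rev); missing parts are 0."""
    epoch = rev = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    return epoch, [int(c) for c in v.split(".")], rev


def version_cmp(a, b):
    """Return -1, 0 or 1. Epoch is decided first, so 2.0.0.647,1 > 2.1 (epoch 0)."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    width = max(len(ca), len(cb))          # 2.0 compares as 2.0.0.0
    ca, cb = ca + [0] * (width - len(ca)), cb + [0] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


_BOUNDS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def in_range(version, rng):
    """True when every bound element inside a <range> holds for version."""
    return all(_BOUNDS[b.tag](version_cmp(version, b.text.strip())) for b in rng)


def affected(pkgname, affects_xml):
    """Return the ranges ('ge:.. lt:..' strings) under which pkgname is flagged."""
    name, _, version = pkgname.rpartition("-")   # 'ruby20-2.0.0.647,1'
    hits = []
    for pkg in ET.fromstring(affects_xml).iter("package"):
        if name not in [n.text.strip() for n in pkg.findall("name")]:
            continue                # <name>ruby</name> never matches ruby20
        for rng in pkg.findall("range"):
            if in_range(version, rng):
                hits.append(" ".join(f"{b.tag}:{b.text.strip()}" for b in rng))
    return hits


if __name__ == "__main__":
    for label, entry in ("ORIGINAL", ORIGINAL), ("NO_EPOCH", NO_EPOCH), ("FIXED", FIXED):
        for pkg in ("ruby-2.0.0.647,1", "ruby-2.1.8,1", "ruby20-2.0.0.644,1"):
            print(f"{label:9} {pkg:20} {affected(pkg, entry)}")
```

The model only explains the matching; the real check is the one Mark describes in comment #12, pointing pkg audit at an edited vuln.xml with PKG_DBDIR. The point it makes visible is that a <ge> without ",1" is compared at epoch 0, so any installed ruby with PORTEPOCH 1 satisfies it and only the <lt> bound is left to decide, which is why ruby-2.0.0.647,1 lands in the 2.1 and 2.2 ranges of the comment #9 entry.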
How do I change this PR from closed/fixed to open? Or should I open a new PR, referencing this one?
@Terry I believe your proposed change was committed in 404357 [1] but this issue was not referenced in the commit log.

[1] https://svnweb.freebsd.org/changeset/ports/404357

Assigning to Committer that resolved.
It seems that the updated vuln.xml didn't make it out of the ports tree and into wherever "pkg audit -F" fetches it from, as it told me "vulnxml file up-to-date". Manually copying vuln.xml from /usr/ports/security/vuxml/vuln.xml to /var/db/pkg/vuln.xml stopped the complaint. Thanks!