Bug 249110

Summary: security/gnupg: 2.2.23 is incorrectly marked as vulnerable by pkg audit
Product: Ports & Packages    Reporter: Jose G. Juanino <jjuanino>
Component: Individual Port(s)    Assignee: Adam Weinberger <adamw>
Status: Closed FIXED
Severity: Affects Only Me    Flags: bugzilla: maintainer-feedback? (adamw)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description Jose G. Juanino 2020-09-04 15:03:09 UTC
Hi, I have updated security/gnupg to version 2.2.23 to address CVE-2013-4576, but the port is still considered vulnerable by pkg audit:

# pkg info -x gnupg
gnupg-2.2.23

# pkg audit gnupg-2.2.23
gnupg-2.2.23 is vulnerable:
gnupg -- AEAD key import overflow
CVE: CVE-2020-25125
WWW: https://vuxml.FreeBSD.org/freebsd/f9fa7adc-ee51-11ea-a240-002590acae31.html

1 problem(s) in 1 installed package(s) found.


I have inspected the registered item in vuxml database and it seems to be fine:

  <vuln vid="f9fa7adc-ee51-11ea-a240-002590acae31">
    <topic>gnupg -- AEAD key import overflow</topic>
    <affects>
      <package>
        <name>gnupg</name>
        <range><ge>2.2.21</ge></range>
        <range><lt>2.2.23</lt></range>
      </package>

As you can see, 2.2.23 is out of the range, and therefore 2.2.23 is not vulnerable.

Am I doing something wrong or misunderstanding something?

Regards
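The following is an added illustration, not part of the bug report or of the FreeBSD vuxml tooling. It evaluates the two forms of the entry the way VuXML semantics define them: every bound inside one <range> must hold, while separate <range> elements under a <package> are alternatives, so the report's `<range><ge>2.2.21</ge></range><range><lt>2.2.23</lt></range>` matches any version that is either >= 2.2.21 or < 2.2.23, i.e. every version. Assumptions: both entries are constructed here (the corrected one folds both bounds into a single <range>, which is what the r547571 log describes fixing), the VuXML namespace is omitted, and version comparison is a simplified dotted-numeric tuple compare rather than the full pkg_version(8) ordering.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the entry as originally filed, with two separate
# <range> elements. Real vuln.xml carries a namespace; omitted here.
BROKEN_ENTRY = """
<vuln vid="f9fa7adc-ee51-11ea-a240-002590acae31">
  <topic>gnupg -- AEAD key import overflow</topic>
  <affects>
    <package>
      <name>gnupg</name>
      <range><ge>2.2.21</ge></range>
      <range><lt>2.2.23</lt></range>
    </package>
  </affects>
</vuln>
"""

# Constructed sample of the corrected form: both bounds in one <range>.
FIXED_ENTRY = """
<vuln vid="f9fa7adc-ee51-11ea-a240-002590acae31">
  <topic>gnupg -- AEAD key import overflow</topic>
  <affects>
    <package>
      <name>gnupg</name>
      <range><ge>2.2.21</ge><lt>2.2.23</lt></range>
    </package>
  </affects>
</vuln>
"""

# Comparison operators VuXML allows inside a <range>.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def parse_version(text):
    """Simplified dotted-numeric version (assumption: pkg_version(8)
    additionally handles letters, _N revisions and ,N epochs)."""
    return tuple(int(part) for part in text.strip().split("."))


def range_matches(rng, version):
    """All bounds inside a single <range> must hold (logical AND)."""
    v = parse_version(version)
    return all(OPS[bound.tag](v, parse_version(bound.text)) for bound in rng)


def is_affected(entry_xml, pkgname, version):
    """Any <range> of the named <package> matching marks it vulnerable (OR)."""
    root = ET.fromstring(entry_xml)
    for pkg in root.iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        if any(range_matches(r, version) for r in pkg.findall("range")):
            return True
    return False


def describe_ranges(entry_xml, pkgname):
    """Render each <range> as a readable clause, for eyeballing an entry."""
    root = ET.fromstring(entry_xml)
    clauses = []
    for pkg in root.iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        for r in pkg.findall("range"):
            clauses.append(" and ".join(f"{b.tag} {b.text}" for b in r))
    return clauses


if __name__ == "__main__":
    for label, entry in (("broken", BROKEN_ENTRY), ("fixed", FIXED_ENTRY)):
        print(label, "ranges:", " OR ".join(describe_ranges(entry, "gnupg")))
        for ver in ("2.2.20", "2.2.21", "2.2.22", "2.2.23"):
            print(f"  gnupg-{ver}: affected={is_affected(entry, 'gnupg', ver)}")
```

Running it shows the broken entry flagging 2.2.20 and 2.2.23 as affected alongside 2.2.21 and 2.2.22, while the corrected entry flags only 2.2.21 and 2.2.22; `describe_ranges` makes the difference visible as "ge 2.2.21 OR lt 2.2.23" versus "ge 2.2.21 and lt 2.2.23".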
Comment 1 Adam Weinberger freebsd_committer freebsd_triage 2020-09-04 20:59:36 UTC
Thanks for reporting this!

I clearly messed up the version range somehow, but I'm not clear what I did wrong. I've reached out to others.
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-09-04 21:09:12 UTC
A commit references this bug:

Author: adamw
Date: Fri Sep  4 21:08:42 UTC 2020
New revision: 547571
URL: https://svnweb.freebsd.org/changeset/ports/547571

Log:
  security/vuxml: Fix gnupg version range specification

  Thanks to swills for pointing me to the error here.

  PR:		249110
  Reported by:	jjuanino gmail

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Adam Weinberger freebsd_committer freebsd_triage 2020-09-04 21:12:36 UTC
Should be fixed now. Thanks again for reporting!