Bug 200511 - net/proxychains-ng: [security] Document CVE-2015-3887 fix committed in r387705
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Xin LI
Reported: 2015-05-29 02:13 UTC by Jason Unovitch
Modified: 2015-05-29 22:26 UTC

bugzilla: maintainer-feedback? (nemysis)


Attachments
security/vuxml documentation for proxychains-ng (1.41 KB, patch)
2015-05-29 02:13 UTC, Jason Unovitch

Description Jason Unovitch freebsd_committer freebsd_triage 2015-05-29 02:13:02 UTC
Created attachment 157239
security/vuxml documentation for proxychains-ng

r387705 documents "fix a security issue CVE-2015-3887" and no associated vuln.xml entry matching the issue was made.

The attached security/vuxml entries cover the update with an extract of the technical details from the oss-security mailing list CVE request.

##
## vuln.xml syntax validation
##

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

##
## pkg audit validation with manually specifying fixed version
##

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit proxychains-ng-4.9
0 problem(s) in the installed packages found.

##
## pkg audit validation in vulnerable jail
##

# pkg audit
proxychains-ng-4.8.1 is vulnerable:
proxychains-ng -- current path as the first directory for the library search path
CVE: CVE-2015-3887
WWW: http://vuxml.FreeBSD.org/freebsd/9471ec47-05a2-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.
Comment 1 Rusmir Dusko freebsd_committer freebsd_triage 2015-05-29 05:10:29 UTC
Please, before making a bug, look at recent commits and update your ports tree.

https://www.freshports.org/net/proxychains-ng/
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-05-29 10:10:06 UTC
PR is for the follow through commit to document the issue in security/vuxml.  Not everybody will read the commit log for security related fixes.  I don't see the entry as of r387787 so therefore this is still open.
Comment 3 Rusmir Dusko freebsd_committer freebsd_triage 2015-05-29 22:14:44 UTC
Look at r387787; I do not make more docs.

Make new PR for Documentation tim
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-05-29 22:20:49 UTC
A commit references this bug:

Author: delphij
Date: Fri May 29 22:20:32 UTC 2015
New revision: 387897
URL: https://svnweb.freebsd.org/changeset/ports/387897

Log:
  Document the issue with proxychains-ng which uses current directory when
  searching for its own shared library (CVE-2015-3887).

  PR:		200511
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Xin LI freebsd_committer freebsd_triage 2015-05-29 22:25:59 UTC
Committed, thanks!
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-05-29 22:26:36 UTC
(In reply to Xin LI from comment #5)

Thanks! Was just about to reassign to ports-secteam@ per request. Closed!