Bug 245878 - security/vuxml ipfw invalid mbuf handling creates false positive with base-audit
Summary: security/vuxml ipfw invalid mbuf handling creates false positive with base-audit
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any  OS: Any
Importance: --- Affects Many People
Assignee: Ports Security Team
Reported: 2020-04-24 14:23 UTC by Dan Langille
Modified: 2020-05-23 12:09 UTC

bugzilla: maintainer-feedback? (ports-secteam)
Description Dan Langille freebsd_committer 2020-04-24 14:23:16 UTC
re https://lists.freebsd.org/pipermail/svn-ports-all/2020-April/249659.html

The FreeBSD-SA-20:10.ipfw entry in vuxml is causing false positives for security/base-audit

To reproduce:

freebsd-update fetch install
reboot
pkg install base-audit
add security_status_baseaudit_enable="YES" to /etc/periodic.conf
pkg audit -F
/usr/local/etc/periodic/security/405.pkg-base-audit

$ freebsd-version -uk
12.1-RELEASE-p3
12.1-RELEASE-p4

$ /usr/local/etc/periodic/security/405.pkg-base-audit

Checking for security vulnerabilities in base (userland & kernel):
Host system:
Database fetched: Wed Apr 22 11:30:00 UTC 2020
FreeBSD-kernel-12.1_3 is vulnerable:
FreeBSD -- ipfw invalid mbuf handling
CVE: CVE-2019-15874
CVE: CVE-2019-5614
WWW: https://vuxml.FreeBSD.org/freebsd/33edcc56-83f2-11ea-92ab-00163e433440.html

1 problem(s) in 1 installed package(s) found.
0 problem(s) in 0 installed package(s) found.
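The mismatch behind this output, as an added illustration rather than base-audit's or vuxml's own code: it rebuilds the pseudo-package name base-audit derives from freebsd-version(1) and compares it against a vuxml-style "fixed in" version. The fixed-in value 12.1_4 is an assumption (taken from the -p4 userland shown above), not text from the entry itself.

```shell
#!/bin/sh
# Added illustration, not base-audit's own code: rebuild the pseudo-package
# name base-audit derives from freebsd-version(1) and compare it against a
# vuxml-style "fixed in" version, showing why a kernel still at -p3 matches.

# "12.1-RELEASE-p3" -> "12.1_3"; a release with no patch level -> "12.1".
to_pkg_version() {
    rel=${1%%-*}
    case $1 in
        *-p[0-9]*) echo "${rel}_${1##*-p}" ;;
        *)         echo "$rel" ;;
    esac
}

# Exit 0 when pkg-style version $1 sorts before $2 (major, minor, patch level).
version_lt() {
    a=${1%%_*}; ap=${1#*_}; [ "$ap" = "$1" ] && ap=0
    b=${2%%_*}; bp=${2#*_}; [ "$bp" = "$2" ] && bp=0
    if [ "${a%%.*}" -ne "${b%%.*}" ]; then
        [ "${a%%.*}" -lt "${b%%.*}" ] && return 0
        return 1
    fi
    if [ "${a#*.}" -ne "${b#*.}" ]; then
        [ "${a#*.}" -lt "${b#*.}" ] && return 0
        return 1
    fi
    [ "$ap" -lt "$bp" ]
}

# What base-audit reports for an entry "FreeBSD-kernel < $2", given the
# output of "freebsd-version -k" in $1. Empty output means not flagged.
flagged_kernel() {
    ver=$(to_pkg_version "$1")
    if version_lt "$ver" "$2"; then
        echo "FreeBSD-kernel-$ver is vulnerable"
    fi
}

# True when the installed kernel's patch level is behind userland's: the
# state this PR describes, where an SA that did not ship a rebuilt kernel
# leaves "freebsd-version -k" at the old level that base-audit then flags.
kernel_lags_userland() {
    version_lt "$(to_pkg_version "$1")" "$(to_pkg_version "$2")"
}

# Constructed input matching the report: kernel at -p3, userland at -p4.
# The fixed-in version "12.1_4" is an assumption about the entry's range.
flagged_kernel "12.1-RELEASE-p3" "12.1_4"   # FreeBSD-kernel-12.1_3 is vulnerable
flagged_kernel "12.1-RELEASE-p4" "12.1_4"   # prints nothing
kernel_lags_userland "12.1-RELEASE-p3" "12.1-RELEASE-p4" && echo "kernel lags userland"
```

Running the last check against the real `freebsd-version -k` and `-u` output tells an administrator whether a hit from base-audit could be this kind of stale-kernel-version match rather than a missing patch.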
Comment 1 Dan Langille freebsd_committer 2020-04-24 14:24:49 UTC
This PR is lodged against vuxml only because that is where the entry resides.

The issue is that the fix for the vuln did not issue a new kernel.

The current situation is continued false positives for base-audit until a new kernel is released.
Comment 2 PauAmma 2020-04-24 16:52:41 UTC
I'm also affected by this bug.

Checking for security vulnerabilities in base (userland & kernel):
Fetching vuln.xml.bz2: .......... done
FreeBSD-kernel-12.1_3 is vulnerable:
FreeBSD -- ipfw invalid mbuf handling
CVE: CVE-2019-15874
CVE: CVE-2019-5614
WWW: https://vuxml.FreeBSD.org/freebsd/33edcc56-83f2-11ea-92ab-00163e433440.html

This despite:

% freebsd-version -kru
12.1-RELEASE-p3
12.1-RELEASE-p3
12.1-RELEASE-p4
Comment 3 Dan Langille freebsd_committer 2020-05-01 14:48:35 UTC
It has been suggested that if something in the kernel changes, a new kernel is shipped.

What is involved in achieving that solution?
Comment 4 Jochen Neumeister freebsd_committer 2020-05-23 11:59:05 UTC
(In reply to Dan Langille from comment #3)

> On Tue, Apr 21, 2020, at 2:29 PM, Gordon Tetlow wrote:
> Author: gordon (src committer)

So I think it's a good point to ping gordon?
Comment 5 Dan Langille freebsd_committer 2020-05-23 12:06:08 UTC
ports-secteam@FreeBSD.org is not sufficient?
Comment 6 Dan Langille freebsd_committer 2020-05-23 12:07:09 UTC
(In reply to Dan Langille from comment #5)

Also, gordon@FreeBSD.org is on this ticket (see CC list).
Comment 7 Jochen Neumeister freebsd_committer 2020-05-23 12:08:36 UTC
If I understand this correctly, it is a problem with the FreeBSD version.
This update comes from a src committer.
Ports-secteam is responsible for the security of the ports and cannot really help with src releases.
Comment 8 Jochen Neumeister freebsd_committer 2020-05-23 12:09:34 UTC
(In reply to Dan Langille from comment #6)

I added him a few minutes ago :-)