This is base-audit-0.4 on FreeBSD 12.2 - but it affects other FreeBSD versions as well. This is partly related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878

When kernel and userland do not match, false positives result. Case in point, this host is:

    $ freebsd-version -u -k
    12.2-RELEASE-p1
    12.2-RELEASE-p2
    $

When running the script:

    [dan@tallboy:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit

    Checking for security vulnerabilities in base (userland & kernel):
    Host system:
    Database fetched: Sat Dec 12 16:51:55 UTC 2020
    0 problem(s) in 0 installed package(s) found.
    FreeBSD-12.2_2 is vulnerable:
    OpenSSL -- NULL pointer de-reference
    CVE: CVE-2020-1971
    WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html

    1 problem(s) in 1 installed package(s) found.

This false positive also arises from jails.
(In reply to Dan Langille from comment #0)

Can you post separate output for kernel version and userland version to be sure which is which?

    freebsd-version -u
    freebsd-version -k

I am not running 12.x so I cannot test it at the moment. I don't know what can be wrong in your case.

Version mismatch should not matter because kernel (version) and userland (version) are checked separately. Two independent commands with two results:

    if [ -z "`echo "$pkgargs" | egrep '^-[cj]'`" -a `sysctl -n security.jail.jailed` = 0 ]; then
        krnlv=$(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
        ${pkgcmd} audit $f $q $krnlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
    fi
    ${pkgcmd} audit $f $q $usrlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
If there is some problem then I think it is not in base-audit but in "pkg audit" or vuln.xml

I just checked the commands called by base-audit script:

    % pkg audit FreeBSD-kernel-12.2_1
    0 problem(s) in 0 installed package(s) found.

    % pkg audit FreeBSD-kernel-12.2_2
    0 problem(s) in 0 installed package(s) found.

    % pkg audit FreeBSD-12.2_1
    FreeBSD-12.2_1 is vulnerable:
    OpenSSL -- NULL pointer de-reference
    CVE: CVE-2020-1971
    WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html

    1 problem(s) in 1 installed package(s) found.

    % pkg audit FreeBSD-12.2_2
    FreeBSD-12.2_2 is vulnerable:
    OpenSSL -- NULL pointer de-reference
    CVE: CVE-2020-1971
    WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html

    1 problem(s) in 1 installed package(s) found.

So "pkg audit" reports both userland versions as vulnerable and both kernel versions as fixed.

For the record - kernel version does not matter when base-audit checks jails because it is not used in this check. base-audit script extracts the jails userland version by this command:

    jexec $jid freebsd-version -u
    [dan@tallboy:~] $ freebsd-version -u
    12.2-RELEASE-p2

    [dan@tallboy:~] $ freebsd-version -k
    12.2-RELEASE-p1
(In reply to Dan Langille from comment #3)

Thank you for the confirmation.

As I wrote before, "pkg audit" returns "vulnerable" for FreeBSD-12.2_2 even if it should not be vulnerable. Your problem is not about kernel / userland mismatch. 405.pkg-base-audit properly checked for your userland version 12.2-p2 (as FreeBSD-12.2_2) but "pkg audit" report is wrong. Probably a wrong vuln.xml entry.
In https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878 (referenced at the top of this PR) I tried to get security/base-audit involved in a fix. I just referenced this PR in that PR. I hope we can all get together and agree upon required actions.
Until this morning, the entry was:

    <package>
      <name>FreeBSD</name>
      <range><ge>12.2</ge><lt>12.2_2</lt></range>
      <range><ge>12.1</ge><lt>12.1_12</lt></range>
      <range><ge>11.4</ge></range>
    </package>

Did pkg audit interpret that as "everything above 11.4 is vulnerable" without taking into account the narrower ranges for 12.1 and 12.2?

This morning I updated the entry to account for the recently released patch against 11.4:

    <package>
      <name>FreeBSD</name>
      <range><ge>12.2</ge><lt>12.2_2</lt></range>
      <range><ge>12.1</ge><lt>12.1_12</lt></range>
      <range><ge>11.4</ge><lt>11.4_6</lt></range>
    </package>

Has this fixed pkg audit claiming that 12.2p2 is vulnerable?
(In reply to Philip Paeps from comment #6)

Thank you for your explanation. This fixed the problem.

Before:

    # pkg audit FreeBSD-12.2_2
    FreeBSD-12.2_2 is vulnerable:
    OpenSSL -- NULL pointer de-reference
    CVE: CVE-2020-1971
    WWW: https://vuxml.FreeBSD.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html

    1 problem(s) in 1 installed package(s) found.

After:

    # pkg audit -F FreeBSD-12.2_2
    Fetching vuln.xml.bz2: 100%  898 KiB 919.5kB/s    00:01
    0 problem(s) in 0 installed package(s) found.

But what can we do with it for a next time?

a) teach pkg audit to compare only the same version branches?
b) always put entry in some virtual range like 11.4 < 11.99?

Both have pros and cons. Sometimes we can have vulnerabilities in more than one branch which can be covered by entry "anything higher than 11.4". If we choose a) then we need to always add ranges for all supported branches.
I tested just now:

    [dan@slocum:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit

    Checking for security vulnerabilities in base (userland & kernel):
    Host system:
    Database fetched: Tue Dec 15 02:37:51 UTC 2020
    0 problem(s) in 0 installed package(s) found.
    0 problem(s) in 0 installed package(s) found.

This seems to be fixed now.
This is good to know. I think solution (b) proposed in comment #7 is the easiest to implement. Going forward, when we don't have patches for a specific branch, I'll encode it as <lt>x.y_99</lt> and replace 99 with the actual patch number if and when it becomes available. Thank you both for confirming the problem went away!
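The range-matching behaviour discussed in comments #6, #7 and #9 can be reproduced offline. The following is an added example written for this page; it is not code from pkg, base-audit or the VuXML tooling. It assumes two things that the thread's observations support but that pkg's own implementation is not quoted for here: that the `<range>` elements under one `<package>` are alternatives (the package is vulnerable if any one range matches), and a simplified version comparator that handles only dotted numeric versions with an optional `_N` patch level, which is the only shape the thread uses. The three VuXML fragments are constructed from the entries quoted in comment #6 plus the `_99` placeholder form proposed in the last comment.

```python
"""Evaluate FreeBSD VuXML <range> entries against base-system versions.

Added example for this bug thread; not code from pkg or base-audit.
Assumptions: ranges under one <package> are OR'ed together, and the
simplified comparator below (dotted numbers plus optional "_N" patch
level) matches pkg's ordering for the versions used in the thread.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: the entry before the fix (comment #6). The third
# range has no upper bound, so every 12.x version also satisfies it.
ENTRY_BEFORE = """
<package>
  <name>FreeBSD</name>
  <range><ge>12.2</ge><lt>12.2_2</lt></range>
  <range><ge>12.1</ge><lt>12.1_12</lt></range>
  <range><ge>11.4</ge></range>
</package>
"""

# Constructed fragment: the corrected entry (comment #6).
ENTRY_AFTER = """
<package>
  <name>FreeBSD</name>
  <range><ge>12.2</ge><lt>12.2_2</lt></range>
  <range><ge>12.1</ge><lt>12.1_12</lt></range>
  <range><ge>11.4</ge><lt>11.4_6</lt></range>
</package>
"""

# Constructed fragment: solution (b), a placeholder upper bound used when
# no patch for the 11.4 branch exists yet.
ENTRY_PLACEHOLDER = """
<package>
  <name>FreeBSD</name>
  <range><ge>12.2</ge><lt>12.2_2</lt></range>
  <range><ge>12.1</ge><lt>12.1_12</lt></range>
  <range><ge>11.4</ge><lt>11.4_99</lt></range>
</package>
"""


def to_pkg_version(freebsd_version):
    """Mirror the sed in 405.pkg-base-audit: '12.2-RELEASE-p2' -> '12.2_2'."""
    v = freebsd_version.replace("-RELEASE-p", "_")
    if v.endswith("-RELEASE"):
        v = v[: -len("-RELEASE")]
    return v


def parse_version(v):
    """'12.2_2' -> ((12, 2), 2). A missing patch level counts as 0."""
    base, _, patch = v.partition("_")
    return tuple(int(p) for p in base.split(".")), int(patch or 0)


def parse_ranges(xml_text):
    """Return (package name, list of {bound-tag: parsed version})."""
    root = ET.fromstring(xml_text)
    ranges = []
    for r in root.findall("range"):
        ranges.append({c.tag: parse_version(c.text.strip()) for c in r})
    return root.findtext("name"), ranges


def in_range(version, bounds):
    """True when the version satisfies every bound of one <range>."""
    v = parse_version(version)
    checks = {
        "ge": lambda b: v >= b,
        "gt": lambda b: v > b,
        "le": lambda b: v <= b,
        "lt": lambda b: v < b,
        "eq": lambda b: v == b,
    }
    return all(checks[tag](b) for tag, b in bounds.items())


def is_vulnerable(xml_text, version):
    """Vulnerable if any <range> matches (ranges are alternatives)."""
    _, ranges = parse_ranges(xml_text)
    return any(in_range(version, b) for b in ranges)


def matching_ranges(xml_text, version):
    """Indexes of the ranges that match, to see *why* a version is flagged."""
    _, ranges = parse_ranges(xml_text)
    return [i for i, b in enumerate(ranges) if in_range(version, b)]


if __name__ == "__main__":
    v = to_pkg_version("12.2-RELEASE-p2")
    for label, entry in (("before", ENTRY_BEFORE), ("after", ENTRY_AFTER),
                         ("placeholder", ENTRY_PLACEHOLDER)):
        print(label, v, is_vulnerable(entry, v), matching_ranges(entry, v))
```

Running it shows that `12.2_2` is flagged by the original entry only through the third, unbounded range (index 2), and is clean under both the corrected entry and the `_99` placeholder form, while `11.4_5` stays flagged and `11.4_6` is clean under the corrected entry. That is the whole mechanism behind the false positive: the narrower 12.x ranges were never consulted "first", every range is simply tried, and an open-ended `<ge>11.4</ge>` covers every later branch.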