From owner-freebsd-ports-bugs@freebsd.org Mon Sep 21 06:24:09 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 203227] vuln.xml incorrectly flagging ruby20 as insecure
Date: Mon, 21 Sep 2015 06:24:08 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Ports Framework
X-Bugzilla-Who: terry@tmk.com
X-Bugzilla-Assigned-To: portmgr@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203227

            Bug ID: 203227
           Summary: vuln.xml incorrectly flagging ruby20 as insecure
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Ports Framework
          Assignee: portmgr@FreeBSD.org
          Reporter: terry@tmk.com
                CC: freebsd-ports-bugs@FreeBSD.org

"pkg audit -F" incorrectly reports ruby-2.0.0.647,1 as vulnerable. I have confirmed that it is NOT vulnerable by checking both https://www.ruby-lang.org/en/ and https://vuxml.freebsd.org/freebsd/d4379f59-3e9b-49eb-933b-61de4d0b0fdb.html.

I have "DEFAULT_VERSIONS+=ruby=2.0" in my /etc/make.conf file.

It appears that the problem is in the vuln.xml file, as it checks for installed ports named ruby20, ruby, and ruby22. If I remove the vuln.xml entry for "ruby", the ruby20 port is no longer marked as vulnerable.

It appears that some part of the ports framework thinks that ruby20 is "ruby" for purposes of checking for vulnerabilities. I am not sure why that is happening, as "pkg info -o ruby" reports the origin as ruby20.

Note: Bug filed after emailing ruby@freebsd.org and receiving no response after 10 days.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
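As an added illustration (not part of the bug report, and not pkg(8)'s own code), the following Python models how a VuXML `<affects>` entry is matched: by the installed *package* name and version range, never by port origin, which is why a package named ruby-2.0.0.647,1 is compared against the "ruby" entry regardless of the origin that "pkg info -o" reports. The VuXML fragment, its vid and its version ranges are constructed placeholders, and the version ordering is a simplified model of pkg's (epoch, dotted numeric parts, PORTREVISION).

```python
import xml.etree.ElementTree as ET

# Constructed VuXML-style fragment for illustration; NOT the real vuln.xml entry.
# <name> carries the package name ("ruby" for the ruby20 port), not the origin.
VID = "00000000-0000-0000-0000-000000000000"  # placeholder vid, not a real one
VULN_XML = f"""<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="{VID}">
    <topic>constructed example -- not a real advisory</topic>
    <affects>
      <package><name>ruby</name>
        <range><ge>2.0,1</ge><lt>2.0.0.647,1</lt></range>
        <range><ge>2.1,1</ge><lt>2.1.7,1</lt></range></package>
      <package><name>ruby22</name><range><lt>2.2.3,1</lt></range></package>
    </affects>
  </vuln>
</vuxml>"""
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

def version_key(v):
    """Simplified pkg version ordering: epoch (after ','), dotted numeric
    parts, then PORTREVISION (after '_'). Real pkg(8) also orders letters."""
    epoch = rev = 0
    if "," in v:
        v, e = v.split(",", 1); epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1); rev = int(r)
    return epoch, [int(p) for p in v.split(".")], rev

def version_lt(a, b):
    ea, pa, ra = version_key(a); eb, pb, rb = version_key(b)
    n = max(len(pa), len(pb))  # "2.0" compares as "2.0.0.0"
    return (ea, pa + [0] * (n - len(pa)), ra) < (eb, pb + [0] * (n - len(pb)), rb)

OPS = {"lt": version_lt, "ge": lambda a, b: not version_lt(a, b),
       "gt": lambda a, b: version_lt(b, a), "le": lambda a, b: not version_lt(b, a),
       "eq": lambda a, b: not version_lt(a, b) and not version_lt(b, a)}

def in_range(version, rng):
    """A <range> is the conjunction of its bounds (e.g. ge AND lt)."""
    return all(OPS[b.tag.split("}")[1]](version, b.text.strip()) for b in rng)

def split_pkg(pkg):
    """'ruby-2.0.0.647,1' -> ('ruby', '2.0.0.647,1'); versions contain no '-'."""
    name, version = pkg.rsplit("-", 1)
    return name, version

def audit(pkg, vuxml=VULN_XML):
    """vids whose <package><name> equals the package name and whose any
    <range> contains its version. The port origin is never consulted."""
    name, version = split_pkg(pkg)
    return [vuln.get("vid") for vuln in ET.fromstring(vuxml).findall("v:vuln", NS)
            if any(p.find("v:name", NS).text == name
                   and any(in_range(version, r) for r in p.findall("v:range", NS))
                   for p in vuln.findall("v:affects/v:package", NS))]

if __name__ == "__main__":
    for p in ("ruby-2.0.0.647,1", "ruby-2.0.0.645,1"):
        print(p, "->", audit(p) or "not affected")
```

When checking a real entry, run the installed package name and version through the entry's ranges this way and pay attention to the epoch after the comma: a bound that omits the epoch compares lower than any version carrying one.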