From owner-freebsd-pkg@freebsd.org Mon Sep 7 09:15:41 2015
Date: Mon, 7 Sep 2015 11:15:36 +0200
From: Baptiste Daroussin
To: Marko Turk
Cc: freebsd-pkg@freebsd.org
Subject: Re: Pkg audit package not identified as vulnerable
Message-ID: <20150907091536.GA38185@ivaldir.etoilebsd.net>
In-Reply-To: <20150907075915.GA1702@vps.markoturk.info>
List-Id: Binary package management and package tools discussion

On Mon, Sep 07, 2015 at 09:59:15AM +0200, Marko Turk wrote:
> Hi,
>
> I have both gstreamer1-libav and ffmpeg installed. Both are vulnerable
> (according to vuxml.freebsd.org) but pkg audit prints one package
> two times. Additionally, pkg audit -v prints only one package as
> vulnerable.
>
> Is this intended behavior?
>
> BR,
> Marko
>
> root@shkatula:~ # pkg audit
> gstreamer1-libav-1.4.5 is vulnerable:
> ffmpeg -- use after free
> CVE: CVE-2015-3417
> WWW: https://vuxml.FreeBSD.org/freebsd/da434a78-e342-4d9a-87e2-7497e5f117ba.html
>
> gstreamer1-libav-1.4.5 is vulnerable:
> ffmpeg -- out-of-bounds array access
> CVE: CVE-2015-3395
> WWW: https://vuxml.FreeBSD.org/freebsd/80c66af0-d1c5-449e-bd31-63b12525ff88.html
>
> 1 problem(s) in the installed packages found.
>
> root@shkatula:~ # pkg audit -q
> gstreamer1-libav-1.4.5
> root@shkatula:~ #

Which version of ffmpeg do you have installed?

Best regards,
Bapt