Date: Thu, 17 Jan 2013 18:10:48 GMT
From: Darrell <denns@cknw.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/175381: pkg audit not detecting vulnerable packages
Message-ID: <201301171810.r0HIAmtg000765@red.freebsd.org>
Resent-Message-ID: <201301171820.r0HIK1bK014469@freefall.freebsd.org>
>Number:         175381
>Category:       misc
>Synopsis:       pkg audit not detecting vulnerable packages
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 17 18:20:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Darrell
>Release:        9.1-RELEASE
>Organization:
>Environment:
FreeBSD gt 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The pkgng command "pkg audit" is showing 0 vulnerabilities, even when a vulnerable package is installed.

I am testing by installing vulnerability-test-port-2013.01.17 (which is listed in the audit file).
>How-To-Repeat:
[root@gt /usr/local/etc]# cat pkg.conf
# System-wide configuration file for pkg(1)
# For more information on the file format and
# options please refer to the pkg.conf(5) man page

# Configuration options
PACKAGESITE : http://pkg.freebsd.org/${ABI}/latest
#SRV_MIRRORS : NO
#PKG_DBDIR : /var/db/pkg
#PKG_CACHEDIR : /var/cache/pkg
#PORTSDIR : /usr/ports
#PUBKEY : /etc/ssl/pkg.conf
#HANDLE_RC_SCRIPTS : NO
#PKG_MULTIREPOS : NO
#ASSUME_ALWAYS_YES : NO
#SYSLOG : YES
#SHLIBS : NO
#AUTODEPS : NO
PORTAUDIT_SITE : http://portaudit.FreeBSD.org/auditfile.tbz

# Repository definitions
#repos:
#  default : http://example.org/pkgng/
#  repo1 : http://somewhere.org/pkgng/repo1/
#  repo2 : http://somewhere.org/pkgng/repo2/

[root@gt ~]# curl -s http://portaudit.FreeBSD.org/auditfile.tbz|bunzip2 -c|head
auditfile000644 000121 000000 00002536414 12076036045 013644 0ustar00www-datawheel000000 000000 #CREATED: 2013-01-17 18:00:05
# Created by packaudit 0.2.3
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
# Please refer to the original document for copyright information:
# http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=1.2939
# Converted by vuxml2portaudit
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
chromium<24.0.1312.52|http://portaudit.FreeBSD.org/46bd747b-5b84-11e2-b06d-00262d5ed8ee.html|chromium -- multiple vulnerabilities
firefox>11.0,1<17.0.2,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
firefox<10.0.12,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities

[root@gt ~]# pkg update
Updating repository catalogue
Repository catalogue is up-to-date, no need to fetch fresh copy
[root@gt ~]# pkg info |grep vuln
vulnerability-test-port-2013.01.17 Standard vulnerability test for port auditing systems
[root@gt ~]# pkg audit
0 problem(s) in your installed packages found.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
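Added example (editor's addition, not part of the report and not pkg(8)'s own code): a small Python checker that parses the auditfile lines quoted in the report and tests installed package versions against their ranges. The line format is the one the head output shows: a package name, one or more range clauses using <, <=, >, >= or =, then |url|description; all clauses on a line must hold, so firefox>11.0,1<17.0.2,1 is an interval. The version comparison is a simplified rendering of the FreeBSD version[_revision][,epoch] scheme (epoch first, then dotted components numerically, then PORTREVISION); the handling of alphabetic components is an assumption of this example and does not claim parity with pkg's rules. The installed-package strings other than the test port version from the report are constructed for the example.

```python
"""Check installed FreeBSD packages against portaudit auditfile entries.

Added example, not pkg(8)'s code.  Parses "name<op>version...|url|desc"
lines as shown in the bug report and applies a simplified FreeBSD
version comparison (version[_revision][,epoch]).
"""
import re

# Constructed sample: the auditfile lines quoted in the report.  The tar
# header that "bunzip2 -c" emits before "#CREATED" is left out here.
AUDITFILE = """\
#CREATED: 2013-01-17 18:00:05
# Created by packaudit 0.2.3
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
# Please refer to the original document for copyright information:
# http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=1.2939
# Converted by vuxml2portaudit
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
chromium<24.0.1312.52|http://portaudit.FreeBSD.org/46bd747b-5b84-11e2-b06d-00262d5ed8ee.html|chromium -- multiple vulnerabilities
firefox>11.0,1<17.0.2,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
firefox<10.0.12,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
"""

# One entry: package name, one or more range clauses, then |url|description.
ENTRY_RE = re.compile(
    r'^(?P<name>[^<>=|]+)(?P<ranges>(?:(?:[<>]=?|=)[^<>=|]+)+)'
    r'\|(?P<url>[^|]*)\|(?P<desc>.*)$')
RANGE_RE = re.compile(r'([<>]=?|=)([^<>=|]+)')


def parse_version(v):
    """Split "ver[_rev][,epoch]" into (epoch, components, revision).

    Simplified (an assumption of this example, not pkg's exact rules):
    numeric components compare as integers, alphabetic ones as strings
    that sort above a numeric 0, so 1.0a > 1.0; pkg's pl/pre/rc/+ cases
    are not modelled.
    """
    epoch = 0
    if ',' in v:
        v, e = v.rsplit(',', 1)
        epoch = int(e)
    revision = 0
    if '_' in v:
        v, r = v.rsplit('_', 1)
        revision = int(r)
    comps = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r'\d+|[A-Za-z]+', v)]
    return epoch, comps, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:                      # a higher epoch always wins
        return (ea > eb) - (ea < eb)
    n = max(len(ca), len(cb))         # pad so that 1.0 == 1.0.0
    ca += [(0, 0)] * (n - len(ca))
    cb += [(0, 0)] * (n - len(cb))
    if ca != cb:
        return (ca > cb) - (ca < cb)
    return (ra > rb) - (ra < rb)      # same version: compare PORTREVISION


OPS = {
    '<': lambda c: c < 0, '<=': lambda c: c <= 0,
    '>': lambda c: c > 0, '>=': lambda c: c >= 0, '=': lambda c: c == 0,
}


def parse_auditfile(text):
    """Return [(name, [(op, version), ...], url, desc)] per data line.

    Unparsable non-comment lines raise instead of being skipped, so a
    stray tar header or a truncated download cannot silently shrink the
    database towards "0 problem(s)".
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError('unparsable auditfile line: %r' % line)
        entries.append((m.group('name'), RANGE_RE.findall(m.group('ranges')),
                        m.group('url'), m.group('desc')))
    return entries


def split_pkg(pkgstring):
    """'vulnerability-test-port-2013.01.17' -> ('vulnerability-test-port', '2013.01.17')"""
    name, version = pkgstring.rsplit('-', 1)
    return name, version


def affected(version, ranges):
    """Every clause must hold: '>11.0,1<17.0.2,1' is an interval."""
    return all(OPS[op](compare_versions(version, bound)) for op, bound in ranges)


def audit(installed, auditfile_text=AUDITFILE):
    """Return [(pkg, description, url)] for installed packages inside a range."""
    entries = parse_auditfile(auditfile_text)
    problems = []
    for pkg in installed:
        name, version = split_pkg(pkg)
        for ename, ranges, url, desc in entries:
            if ename == name and affected(version, ranges):
                problems.append((pkg, desc, url))
    return problems


if __name__ == '__main__':
    # Constructed "pkg info" output: the test port version from the report
    # plus hypothetical versions that exercise epoch and revision handling.
    installed = ['vulnerability-test-port-2013.01.17', 'nagios-3.4.2',
                 'nagios-3.4.3_1', 'firefox-17.0.1,1', 'firefox-17.0.2,1',
                 'chromium-24.0.1312.52']
    found = audit(installed)
    for pkg, desc, url in found:
        print('%s is vulnerable: %s\n  %s' % (pkg, desc, url))
    print('%d problem(s) in the constructed package list.' % len(found))
```

Feeding audit() the first column of pkg info output and the decompressed auditfile gives a second opinion independent of pkg audit; because auditfile.tbz is a bzip2'd tar (the head output in the report begins with the tar header), the archive must be untarred, not just bunzip2'd, or the parser will reject the header line.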