From owner-freebsd-bugs@FreeBSD.ORG Thu Jan 17 18:20:01 2013
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Resent-Date: Thu, 17 Jan 2013 18:20:01 GMT
Resent-Message-Id: <201301171820.r0HIK1bK014469@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Darrell
Message-Id: <201301171810.r0HIAmtg000765@red.freebsd.org>
Date: Thu, 17 Jan 2013 18:10:48 GMT
From: Darrell
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: misc/175381: pkg audit not detecting vulnerable packages

>Number:         175381
>Category:       misc
>Synopsis:       pkg audit not detecting vulnerable packages
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 17 18:20:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Darrell
>Release:        9.1-RELEASE
>Organization:
>Environment:
FreeBSD gt 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec  4 09:23:10 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
The pkgng command "pkg audit" is showing 0 vulnerabilities, even when a vulnerable package is installed. I am testing by installing vulnerability-test-port-2013.01.17 (which is listed in the audit file).
>How-To-Repeat:
[root@gt /usr/local/etc]# cat pkg.conf
# System-wide configuration file for pkg(1)
# For more information on the file format and
# options please refer to the pkg.conf(5) man page

# Configuration options
PACKAGESITE        : http://pkg.freebsd.org/${ABI}/latest
#SRV_MIRRORS        : NO
#PKG_DBDIR          : /var/db/pkg
#PKG_CACHEDIR       : /var/cache/pkg
#PORTSDIR           : /usr/ports
#PUBKEY             : /etc/ssl/pkg.conf
#HANDLE_RC_SCRIPTS  : NO
#PKG_MULTIREPOS     : NO
#ASSUME_ALWAYS_YES  : NO
#SYSLOG             : YES
#SHLIBS             : NO
#AUTODEPS           : NO
PORTAUDIT_SITE     : http://portaudit.FreeBSD.org/auditfile.tbz

# Repository definitions
#repos:
#  default : http://example.org/pkgng/
#  repo1 : http://somewhere.org/pkgng/repo1/
#  repo2 : http://somewhere.org/pkgng/repo2/

[root@gt ~]# curl -s http://portaudit.FreeBSD.org/auditfile.tbz|bunzip2 -c|head
auditfile000644 000121 000000 00002536414 12076036045 013644 0ustar00www-datawheel000000 000000 #CREATED: 2013-01-17 18:00:05
# Created by packaudit 0.2.3
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
# Please refer to the original document for copyright information:
# http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=1.2939
# Converted by vuxml2portaudit
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
chromium<24.0.1312.52|http://portaudit.FreeBSD.org/46bd747b-5b84-11e2-b06d-00262d5ed8ee.html|chromium -- multiple vulnerabilities
firefox>11.0,1<17.0.2,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
firefox<10.0.12,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities

[root@gt ~]# pkg update
Updating repository catalogue
Repository catalogue is up-to-date, no need to fetch fresh copy

[root@gt ~]# pkg info |grep vuln
vulnerability-test-port-2013.01.17 Standard vulnerability test for port auditing systems

[root@gt ~]# pkg audit
0 problem(s) in your installed packages found.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
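The auditfile lines quoted in the report use portaudit's `name<op>version[<op>version...]|url|description` format with FreeBSD package versions (`_revision`, `,epoch`). The following is an added example, not code from pkg(8), portaudit or the reporter: it reimplements the matching so that one can check by hand which quoted entries cover a given installed version. The version comparison is a simplified approximation of the pkg_version(1) rules (numeric dotted components, `alpha`/`beta`/`pre`/`rc` suffixes sorting below a bare number and other letter suffixes above it, then `_revision`, with `,epoch` taking precedence), not the full algorithm. The audit entries are copied from the report; the installed-package listing is constructed, with versions for nagios, firefox and chromium chosen for illustration.

```python
"""Minimal portaudit auditfile matcher (added example, not pkg(8)'s code)."""
import re
from typing import List, Tuple

# Entries copied from the auditfile quoted in the PR (comment lines kept on purpose).
AUDITFILE_SAMPLE = """\
#CREATED: 2013-01-17 18:00:05
# Created by packaudit 0.2.3
vulnerability-test-port>=2000<2013.01.17|http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/|Not vulnerable, just a test port (database: 2013-01-17)
nagios<3.4.3_1|http://portaudit.FreeBSD.org/97c22a94-5b8b-11e2-b131-000c299b62e1.html|nagios -- buffer overflow in history.cgi
chromium<24.0.1312.52|http://portaudit.FreeBSD.org/46bd747b-5b84-11e2-b06d-00262d5ed8ee.html|chromium -- multiple vulnerabilities
firefox>11.0,1<17.0.2,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
firefox<10.0.12,1|http://portaudit.FreeBSD.org/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html|mozilla -- multiple vulnerabilities
"""

# Constructed package listing (name-version, one per line); only the first
# entry is taken from the PR, the other versions are assumed for illustration.
INSTALLED_SAMPLE = """\
vulnerability-test-port-2013.01.17
nagios-3.4.3
firefox-17.0.1,1
chromium-24.0.1312.52
"""

PRERELEASE = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3}


def _component_key(comp: str):
    """Sort key for one dot-separated component such as '17', '0a' or 'rc1'.

    Simplified pkg_version(1) rules: pre-release words sort below a bare
    number, any other letter run sorts above it (1.0.rc1 < 1.0 < 1.0a).
    """
    m = re.fullmatch(r"(\d*)([A-Za-z]*)(\d*)", comp)
    if m is None:
        raise ValueError(f"unparseable version component: {comp!r}")
    num, letters, trailing = m.groups()
    n = int(num) if num else 0
    t = int(trailing) if trailing else 0
    letters = letters.lower()
    if not letters:
        return (n, 0, 0, 0)
    if letters in PRERELEASE:
        return (n, -1, PRERELEASE[letters], t)
    return (n, 1, letters, t)


def parse_version(version: str):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision)."""
    epoch = 0
    if "," in version:
        version, e = version.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in version:
        version, r = version.rsplit("_", 1)
        revision = int(r)
    comps = [_component_key(c) for c in version.split(".") if c != ""]
    return epoch, comps, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, == or > b: epoch, then components, then revision."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    pad = (0, 0, 0, 0)  # missing trailing components count as zero (1.0 == 1.0.0)
    width = max(len(ca), len(cb))
    ca = ca + [pad] * (width - len(ca))
    cb = cb + [pad] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


OP_RE = re.compile(r"(<=|>=|!=|<|>|=)([^<>=!|]+)")
SPEC_RE = re.compile(r"^([^<>=!|]+)((?:(?:<=|>=|!=|<|>|=)[^<>=!|]+)+)$")
OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "=": lambda c: c == 0, "!=": lambda c: c != 0,
}


def parse_auditfile(text: str) -> List[Tuple[str, List[Tuple[str, str]], str, str]]:
    """Parse 'name<op>ver...|url|description' lines; blank and '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, url, desc = line.split("|", 2)
        m = SPEC_RE.match(spec)
        if m is None:
            raise ValueError(f"bad package spec: {spec!r}")
        entries.append((m.group(1), OP_RE.findall(m.group(2)), url, desc))
    return entries


def split_pkg(pkg: str) -> Tuple[str, str]:
    """'nagios-3.4.3' -> ('nagios', '3.4.3'): the version follows the last '-'."""
    name, _, version = pkg.rpartition("-")
    return name, version


def audit(installed: str, auditfile: str) -> List[Tuple[str, str, str]]:
    """Return (installed-pkg, url, description) for every entry whose range matches."""
    entries = parse_auditfile(auditfile)
    hits = []
    for pkg in installed.split():
        name, version = split_pkg(pkg)
        for ename, ops, url, desc in entries:
            if ename != name:
                continue
            if all(OPS[op](compare_versions(version, bound)) for op, bound in ops):
                hits.append((pkg, url, desc))
    return hits


if __name__ == "__main__":
    hits = audit(INSTALLED_SAMPLE, AUDITFILE_SAMPLE)
    for pkg, url, desc in hits:
        print(f"{pkg} is vulnerable:\n{desc}\nWWW: {url}\n")
    print(f"{len(hits)} problem(s) in your installed packages found.")
```

Run on these inputs it flags nagios-3.4.3 (below `3.4.3_1`) and firefox-17.0.1,1 (inside `>11.0,1<17.0.2,1`), but neither chromium-24.0.1312.52 nor vulnerability-test-port-2013.01.17: both `<` bounds are exclusive and the installed version equals the bound, so under these rules the quoted test-port entry does not cover version 2013.01.17 at all. Whatever the cause of the reporter's result, that boundary condition, and whether the local copy of the auditfile is current (`pkg audit -F` fetches a fresh one), are worth checking before concluding that the matcher itself is at fault.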