Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 28 Mar 2014 15:26:24 +0900 (JST)
From:      Yasuhiro KIMURA <yasu@utahime.org>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/188022: [PATCH] security/vuxml: fix false positive about www/mod_php5 vulneravilities.
Message-ID:  <20140328062624.BDEA275942@eastasia.home.utahime.org>
Resent-Message-ID: <201403280630.s2S6U0lK012594@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         188022
>Category:       ports
>Synopsis:       [PATCH] security/vuxml: fix false positive about www/mod_php5 vulneravilities.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 28 06:30:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Yasuhiro KIMURA
>Release:        FreeBSD 10.0-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD xxxx 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260673: Thu Jan 23 22:36:39 JST 2014 xxxx amd64


	
>Description:
	
	- New port www/mod_php5 is added but 'pkg audit' reports 8
	  vulneravilities as following. They seem false positive so fix
	  range of corresponding entries in vuln.xml.
	- Add LICENSE.
	- Support staging.

>How-To-Repeat:
	
>Fix:

	

--- pkg-audit-F.log begins here ---
Script started on Fri Mar 28 14:31:03 2014
command: pkg audit -F
Vulnxml file up-to-date.
mod_php5-5.4.26 is vulnerable:
php -- multiple vulnerabilities
CVE: CVE-2006-4486
CVE: CVE-2006-4485
CVE: CVE-2006-4484
CVE: CVE-2006-4483
CVE: CVE-2006-4482
CVE: CVE-2006-4481
WWW: http://portaudit.FreeBSD.org/ea09c5df-4362-11db-81e1-000e0c2e438a.html

mod_php5-5.4.26 is vulnerable:
php -- vulnerability in RFC 1867 file upload processing
WWW: http://portaudit.FreeBSD.org/562a3fdf-16d6-11d9-bc4a-000c41e2cdad.html

mod_php5-5.4.26 is vulnerable:
php -- php_variables memory disclosure
WWW: http://portaudit.FreeBSD.org/ad74a1bd-16d2-11d9-bc4a-000c41e2cdad.html

mod_php5-5.4.26 is vulnerable:
php -- strip_tags cross-site scripting vulnerability
CVE: CVE-2004-0595
WWW: http://portaudit.FreeBSD.org/edf61c61-0f07-11d9-8393-000103ccf9d6.html

mod_php5-5.4.26 is vulnerable:
php -- memory_limit related vulnerability
CVE: CVE-2004-0594
WWW: http://portaudit.FreeBSD.org/dd7aa4f1-102f-11d9-8a8a-000c41e2cdad.html

mod_php5-5.4.26 is vulnerable:
php -- _ecalloc Integer Overflow Vulnerability
CVE: CVE-2006-4812
WWW: http://portaudit.FreeBSD.org/e329550b-54f7-11db-a5ae-00508d6a62df.html

mod_php5-5.4.26 is vulnerable:
php -- multiple vulnerabilities
CVE: CVE-2004-1065
CVE: CVE-2004-1019
WWW: http://portaudit.FreeBSD.org/d47e9d19-5016-11d9-9b5f-0050569f0001.html

mod_php5-5.4.26 is vulnerable:
php -- open_basedir Race Condition Vulnerability
CVE: CVE-2006-5178
WWW: http://portaudit.FreeBSD.org/edabe438-542f-11db-a5ae-00508d6a62df.html

1 problem(s) in the installed packages found.

Script done on Fri Mar 28 14:31:03 2014
--- pkg-audit-F.log ends here ---

--- patch-security_vuxml begins here ---
Index: Makefile
===================================================================
--- Makefile	(revision 349387)
+++ Makefile	(working copy)
@@ -14,6 +14,8 @@
 MAINTAINER=	ports-secteam@FreeBSD.org
 COMMENT=	Vulnerability and eXposure Markup Language DTD
 
+LICENSE=	BSD2CLAUSE
+
 RUN_DEPENDS=	${XMLCATMGR}:${PORTSDIR}/textproc/xmlcatmgr \
 		${LOCALBASE}/share/xml/dtd/xhtml-modularization/VERSION:${PORTSDIR}/textproc/xhtml-modularization \
 		${LOCALBASE}/share/xml/dtd/xhtml-basic/xhtml-basic10.dtd:${PORTSDIR}/textproc/xhtml-basic
@@ -46,7 +48,6 @@
 
 VUXML_FILE?=	${PKGDIR}/vuln.xml
 
-NO_STAGE=	yes
 do-extract:
 	@${RM} -rf ${WRKDIR}
 	@${MKDIR} ${WRKDIR}
@@ -65,13 +66,10 @@
 	    ${PLIST}
 
 do-install:
-	@[ -d ${PREFIX}/${dir_DTD} ] || \
-	    ${MKDIR} ${PREFIX}/${dir_DTD}
+	@${MKDIR} ${STAGEDIR}${PREFIX}/${dir_DTD}
 .for f in ${DISTFILES}
-	${INSTALL_DATA} ${WRKSRC}/${f} ${PREFIX}/${dir_DTD}/${f}
+	${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${PREFIX}/${dir_DTD}/${f}
 .endfor
-	${XMLCAT_ADD}
-	${SGMLCAT_ADD}
 
 validate: tidy
 	@${SH} ${FILESDIR}/validate.sh "${VUXML_FILE}"
Index: vuln.xml
===================================================================
--- vuln.xml	(revision 349387)
+++ vuln.xml	(working copy)
@@ -55637,7 +55637,7 @@
 	<name>php5-horde</name>
 	<name>php5-nms</name>
 	<name>mod_php5</name>
-	<range><ge>0</ge></range>
+	<range><lt>5.1.6_1</lt></range>
       </package>
     </affects>
     <description>
@@ -55853,7 +55853,8 @@
 	<name>php5-nms</name>
 	<name>mod_php4</name>
 	<name>mod_php5</name>
-	<range><ge>0</ge></range>
+	<range><lt>4.4.4_1</lt></range>
+	<range><ge>5.*</ge><lt>5.1.6_2</lt></range>
       </package>
     </affects>
     <description>
@@ -56832,7 +56833,8 @@
 	<name>php5-nms</name>
 	<name>mod_php4</name>
 	<name>mod_php5</name>
-	<range><ge>0</ge></range>
+	<range><lt>4.4.4</lt></range>
+	<range><ge>5</ge><lt>5.1.5</lt></range>
       </package>
     </affects>
     <description>
@@ -76096,7 +76098,7 @@
       </package>
       <package>
 	<name>mod_php5</name>
-	<range><lt>5.0.3,1</lt></range>
+	<range><lt>5.0.3</lt></range>
       </package>
     </affects>
     <description>
@@ -79080,7 +79082,7 @@
       </package>
       <package>
 	<name>mod_php5</name>
-	<range><le>5.0.1,1</le></range>
+	<range><le>5.0.1</le></range>
       </package>
     </affects>
     <description>
@@ -79130,7 +79132,7 @@
       </package>
       <package>
 	<name>mod_php5</name>
-	<range><le>5.0.1,1</le></range>
+	<range><le>5.0.1</le></range>
       </package>
     </affects>
     <description>
@@ -79816,7 +79818,7 @@
       </package>
       <package>
 	<name>mod_php5</name>
-	<range><le>5.0.0.r3_2,1</le></range>
+	<range><le>5.0.0.r3_2</le></range>
       </package>
     </affects>
     <description>
@@ -79865,7 +79867,7 @@
       </package>
       <package>
 	<name>mod_php5</name>
-	<range><le>5.0.0.r3_2,1</le></range>
+	<range><le>5.0.0.r3_2</le></range>
       </package>
     </affects>
     <description>
--- patch-security_vuxml ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140328062624.BDEA275942>