From: Matthew Seaman <matthew@FreeBSD.org>
To: David Wolfskill, freebsd-ports@FreeBSD.org
Subject: Re: Please help un-confuse me about vuxml
Date: Fri, 03 Jul 2015 14:36:05 +0100
Message-ID: <55968FC5.5010503@FreeBSD.org>
In-Reply-To: <20150703130103.GM1472@albert.catwhisker.org>
List-Id: Porting software to FreeBSD <freebsd-ports@freebsd.org>

On 2015/07/03 14:01, David Wolfskill wrote:
> And that combination of things catalyzed this note.
>
> Here's what I'm seeing:
> - There is a claim that the port to which I was trying to update was
>   "vulnerable" per vuxml.

vuxml currently states that netpbm versions /less than/ 10.35.96 are vulnerable, and has done since about 48h ago. Given that the latest available version of netpbm is now 10.35.96 (committed at right about the same time as the vuxml update) you should be able to upgrade to that without problems. No idea why portmaster is getting this wrong.

> - The vuxml entry effectively required human intervention to update
>   the port.
>
> - The most recent update to the port itself claimed that it had a
>   fix to address said vulnerability. (This gives one reason to
>   wonder why *this* version of the port had a vuxml entry, then.)

This is what the vuxml says:

    netpbm 10.35.96

Which means that 10.35.95 or anything earlier is vulnerable, but 10.35.96 and above is not.

> - I had no feasible way to have a clue about any of this until the
>   artificial failure disrupted the usual update process.

For a second opinion on what vulnerabilities you may have, try 'pkg audit -F' (which will work just fine no matter if you're installing pre-compiled pkgs or building your own from ports).

> - As far as I can tell, there was no value in the existence of the vuxml
>   entry for this port under these circumstances. Rather, it was merely
>   annoying and disruptive, for no gain whatsoever. There wasn't even an
>   UPDATING entry to warn a person about what was going on.

There's no requirement that a fixed version be available from ports before vuxml gets updated. Quite the opposite in fact. Admins should be informed if they are running vulnerable software so they can take some sort of ameliorative action even if the official fix is not yet published.

Why would you expect an UPDATING entry here? Documenting every vulnerability in the ports isn't what UPDATING is for. Only if the way you would need to fix the vulnerability involved doing more than a simple upgrade would that be legitimate UPDATING territory.

> So... what am I missing? How is a vuxml entry for ports/graphics/netpbm
> @r391058 that claims it's vulnerable per CVE-2015-3885 useful or
> helpful?

A vuxml entry in general tells you what is vulnerable and gives you the chance to do something about it -- even if what you do is to consider the nature of the vulnerability and decide that it's an acceptable risk in your environment and so simply ignore it -- rather than the alternative of discovering there was a vulnerability because your machine has now been compromised...

Another response (for the sufficiently paranoid) might have been to delete the vulnerable package and do without it until the fix was available. Although I have no idea why that particular version of netpbm was being flagged as vulnerable for you.

Cheers,

Matthew
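[Added example, not part of the thread above and not code from the FreeBSD ports tree or from pkg(8).] The point Matthew makes about the vuxml range is worth seeing in code: a <range> with <lt>10.35.96</lt> matches strictly smaller versions, so 10.35.95 is flagged and 10.35.96 is not. The script below parses a constructed vuxml entry shaped like the real format (the vid is a placeholder, the topic, description and entry date are constructed; the package name, bound and CVE-2015-3885 come from the thread) and audits a map of installed packages against it, the way 'pkg audit -F' does against the fetched database. It generalises to all five vuxml bound operators (lt, le, eq, ge, gt) and to several <range> elements per package. Version comparison is a simplified dotted-numeric compare, an assumption standing in for pkg's full version rules (which also order suffixes such as _2 and ,1); it is adequate for plain a.b.c versions like netpbm's.

```python
import xml.etree.ElementTree as ET

# Namespace used by the vuxml document; <vuln> elements live in it.
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample entry (vid is a placeholder UUID; topic, description and
# date are made up for the example; name, bound and CVE come from the thread).
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>netpbm -- constructed example entry</topic>
    <affects>
      <package>
        <name>netpbm</name>
        <range><lt>10.35.96</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Constructed description; see the CVE reference.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-3885</cvename>
    </references>
    <dates>
      <entry>2015-07-01</entry>
    </dates>
  </vuln>
</vuxml>
"""

# Bound operator -> the cmp_version() results under which the bound matches.
OPS = {"lt": (-1,), "le": (-1, 0), "eq": (0,), "ge": (0, 1), "gt": (1,)}


def parse_version(v):
    """Split '10.35.96' into (10, 35, 96). Simplified: numeric dotted parts only
    (assumption: no _n / ,n suffixes, unlike pkg's real comparison)."""
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {v!r}")
    return tuple(int(p) for p in parts)


def cmp_version(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.
    Shorter versions are zero-padded, so '10.35' compares as '10.35.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.split("}")[-1]


def range_matches(range_el, version):
    """A <range> matches when every bound inside it matches (bounds are ANDed,
    e.g. <ge>1.0</ge><lt>1.2</lt> means 1.0 <= v < 1.2)."""
    bounds = [c for c in range_el if _local(c.tag) in OPS]
    return all(cmp_version(version, b.text.strip()) in OPS[_local(b.tag)]
               for b in bounds)


def audit(vuxml_text, installed):
    """installed: {pkgname: version}. Returns {pkgname: [vid, ...]} for every
    package whose version falls in at least one <range> of a <vuln>."""
    root = ET.fromstring(vuxml_text)
    findings = {}
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        for pkg in vuln.findall("v:affects/v:package", NS):
            for name_el in pkg.findall("v:name", NS):
                name = name_el.text.strip()
                ver = installed.get(name)
                if ver is None:
                    continue
                # Several <range> elements in one <package> are alternatives.
                if any(range_matches(r, ver) for r in pkg.findall("v:range", NS)):
                    findings.setdefault(name, []).append(vid)
    return findings


if __name__ == "__main__":
    for ver in ("10.35.95", "10.35.96", "10.35.100"):
        hits = audit(VUXML_SAMPLE, {"netpbm": ver})
        print(f"netpbm-{ver}: {'VULNERABLE ' + str(hits) if hits else 'not affected'}")
```

Running it shows netpbm-10.35.95 matched and 10.35.96 and 10.35.100 clean, which is exactly what the "<lt>" bound means; a port at the fixed version should therefore pass pkg audit, and if a tool still flags it the installed package version, not the vuxml entry, is the thing to check.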