Date: Fri, 4 Mar 2011 21:04:06 GMT
From: Vova Glas <uwl@mail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/155275: ports-mgmt/portaudit does not report installed vulnerable packages
Message-ID: <201103042104.p24L46fE066281@red.freebsd.org>
Resent-Message-ID: <201103042110.p24LA8wW055572@freefall.freebsd.org>
>Number:         155275
>Category:       ports
>Synopsis:       ports-mgmt/portaudit does not report installed vulnerable packages
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 04 21:10:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Vova Glas
>Release:        7.3-RELEASE-p4
>Organization:
>Environment:
FreeBSD boo.iga.home 7.3-RELEASE-p3 FreeBSD 7.3-RELEASE-p3 #14: Thu Nov 4 13:22:35 CET 2010 root@boo.iga.home:/usr/src/sys/i386/compile/boo73 i386
>Description:
Vulnerable asterisk package is not reported:

$ pkg_info | grep asterisk-1
asterisk-1.4.29_4   An Open Source PBX and telephony toolkit
$ portaudit -d
Database created: Fri Mar 4 21:00:01 CET 2011
$ portaudit -a
Affected package: php52-5.2.17
Type of problem: php -- NULL byte poisoning.
Reference: http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
$ gzcat /var/db/portaudit/auditfile.tbz | strings | grep asterisk14
asterisk14>1.4.*<1.4.39.2|http://portaudit.FreeBSD.org/65d16342-3ec8-11e0-9df7-001c42d23634.html|asterisk -- Exploitable Stack and Heap Array Overflows
asterisk14>1.4.*<1.4.39.1|http://portaudit.FreeBSD.org/5ab9fb2a-23a5-11e0-a835-0003ba02bf30.html|asterisk -- Exploitable Stack Buffer Overflow

As I can see, the asterisk-1.4.29_4 must be reported as affected.
>How-To-Repeat:
$ echo asterisk-1.4.29_4 | portaudit -f -
0 problem(s) found.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
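The following is an added example, not part of the PR and not portaudit's own code. It re-implements, in simplified form, the lookup that the auditfile lines quoted above imply: each line is keyed by a package name followed by version constraints, and an installed package string such as asterisk-1.4.29_4 is split into name and version before being checked. The two sample lines are copied from the report; the version-ordering rules (dotted numeric components, a trailing _N as PORTREVISION, and a trailing * treated as "any release of that branch" in a lower bound) are assumptions made for the example and are not pkg_version's algorithm. Running it shows that the installed name asterisk never reaches the version comparison against entries keyed asterisk14, while the same version under the name asterisk14 (a constructed contrast) matches both entries.

```python
import re

# Constructed sample: the two auditfile lines quoted in the report, in the
# auditfile format name<op>version[<op>version...]|url|description.
AUDIT_LINES = [
    "asterisk14>1.4.*<1.4.39.2|http://portaudit.FreeBSD.org/65d16342-3ec8-11e0-9df7-001c42d23634.html"
    "|asterisk -- Exploitable Stack and Heap Array Overflows",
    "asterisk14>1.4.*<1.4.39.1|http://portaudit.FreeBSD.org/5ab9fb2a-23a5-11e0-a835-0003ba02bf30.html"
    "|asterisk -- Exploitable Stack Buffer Overflow",
]

_CONSTRAINT_RE = re.compile(r"(<=|>=|<|>|=)([^<>=|]+)")


def split_pkgname(pkg):
    """'asterisk-1.4.29_4' -> ('asterisk', '1.4.29_4'); the name is everything before the last '-'."""
    name, _, version = pkg.rpartition("-")
    return name, version


def parse_version(v):
    """Simplified version parser (assumption for this example, not pkg_version's algorithm).

    '1.4.29_4' -> ((1, 4, 29), False, 4): dotted numeric components plus PORTREVISION.
    '1.4.*'    -> ((1, 4), True, 0):      a trailing '*' marks a branch wildcard.
    Non-numeric components (e.g. 'rc1') are treated as 0 here.
    """
    base, _, rev = v.partition("_")
    parts = base.split(".")
    wildcard = parts[-1] == "*"
    if wildcard:
        parts = parts[:-1]
    nums = tuple(int(p) if p.isdigit() else 0 for p in parts)
    return nums, wildcard, int(rev) if rev.isdigit() else 0


def satisfies(version, op, pattern):
    """True if the installed version meets one constraint such as ('<', '1.4.39.2')."""
    v_parts, _, v_rev = parse_version(version)
    p_parts, wildcard, p_rev = parse_version(pattern)
    if wildcard:
        # Assumption: 'X.Y.*' in a lower bound means 'any release of that branch',
        # so '>1.4.*' admits 1.4.29; in an upper bound it excludes the whole branch.
        prefix = v_parts[:len(p_parts)]
        return prefix >= p_parts if op in (">", ">=") else prefix < p_parts
    v, p = (v_parts, v_rev), (p_parts, p_rev)
    return {"<": v < p, "<=": v <= p, "=": v == p, ">=": v >= p, ">": v > p}[op]


def parse_entry(line):
    """Split one auditfile line into (package name, [(op, version), ...], url, description)."""
    spec, url, desc = line.split("|", 2)
    m = re.match(r"([^<>=]+)(.*)", spec)
    return m.group(1), _CONSTRAINT_RE.findall(m.group(2)), url, desc


def audit(pkg, lines=AUDIT_LINES):
    """Return the (url, description) entries whose name and version range cover the installed package."""
    name, version = split_pkgname(pkg)
    hits = []
    for line in lines:
        entry_name, constraints, url, desc = parse_entry(line)
        if entry_name != name:
            continue  # entries are keyed by package name; a different name never matches
        if all(satisfies(version, op, pat) for op, pat in constraints):
            hits.append((url, desc))
    return hits


def report(pkg, lines=AUDIT_LINES):
    """Render matches in the style of the portaudit output quoted in the report."""
    hits = audit(pkg, lines)
    out = []
    for url, desc in hits:
        out += [f"Affected package: {pkg}", f"Type of problem: {desc}.", f"Reference: {url}", ""]
    out.append(f"{len(hits)} problem(s) found.")
    return "\n".join(out)


if __name__ == "__main__":
    # The package as installed on the reporter's box, then the same version
    # under the name the auditfile entries are keyed on (constructed contrast).
    for pkg in ("asterisk-1.4.29_4", "asterisk14-1.4.29_4"):
        print(f"--- {pkg} ---")
        print(report(pkg))
```

The check to take away for anyone triaging a report like this: compare the name part of the installed package (pkg_info output) with the name that prefixes the auditfile entries before looking at version ranges, since a database keyed on a different package name produces "0 problem(s) found." regardless of how vulnerable the installed version is.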
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201103042104.p24L46fE066281>