Date:      Tue, 12 Dec 2023 10:45:14 +0100
From:      Felix Palmen <zirias@freebsd.org>
To:        Philip Paeps <philip@freebsd.org>
Cc:        ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org,  dev-commits-ports-main@freebsd.org
Subject:   Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
Message-ID:  <dl7ecei24o74oh3ccbai4yilaoot3gopnhltm2hciltugi23xd@oelmepg2kfie>
In-Reply-To: <17D0B34D-59E6-4B4F-9642-FE7FA6111A19@freebsd.org>
References:  <202312070452.3B74qCJr077470@gitrepo.freebsd.org> <4aoxukh3ddhkq3qmo4qi7vpeqo3wpxc6nivrlve67hr7oszr2m@3wydgx5pc7be> <5ykuv4fnes6axn2l7mkuxksknt2b5oqkkuixuunndvgr5zg6yr@h7bxl6ntwkg2> <17D0B34D-59E6-4B4F-9642-FE7FA6111A19@freebsd.org>



* Philip Paeps <philip@freebsd.org> [20231212 17:34]:
> The issue described by FreeBSD-SA-23:17.pf only affects the pf kernel
> module, not the rest of the kernel.  Consequently, freebsd-update only
> rebuilt pf.ko.  kernel was not rebuilt.

Thanks! That was the missing piece of information (for me) all the time!

> - <package>FreeBSD</package> with the version reported by freebsd-version:
> this incorrectly presents the vulnerability as affecting userland.

Wouldn't this be the "least wrong" approach for now then? Because:

> - <package>FreeBSD-kernel</package> with the version reported by
> freebsd-version: this is how I originally documented the vulnerability.
> Since the kernel was not rebuilt (only pf.ko), systems comparing the output
> of uname -k to the versions in the vuxml document cannot see that the system
> was upgraded.

Yes, this is clearly wrong then. Sorry, I wasn't aware the kernel wasn't
rebuilt when modules are affected by a fix ...

> - <package>FreeBSD-kernel</package> with the version reported by uname -k:
> this is how it is currently documented.  Users who have not upgraded
> anything will not realise they are affected, because uname -k has been at
> -p4 since October.  (As you correctly point out.)

And yes, this is pointless, and I still think it's somehow dangerous when
people expect to be warned by periodic.

> The security-officer team is trying to come up with a way to forcibly
> rebuild the kernel for this category of vulnerabilities.  This is not a
> great solution either though.  It requires users to reboot the system
> whereas (in theory, in many/most cases), unloading and reloading the kernel
> module would address the vulnerability.

This sounds like a "better than before" kind of approach as well,
thanks.

> The good news is that pkgbase will solve this problem to some extent.
> Kernel modules are distributed in the FreeBSD-kernel package.  While "pkg
> audit" won't be able to determine if the correct module is loaded, at least
> it will be able to see that the correct package has been installed.

Sounds nice as well. Then I'll shut up for now. Still "wrong"
unfortunately, but good to know there's at least progress :)

Cheers, Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231
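The three documentation options discussed above differ only in which version string the audit compares against the vuxml range. The following Python model, added here and not part of the thread or of pkg's own audit code, makes the consequences concrete. It assumes a simplified version comparison (patch level only, "13.2-RELEASE-p4" and vuxml-style "13.2_4" treated as equivalent forms) and uses constructed patch levels: the fix is assumed to ship at userland -p5 while the kernel, with only pf.ko rebuilt, stays at -p4. The entry contents and host states are illustrative, not the real SA-23:17.pf entry.

```python
import re
from typing import NamedTuple


class Host(NamedTuple):
    """Constructed host state: what freebsd-version -u and -k / uname -k would report."""
    name: str
    userland: str
    kernel: str


def parse_version(v: str) -> tuple:
    """Parse '13.2-RELEASE-p4' (freebsd-version/uname form) or '13.2_4'
    (vuxml form) into a comparable (major, minor, patch) tuple.
    Simplified model: -RELEASE only, no -STABLE/-CURRENT handling."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:-RELEASE)?(?:-p(\d+)|_(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version {v!r}")
    major, minor, p_dash, p_under = m.groups()
    return (int(major), int(minor), int(p_dash or p_under or 0))


def affected(entry: dict, installed: str) -> bool:
    """vuxml-style half-open range check: ge <= installed < lt."""
    lo, hi = entry["range"]
    return parse_version(lo) <= parse_version(installed) < parse_version(hi)


# Constructed vuxml-style entries for the three options from the thread,
# paired with the version source an audit would compare against.
# Patch levels are placeholders (assumed fix at -p5, kernel stuck at -p4).
OPTIONS = {
    "FreeBSD / freebsd-version -u": (
        {"package": "FreeBSD", "range": ("13.2", "13.2_5")}, "userland"),
    "FreeBSD-kernel / freebsd-version -k": (
        {"package": "FreeBSD-kernel", "range": ("13.2", "13.2_5")}, "kernel"),
    "FreeBSD-kernel / uname -k": (
        {"package": "FreeBSD-kernel", "range": ("13.2", "13.2_4")}, "kernel"),
}

# Constructed host states: one untouched, one after freebsd-update rebuilt only pf.ko.
HOSTS = [
    Host("unpatched", userland="13.2-RELEASE-p4", kernel="13.2-RELEASE-p4"),
    Host("freebsd-update (pf.ko only)", userland="13.2-RELEASE-p5", kernel="13.2-RELEASE-p4"),
]

# Ground truth for the constructed scenario: only the updated host is fixed.
TRUTH = {"unpatched": True, "freebsd-update (pf.ko only)": False}


def audit(option: str, host: Host) -> bool:
    """Verdict an audit would give for this host under the chosen documentation option."""
    entry, source = OPTIONS[option]
    return affected(entry, getattr(host, source))


def evaluate() -> dict:
    """Map (option, host name) -> (verdict, verdict matches ground truth)."""
    results = {}
    for option in OPTIONS:
        for host in HOSTS:
            verdict = audit(option, host)
            results[(option, host.name)] = (verdict, verdict == TRUTH[host.name])
    return results


if __name__ == "__main__":
    for (option, host), (verdict, ok) in evaluate().items():
        status = "affected" if verdict else "not affected"
        print(f"{option:38} {host:30} -> {status:12} {'OK' if ok else 'WRONG'}")
```

Run stand-alone, the table shows the trade-off the thread describes: the FreeBSD/userland option gets both verdicts right (at the cost of mislabelling the affected component), the FreeBSD-kernel/freebsd-version -k option raises a false positive on the updated host because the kernel version never moved, and the uname -k option raises a false negative on the unpatched host, which is the case that matters most for anyone relying on periodic's warning.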

