Date:      Tue, 12 Dec 2023 11:23:56 +0100
From:      Felix Palmen <zirias@freebsd.org>
To:        Philip Paeps <philip@freebsd.org>
Cc:        ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org,  dev-commits-ports-main@freebsd.org
Subject:   Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
Message-ID:  <lxsiotribdg577w5wrizqbdnwndxavmkes5tyucv7pk7v77pk3@3liohlyxu3qs>
In-Reply-To: <4DF4EE0F-AAD7-41A7-B940-F8192C62758D@freebsd.org>
References:  <202312070452.3B74qCJr077470@gitrepo.freebsd.org> <4aoxukh3ddhkq3qmo4qi7vpeqo3wpxc6nivrlve67hr7oszr2m@3wydgx5pc7be> <5ykuv4fnes6axn2l7mkuxksknt2b5oqkkuixuunndvgr5zg6yr@h7bxl6ntwkg2> <17D0B34D-59E6-4B4F-9642-FE7FA6111A19@freebsd.org> <dl7ecei24o74oh3ccbai4yilaoot3gopnhltm2hciltugi23xd@oelmepg2kfie> <4DF4EE0F-AAD7-41A7-B940-F8192C62758D@freebsd.org>



* Philip Paeps <philip@freebsd.org> [20231212 17:57]:
> On 2023-12-12 17:45:14 (+0800), Felix Palmen wrote:
> > * Philip Paeps <philip@freebsd.org> [20231212 17:34]:
> > > The issue described by FreeBSD-SA-23:17.pf only affects the pf kernel
> > > module, not the rest of the kernel.  Consequently, freebsd-update
> > > only
> > > rebuilt pf.ko.  kernel was not rebuilt.
> >
> > Thanks! That was the missing piece of information (for me) all the time!
>
> It's a very subtle distinction.  And we could try to be a bit clearer about
> what exactly freebsd-update updates under different circumstances.  In
> practice, this category of vulnerabilities doesn't come up very often.  And
> when it does, it usually affects device drivers and not kernel modules that
> a substantial fraction of our users can reasonably be expected to be using.

Indeed, I see that's a corner case, and maybe documentation could be
improved. I guess I'm not the only one who didn't know about that. Even
the common scenario of updates only touching userland is still kind of a
FAQ on the forums, although this one is widely known (and IMHO
documented well enough).

> > > - <package>FreeBSD-kernel</package> with the version reported by
> > > uname -k:
> > > this is how it is currently documented.  Users who have not upgraded
> > > anything will not realise they are affected, because uname -k has
> > > been at
> > > -p4 since October.  (As you correctly point out.)
> >
> > And yes, this is pointless, and I still think somehow dangerous when
> > people expect to be warned by periodic.
>
> Yeah ... I follow your reasoning.  I will sleep on this.

I now have to agree there's just no *correct* way right now. So in a
nutshell, the effect is that the vulnerability belongs to the kernel,
but it's impossible to tell from the kernel version whether the patch is
properly applied :(

> Sorry for not replying earlier.  I wasn't trying to quietly wait for the
> problem to be overcome by events.  I started typing my reply earlier and ...
> then ... got ... distracted. :-)

No problem at all, I know very well these things happen :)

I just had to ask again, because I knew that *either* this commit here
was plain out wrong *or* I was missing some crucial piece of
information to understand it. Actually glad it was the latter and there
are things going on to improve on this, thanks again!

Cheers, Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231
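The blind spot Felix describes above (the vulnerability belongs to the kernel, but the kernel version cannot tell you whether the rebuilt pf.ko is in place), as an added example that is not part of this thread and not FreeBSD's own vuxml or pkg-audit code: a small Python evaluator of VuXML-style <range> bounds against installed base-system package versions. The entry it parses is constructed in the VuXML layout with a placeholder vid and range (not the real FreeBSD-SA-23:17.pf data), the two hosts are constructed, the pf_ko_rebuilt field is invented to record which host actually received the rebuilt module, and the version comparison is a simplified reading of pkg-version(8) ordering (no epochs or letter suffixes).

```python
"""Evaluate VuXML-style <affects> ranges against installed package versions
and show why a version-only audit cannot see whether pf.ko was rebuilt.
Added example; not FreeBSD's vuxml tooling."""
import re
import xml.etree.ElementTree as ET

VUXML_NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed entry in the VuXML layout. The vid and the range are
# placeholders, not the real FreeBSD-SA-23:17.pf data.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="PLACEHOLDER-VID">
    <topic>FreeBSD -- placeholder kernel module issue</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>14.0</ge><lt>14.0_5</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?$")


def parse_version(text):
    """Split a base-system version such as '14.0_4' into (dotted numbers,
    revision). Simplified: epochs (',1') and letter suffixes are rejected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, the way pkg-version(8) orders these simple cases."""
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))   # '14.0' and '14.0.0' compare equal
    nb += (0,) * (width - len(nb))
    return ((na, ra) > (nb, rb)) - ((na, ra) < (nb, rb))


# VuXML bound tags and the comparison result each one accepts.
_BOUNDS = {
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
    "le": lambda c: c <= 0,
    "lt": lambda c: c < 0,
    "eq": lambda c: c == 0,
}


def version_in_range(version, range_el):
    """A <range> matches only when every bound inside it holds."""
    for bound in range_el:
        tag = bound.tag.rsplit("}", 1)[-1]   # strip the XML namespace
        if tag not in _BOUNDS:
            raise ValueError(f"unknown bound <{tag}>")
        if not _BOUNDS[tag](compare_versions(version, bound.text)):
            return False
    return True


def audit(vuxml_text, installed):
    """Return the vids whose <affects> match an installed package version.
    `installed` maps package name to version, e.g. {'FreeBSD-kernel': '14.0_4'}."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", VUXML_NS):
        for pkg in vuln.findall("v:affects/v:package", VUXML_NS):
            name = pkg.findtext("v:name", namespaces=VUXML_NS)
            if name not in installed:
                continue
            ranges = pkg.findall("v:range", VUXML_NS)
            if any(version_in_range(installed[name], r) for r in ranges):
                hits.append(vuln.get("vid"))
                break
    return hits


# Constructed hosts. Both report the same FreeBSD-kernel version; the
# pf_ko_rebuilt flag (invented here) records which one actually received the
# rebuilt module, information the version-based audit never sees.
HOSTS = {
    "host-a": {"FreeBSD-kernel": "14.0_4", "pf_ko_rebuilt": True},
    "host-b": {"FreeBSD-kernel": "14.0_4", "pf_ko_rebuilt": False},
}


def flagged_hosts(vuxml_text, hosts):
    """Hosts the version-only audit flags. The result is identical for the
    patched and the unpatched host, which is the blind spot discussed above."""
    return sorted(
        name for name, facts in hosts.items()
        if audit(vuxml_text, {"FreeBSD-kernel": facts["FreeBSD-kernel"]})
    )


if __name__ == "__main__":
    print("flagged:", flagged_hosts(SAMPLE_VUXML, HOSTS))   # both hosts
```

Running the module flags both constructed hosts, because the only input the range check consumes is the FreeBSD-kernel version, and that version is the same whether or not the rebuilt module was installed; the same holds in the other direction, where a kernel version bumped by an unrelated SA would clear both hosts even if pf.ko were never rebuilt.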

