From owner-freebsd-pkg@freebsd.org Sat Aug 12 00:37:57 2017
Date: Fri, 11 Aug 2017 17:37:56 -0700 (PDT)
From: Roger Marquis
To: Remko Lodder
cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
List-Id: Binary package management and package tools discussion

On Fri, 11 Aug 2017, Remko Lodder wrote:

> If an entry is removed from the ports/pkg trees and it is also removed
> from VuXML, then yes, it will no longer get marked in your local
> installation. That's a bit of a chicken and egg basically. Although I do
> not recall that it ever happened that ports that are no longer there, are
> removed from VuXML as well. (And I follow that since 2004).
>
> Do you have a more concrete example that we can dive into to see what is
> going on/going wrong?
Should be able to find missing VuXML entries for most anything that has been deprecated from the ports tree, but most of the ones I've seen are for web programming languages, particularly php. For example, when php5X was dropped it also disappeared from VuXML, with no small number of servers still using it. If those sites depended on pkg-audit to tell them they had a vulnerability, well, they were out of luck. There was no warning, no error, no disclaimer; pkg-audit did and still does nothing different than it would for a non-vulnerable port or package.

There may be more vulnerabilities in the wild from non-packaged base as it is larger, but at least people are working on that. Pkg-audit tracking of installed but deprecated ports, OTOH, seems to have fallen through the cracks. Even the FreeBSD Foundation and the ports-security teams appear to be ignoring this issue.

Roger Marquis
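The failure mode described in this thread is that pkg audit can only report on a package when some VuXML entry names it, so a package whose entries were dropped is indistinguishable from a clean one. The script below is an added example, not code from the thread or from pkg itself: it parses a VuXML database, collects every package name that any entry's affects block mentions, and lists installed packages that no entry mentions at all, so those can be reviewed by hand (deprecated port? upstream EOL?). The VuXML document and the pkg query output embedded in it are constructed for offline demonstration; the path /var/db/pkg/vuln.xml in the usage note is assumed to be where pkg audit -F stores the fetched database.

```python
"""List installed packages that no VuXML entry mentions (added example).

pkg audit flags a package only when a VuXML <affects> entry names it and
the installed version falls in one of the entry's ranges.  A package with
no entry at all is silently treated as clean, which is exactly the gap for
deprecated ports discussed above.  This script finds such packages.

Assumed usage on FreeBSD, after `pkg audit -F` has fetched the database:
    pkg query '%n %v' | python3 vuxml_coverage.py /var/db/pkg/vuln.xml
Run with no arguments it uses the constructed sample data below.
"""
import sys
import xml.etree.ElementTree as ET

# VuXML's XML namespace; every element in vuln.xml lives in it.
NS = "{http://www.vuxml.org/apps/vuxml-1}"


def vuxml_package_names(xml_text):
    """Set of package names that at least one VuXML entry says is affected.

    Only <affects>/<package>/<name> counts.  Cancelled entries carry no
    <affects> block and therefore contribute nothing, matching the fact
    that pkg audit cannot match anything against them either.
    """
    root = ET.fromstring(xml_text)
    names = set()
    for vuln in root.findall(NS + "vuln"):
        for name in vuln.findall(f"{NS}affects/{NS}package/{NS}name"):
            if name.text:
                names.add(name.text.strip())
    return names


def parse_pkg_query(text):
    """Parse `pkg query '%n %v'` output into (name, version) pairs."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def uncovered_packages(installed, covered_names):
    """Installed package names that no VuXML entry mentions at all.

    pkg audit would report nothing for these whatever their version, so
    they need a manual check rather than a silent pass.
    """
    return sorted({name for name, _version in installed} - covered_names)


# Constructed sample VuXML (toy vids and topics, not real advisories).
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>php56 -- constructed example issue</topic>
    <affects>
      <package>
        <name>php56</name>
        <range><lt>5.6.31</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>openssl -- constructed example issue</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><lt>1.0.2l</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000003">
    <cancelled/>
  </vuln>
</vuxml>
"""

# Constructed `pkg query '%n %v'` output; php55 has no entry in the sample.
SAMPLE_INSTALLED = """php56 5.6.40
openssl 1.0.2u
php55 5.5.38
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as f:
            xml_text = f.read()
        installed_text = sys.stdin.read()
    else:
        xml_text, installed_text = SAMPLE_VUXML, SAMPLE_INSTALLED
    covered = vuxml_package_names(xml_text)
    for name in uncovered_packages(parse_pkg_query(installed_text), covered):
        print(f"{name}: no VuXML entry at all; pkg audit will never flag it")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This is a coverage check, not a vulnerability check: a package it lists may be perfectly fine, but pkg audit's silence about it carries no information, which is the point Roger makes above.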