Date: Thu, 14 Nov 2024 10:15:44 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 282755] `pkg audit` reports kernel vulnerability that was 'fixed' in a userland update?
Message-ID: <bug-282755-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282755

Bug ID: 282755
Summary: `pkg audit` reports kernel vulnerability that was 'fixed' in a userland update?
Product: Base System
Version: 14.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: marco+freebsd@glitchbox.nl

Through the periodic system a daily security check runs, which creates a report if there are any issues with the installed kernel and userland versions.

Yesterday I upgraded my system with 'freebsd-update fetch install', to 'FreeBSD 14.1-RELEASE-p6'.

Output of
'freebsd-version -k': 14.1-RELEASE-p5
'freebsd-version -u': 14.1-RELEASE-p6

Last night the security check ran and reported this vulnerability:

> FreeBSD-kernel-14.1_5 is vulnerable:
> FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
> CVE: CVE-2024-39281
> WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> 1 problem(s) in 1 installed package(s) found.

The `ctl` kernel driver was updated yesterday, but it seems to be part of the 'userland' updates? I saw no kernel patch, neither was the kernel version changed, it is still at 'p5'.

I looked at `405.pkg-base-audit`, which runs `pkg audit`. It does these 2 actions, first the kernel check:

```
~# freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-kernel-14.1_5
~# pkg audit -F FreeBSD-kernel-14.1_5
Fetching vuln.xml.xz: 100% 1 MiB 1.1MB/s 00:01
FreeBSD-kernel-14.1_5 is vulnerable:
FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
CVE: CVE-2024-39281
WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

1 problem(s) in 1 installed package(s) found.
```

And the userland check:

```
~# freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-14.1_6
~# pkg audit -F FreeBSD-14.1_6
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
```

I looked at both vulnerability reports:

https://vuxml.freebsd.org/freebsd/eb5c615d-a173-11ef-9a62-002590c1f29c.html (userland)
https://vuxml.freebsd.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html (kernel)

Both state a version of <= 14.1_6, which is the cause for the vulnerability report on the kernel.

The issue is fixed through a userland update? But since it is a kernel driver, the vulnerability report falls within the realm of the kernel?

I'm not sure what the fix should be. I guess it's a pickle, since the kernel, strictly seen, wasn't patched, so that it doesn't warrant a p6 version.
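As an added illustration (this is not the reporter's code and not FreeBSD's own `405.pkg-base-audit` script), the POSIX sh below reproduces the two steps the report describes: the `sed` mapping from a `freebsd-version` string to the pseudo-package name handed to `pkg audit -F`, followed by a simplified version comparison that shows why a kernel left at p5 is matched by an advisory that a userland at p6 is not. The `vercmp` and `audit_against_fix` helpers are assumptions of this example: they handle only the `MAJOR.MINOR[_PATCH]` shape seen here and model the entry as "fixed in 14.1_6", which is what the two audit runs quoted above observe (14.1_5 flagged, 14.1_6 clean); real pkg(8) version ordering and VuXML range semantics cover more cases.

```shell
#!/bin/sh
# Added example: not the bug report's own code and not FreeBSD's
# /etc/periodic/security/405.pkg-base-audit. It mirrors the two steps the
# report describes and shows why the kernel at p5 matches a VuXML entry
# that the userland at p6 does not.

# Map a freebsd-version(1) string to the pseudo-package name pkg audit -F
# expects, using the same sed expression the report quotes:
#   "FreeBSD-kernel-" + "14.1-RELEASE-p5"  ->  FreeBSD-kernel-14.1_5
#   "FreeBSD-"        + "14.1-RELEASE"     ->  FreeBSD-14.1
to_pkgname() {
    prefix=$1
    version=$2
    printf '%s\n' "$version" | sed -e "s,^,$prefix," -e 's,-RELEASE-p,_,;s,-RELEASE$,,'
}

# Compare two versions of the simplified form MAJOR.MINOR[_PATCH] and print
# -1, 0 or 1. Assumption: only this form occurs here; real pkg(8) version
# ordering handles many more shapes (letters, epochs, revisions).
vercmp() {
    a_rest=${1#*.}
    b_rest=${2#*.}
    a_maj=${1%%.*}; a_min=${a_rest%%_*}
    b_maj=${2%%.*}; b_min=${b_rest%%_*}
    case "$a_rest" in *_*) a_pat=${a_rest#*_} ;; *) a_pat=0 ;; esac
    case "$b_rest" in *_*) b_pat=${b_rest#*_} ;; *) b_pat=0 ;; esac
    for pair in "$a_maj $b_maj" "$a_min $b_min" "$a_pat $b_pat"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# An installed version is affected when it is strictly below the version the
# advisory was fixed in (the audit runs above show 14.1_5 flagged, 14.1_6 clean).
audit_against_fix() {
    installed=$1
    fixed_in=$2
    if [ "$(vercmp "$installed" "$fixed_in")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Constructed inputs taken from the report: kernel left at p5 by
# freebsd-update, userland at p6, advisory fixed in 14.1_6.
KERNEL_VERSION="14.1-RELEASE-p5"
USERLAND_VERSION="14.1-RELEASE-p6"
FIXED_IN="14.1_6"

kernel_pkg=$(to_pkgname FreeBSD-kernel- "$KERNEL_VERSION")   # FreeBSD-kernel-14.1_5
userland_pkg=$(to_pkgname FreeBSD- "$USERLAND_VERSION")      # FreeBSD-14.1_6

# ${pkg##*-} strips everything up to the last '-', leaving the version part.
printf '%s: %s\n' "$kernel_pkg"   "$(audit_against_fix "${kernel_pkg##*-}" "$FIXED_IN")"
printf '%s: %s\n' "$userland_pkg" "$(audit_against_fix "${userland_pkg##*-}" "$FIXED_IN")"
```

Run as-is it prints `FreeBSD-kernel-14.1_5: vulnerable` and `FreeBSD-14.1_6: fixed`, which is the same asymmetry the periodic report shows: the comparison is purely on the version string each side presents, so a kernel whose patch level did not move keeps matching the advisory regardless of which update set actually shipped the changed `ctl(4)` code.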