From: Remko Lodder <remko@FreeBSD.org>
Subject: Re: pkg audit false negatives
Date: Fri, 11 Aug 2017 23:55:13 +0200
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org

> On 11 Aug 2017, at 23:47, Roger Marquis wrote:
>
>> It had been resolved for dovecot (it will now match both variants, since people might still have
>> the old variant of the port installed) and there is a new paragraph added to the porters handbook
>> which tells that we need to have a look at the vuxml entries.
>
> Thanks Remko.

No problemo :)

>
>> Hope this solves your issue,
>
> It may for renamed ports/pkgs but doesn't appear to for deprecations.
> Once ports are dropped they do not show up in pkg-audit despite having
> been installed via pkg and/or ports. That's the false negative that
> appears to still be a problem.

Ports / pkgs that get renamed are now changed and/or added in VuXML as well. So the old variant and the new variant of the names would both be listed in pkg audit.

pkg audit parses VuXML; it also does a check on what is locally registered in its database. For example, if you have a/b installed and that has a marking in VuXML: b, then it would hit on the package you have. If a/b gets removed for some reason, and it is still in VuXML and you have it locally registered, then it would still be matched (or should).

If an entry is removed from the ports/pkg trees and it is also removed from VuXML, then yes, it will no longer get marked in your local installation. That's a bit of a chicken and egg basically. Although I do not recall that it ever happened that ports that are no longer there are removed from VuXML as well. (And I have followed that since 2004.)

Do you have a more concrete example that we can dive into to see what is going on/going wrong?

Cheers
Remko

>
> Roger
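The matching logic Remko describes (VuXML entries that list both the old and the new package name, checked against whatever is locally registered, and the false negative that appears once an entry disappears from VuXML while the package stays installed) can be modelled in a few lines. The script below is an added illustration by the editor; it is not code from Remko, from pkg, or from the FreeBSD project. The VuXML fragment and the installed-package list are constructed, the `vid` values are placeholders, and the version comparison is a deliberate simplification of pkg's real version rules.

```python
"""Toy model of how `pkg audit` matches VuXML <vuln> entries against installed packages.

Assumptions (editor's, not pkg's): element names follow the public VuXML format
(vuxml/vuln/topic/affects/package/name/range/lt|le|gt|ge|eq); installed packages are
given as "name-version" strings; versions compare as dotted numeric tuples only.
"""
import operator
import re
import xml.etree.ElementTree as ET

VUXML_URI = "http://www.vuxml.org/apps/vuxml-1"
NS = "{" + VUXML_URI + "}"
ET.register_namespace("", VUXML_URI)

# Constructed sample VuXML: entry 1 lists both the old and the renamed package name,
# entry 2 covers a port that will later be dropped. vids are placeholders.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>dovecot -- constructed example entry</topic>
    <affects><package>
      <name>dovecot</name>
      <name>dovecot2</name>
      <range><lt>2.2.31</lt></range>
    </package></affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>oldport -- constructed example entry</topic>
    <affects><package>
      <name>oldport</name>
      <range><ge>1.0</ge><lt>1.5</lt></range>
    </package></affects>
  </vuln>
</vuxml>
"""

# Constructed local package database: what `pkg` would have registered.
INSTALLED = ["dovecot-2.2.30", "dovecot2-2.2.30", "oldport-1.2", "oldport-1.5"]

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}


def version_key(version):
    """Simplified comparison key: numeric components compare numerically,
    anything else lexically after them. Real pkg versions are richer than this."""
    key = []
    for tok in re.split(r"[._,]", version):
        key.append((0, int(tok), "") if tok.isdigit() else (1, 0, tok))
    return key


def in_range(version, range_el):
    """True when `version` satisfies every bound inside one <range> element."""
    key = version_key(version)
    for bound in range_el:
        tag = bound.tag.replace(NS, "")
        if tag in OPS and not OPS[tag](key, version_key(bound.text.strip())):
            return False
    return True


def audit(vuxml_text, installed):
    """Return [(installed_entry, vid, topic)] for every installed package whose
    name appears in a <package> block and whose version falls in one of its ranges."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.iter(NS + "vuln"):
        vid, topic = vuln.get("vid"), vuln.findtext(NS + "topic")
        for pkg in vuln.iter(NS + "package"):
            names = {n.text.strip() for n in pkg.findall(NS + "name")}
            ranges = pkg.findall(NS + "range")
            for entry in installed:
                name, _, version = entry.rpartition("-")
                if name in names and any(in_range(version, r) for r in ranges):
                    findings.append((entry, vid, topic))
    return findings


def drop_entry(vuxml_text, vid):
    """Simulate the chicken-and-egg case: the <vuln> for a dropped port is removed
    from VuXML while the package is still registered locally."""
    root = ET.fromstring(vuxml_text)
    for vuln in list(root.findall(NS + "vuln")):
        if vuln.get("vid") == vid:
            root.remove(vuln)
    return ET.tostring(root, encoding="unicode")


def flagged(vuxml_text, installed=INSTALLED):
    """Set of installed entries that an audit would report."""
    return {entry for entry, _, _ in audit(vuxml_text, installed)}


if __name__ == "__main__":
    print("before:", sorted(flagged(SAMPLE_VUXML)))
    trimmed = drop_entry(SAMPLE_VUXML, "00000000-0000-0000-0000-000000000002")
    print("after dropping oldport entry:", sorted(flagged(trimmed)))
```

Running it shows both `dovecot-2.2.30` and `dovecot2-2.2.30` matching the single entry that carries both names (the renamed-port case that was fixed), and `oldport-1.2` matching while its entry is present but silently disappearing from the report once that entry is dropped, even though the package is still installed. That second run is the deprecation false negative Roger describes; the defence is exactly the practice Remko states, namely keeping entries in VuXML after the port itself is gone.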