Date: Mon, 02 Dec 2024 11:29:22 -0500
From: "Dan Langille" <dan@langille.org>
To: "Jos Chrispijn" <josc@cloudzeeland.nl>, "FreeBSD Mailing List" <freebsd-questions@freebsd.org>, "Philip Paeps" <philip@freebsd.org>
Subject: Re: FreeBSD-kernel-13.4_1 is vulnerable
Message-ID: <798fddc5-c2e9-4c2a-a64d-3627a9bc36f7@app.fastmail.com>
In-Reply-To: <b3545eca-5a07-4755-a01b-a5a461951770@cloudzeeland.nl>
References: <b3545eca-5a07-4755-a01b-a5a461951770@cloudzeeland.nl>
In this reply, I have cc'd philip@ - we have discussed this issue over the years.

On Fri, Nov 29, 2024, at 4:05 AM, Jos Chrispijn wrote:
> Not sure if I oversee an update, but still get this message
>
> Checking for security vulnerabilities in base (userland & kernel):
> Database fetched: 2024-11-27T23:30+01:00
> FreeBSD-kernel-13.4_1 is vulnerable:
>   FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
>   CVE: CVE-2024-39281
>   WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> Understand that for FreeBSD 14 this issue has been solved.
> Can you tell me when a fix will be released for 13.4?

I have the same issue with FreeBSD 14.1-RELEASE-p5 - the problem is not (in this case) an unpatched system. It is a false positive. The vuxml database seems to relate only to kernel vulns, and is not aware that sometimes a vuln affects userland. In this case, the userland is vuln (and patched) - pkg-base-audit is unaware of that.

To me, it is important to fix the problem because false positives develop into alert fatigue and cause unnecessary work.

[16:16 r730-01 dvl ~] % sudo /usr/local/etc/periodic/security/405.pkg-base-audit
Checking for security vulnerabilities in base (userland & kernel):
Host system:
vulnxml file up-to-date
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

[16:17 r730-01 dvl ~] % pkg which /usr/local/etc/periodic/security/405.pkg-base-audit
/usr/local/etc/periodic/security/405.pkg-base-audit was installed by package pkg-1.21.3

The problem is the kernel version and user version differ:

[16:17 r730-01 dvl ~] % freebsd-version -u
14.1-RELEASE-p6
[16:17 r730-01 dvl ~] %

I believe the problem is with the 405.pkg-base-audit which is looking only at the kernel version:

[16:18 r730-01 dvl ~] % freebsd-version -k
14.1-RELEASE-p5

... not knowing that the vuln is in the userland, not the kernel.

My wild idea here:

* indicate with each vuln: userland or kernel?
* when checking for a vuln, consult the above new flag and check the appropriate value

Philip: is my idea wildly off base?
--
  Dan Langille
  dan@langille.org
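The per-vuln userland/kernel flag Dan proposes, sketched in POSIX sh as an added example that is not part of this thread, of pkg(8) or of the 405.pkg-base-audit script. The `scope` field, the functions `patch_level`, `release_of` and `is_vulnerable`, and the "fixed at patch level 6" value are assumptions for the demonstration; the version strings are constructed to mirror the thread (kernel at p5, userland at p6).

```shell
#!/bin/sh
# Added example, not code from pkg(8) or the 405.pkg-base-audit script.
# Each vuln entry carries a hypothetical "scope" (kernel|userland) and the
# audit compares the freebsd-version(1) value for that component instead of
# always comparing the kernel version.

# Patch level of a freebsd-version(1) string: 14.1-RELEASE-p6 -> 6,
# a bare 14.1-RELEASE -> 0.
patch_level() {
    case "$1" in
        *-p*) echo "${1##*-p}" ;;
        *)    echo 0 ;;
    esac
}

# Release part of a freebsd-version(1) string: 14.1-RELEASE-p6 -> 14.1
release_of() {
    echo "${1%%-*}"
}

# is_vulnerable RELEASE FIXED_PATCH SCOPE KERNEL_VER USERLAND_VER
# True (exit 0) when the component named by SCOPE runs RELEASE at a patch
# level below FIXED_PATCH; a different release line is reported as not
# affected by this entry.
is_vulnerable() {
    release=$1 fixed=$2 scope=$3 kver=$4 uver=$5
    case "$scope" in
        kernel)   ver=$kver ;;
        userland) ver=$uver ;;
        *) echo "unknown scope: $scope" >&2; return 2 ;;
    esac
    [ "$(release_of "$ver")" = "$release" ] || return 1
    [ "$(patch_level "$ver")" -lt "$fixed" ]
}

# Constructed inputs mirroring the thread: kernel one patch level behind a
# patched userland. The "fixed in p6" value is an assumption for the demo.
KERNEL=14.1-RELEASE-p5
USERLAND=14.1-RELEASE-p6

# Today's behaviour: every entry is checked against the kernel version,
# so a userland-only fix still shows as vulnerable (the false positive).
if is_vulnerable 14.1 6 kernel "$KERNEL" "$USERLAND"; then
    echo "kernel-only check: FreeBSD-kernel-14.1_$(patch_level "$KERNEL") is vulnerable"
fi
# With the scope flag the userland version is compared and the entry clears.
if ! is_vulnerable 14.1 6 userland "$KERNEL" "$USERLAND"; then
    echo "scope=userland check: not vulnerable (userland at p$(patch_level "$USERLAND"))"
fi
```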
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?798fddc5-c2e9-4c2a-a64d-3627a9bc36f7>