From nobody Tue Dec 12 09:34:08 2023
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SqD2t55tlz53hn4;
	Tue, 12 Dec 2023 09:34:14 +0000 (UTC)
	(envelope-from philip@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4SqD2t4HH9z3FhH;
	Tue, 12 Dec 2023 09:34:14 +0000 (UTC)
	(envelope-from philip@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1702373654;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=sY3gmWfa1DoFZsdLhEh9/lByMcJzMDiDAX0St/ZuEw0=;
	b=bFGQe5ZCFBUP3a4j31l/5Rc39HRgmH5cpPtW0j1UMQrD0U5hBBGJsmsJkeSO+PxgjYVF0T
	aRV6FMmD75/e/uxvPQuKpMXj1q8LnFx0zNjnRuAWoJrbd/2qhA4Fp5HxghPTvsuhmXD8yZ
	YJJzyb8H80ywVOhchAzazA4kXcMPMv488QvnhauvSRbgm9xcu+vAtkuPqnwj2hftB81VBq
	L+rMTQbNXr4nqwHtxvfgQc74bXkVpTGTSzPIVEJeZZZwZ0q/yM+ZzhmMZsP1MV7OMg6X5M
	+M2Z3tGqbnvQ7v7BIH0o6P2qx/Cey8R+XK6Jx6ioZaxju/rEklpPzSw2CBE2yQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1702373654; a=rsa-sha256; cv=none;
	b=QqSPN/4txuWQYizC7NPZgJKEEQYP2wTlgh7ppbz6iMbQj6Hsr4xzfaaf6Icfh5JhlvZg2y
	a0IvXXlcAJKRwF/cb7WzwIibqmZ321TrM2sH0poaasOw3tnl7lvPA5IepZvf5c5OGWd+ll
	djBtyvG8sSAjPvkzVztJQXLPGtP0ioQUkSnn580w3dsUZjhe93ORwf3PyNBpxlpUB3la7r
	A++2n+W/qjWs4LFTxKGfmf0SGT6qpz8zj5P00poTtQMiO0BXLmmaB/3TR92H236JirwRRa
	pTuZHSMZFxpi4EPbns9exoQ7hJoqrtqE7Y0CZN3C/tLXuz8qdGTkwjWvyjkO5w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1702373654;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=sY3gmWfa1DoFZsdLhEh9/lByMcJzMDiDAX0St/ZuEw0=;
	b=ngRJRpXE7QjgixV14SHmAKsdPuu/f3/QGjproC33+OMOYWijWpQir1nTky1OgD7BWkxXqp
	wY0scVROIXIyTYI7PJeZl2OH+MKw7RDVIUIb+vAdn+6bBd5osMCs5sROk7hGumgSWyeSRW
	/NjuVl9LPTlWuaJbnlWSQST/WzIXXDisuUvOotX6EXX34vyk2TH77ydyhpKakGRgyGVwfA
	ejAPXzaJiOVtmTFZMQ1I8l7BUAQpwMVRrLaLQHZpCVDgFe3zmHQ0AAi35kHEelelx8Vydw
	3F6hDrbzqoRG/il4j8tsrZCJH2te+rAmeT6iifHilv3/EharA9gqK2Hx/H3uAg==
Received: from auth2-smtp.messagingengine.com (auth2-smtp.messagingengine.com [66.111.4.228])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: philip/mail)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4SqD2t33tQzCtp;
	Tue, 12 Dec 2023 09:34:14 +0000 (UTC)
	(envelope-from philip@freebsd.org)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
	by mailauth.nyi.internal (Postfix) with ESMTP id 4715027C0054;
	Tue, 12 Dec 2023 04:34:14 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
  by compute4.internal (MEProxy); Tue, 12 Dec 2023 04:34:14 -0500
X-ME-Sender: <xms:Fil4ZUE9lYLTA5foZ5zMQkIgan6CMuD4Td6J_qPIFZT3wTvKijsvYg>
    <xme:Fil4ZdWWdcwG8ho7vqNkQkxRaqiQkmftHxkghJDjocLF2F8YCcZfomStUoAPTBqGY
    1d64HDZBRvtzNufUiI>
X-ME-Received: <xmr:Fil4ZeLuUG2HmrVq6knPx4onbSV_DICOwPg_GTEfQ4ey6Pr1XB2SHFfRmAZL94wQ-8xoD47QzTyRQGTiw7QL6Gqebwm_C8Di8Q>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrudelgedgtdegucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefhvfevufffoffkjghfgggtgfesth
    hqmhdtredttdenucfhrhhomheprfhhihhlihhpucfrrggvphhsuceophhhihhlihhpsehf
    rhgvvggsshgurdhorhhgqeenucggtffrrghtthgvrhhnpeejudekfffgffekjeffgfefgf
    eltdehhfffgeegveegveehvdehgedtuddvteekieenucffohhmrghinhepfhhrvggvsghs
    ugdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh
    hmpehphhhilhhiphdomhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthidqudduieei
    vdeivdegkedqvdefhedukedttdekqdhphhhilhhipheppehfrhgvvggsshgurdhorhhgse
    htrhhouhgslhgvrdhish
X-ME-Proxy: <xmx:Fil4ZWEuULvGbSPcoFv6RP7RqWtfkl1ygZCUcZrO-lfiKsJ-p641gg>
    <xmx:Fil4ZaWpfuZ93J1HJ41YH6av7fr0eOQioWZHc2iSs7d6II1IVvbsbg>
    <xmx:Fil4ZZMVW-t8O5FfCP2PC1Fkp1E4By3Mwx78GyWYt7uD4kTfDA5cWQ>
    <xmx:Fil4ZZR6CzqDshLzv8Pf0NgSycYHqRdhjFkA7J9HcWzXr8UqeRtIbQ>
Feedback-ID: ia691475d:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue,
 12 Dec 2023 04:34:12 -0500 (EST)
From: Philip Paeps <philip@freebsd.org>
To: Felix Palmen <zirias@freebsd.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org,
 dev-commits-ports-main@freebsd.org
Subject: Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's
 affected range
Date: Tue, 12 Dec 2023 17:34:08 +0800
X-Mailer: MailMate (1.14r6010)
Message-ID: <17D0B34D-59E6-4B4F-9642-FE7FA6111A19@freebsd.org>
In-Reply-To: <5ykuv4fnes6axn2l7mkuxksknt2b5oqkkuixuunndvgr5zg6yr@h7bxl6ntwkg2>
References: <202312070452.3B74qCJr077470@gitrepo.freebsd.org>
 <4aoxukh3ddhkq3qmo4qi7vpeqo3wpxc6nivrlve67hr7oszr2m@3wydgx5pc7be>
 <5ykuv4fnes6axn2l7mkuxksknt2b5oqkkuixuunndvgr5zg6yr@h7bxl6ntwkg2>
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Content-Transfer-Encoding: quoted-printable

On 2023-12-12 17:14:02 (+0800), Felix Palmen wrote:
> * Felix Palmen <zirias@freebsd.org> [20231207 18:48]:
>> * Philip Paeps <philip@FreeBSD.org> [20231207 04:52]:
>>>     FreeBSD-SA-23:17.pf only affects the kernel, not userland.  The =

>>> first
>>>     patch level of the kernel without the vulnerability is 13.2_4, =

>>> not
>>>     13.2_7.
>>
>> Please revert this commit. The first sentence of the message is =

>> correct,
>> the second one is wrong. The fixed kernel has version =

>> 13.2-RELEASE-p7.
>
> The more time passes the less important this will be, but I'm still
> convinced it is wrong and might be dangerous to someone only relying =

> on
> periodic security reports.
>
> I double-checked multiple times, and I see no way how a kernel could
> ever be built with a different version than the one listed in
> sys/conf/newvers.sh. If there *is* a way, please explain how this =

> could
> ever work (and how to ever avoid massive confusion, even for people =

> just
> building their custom kernel).
>
> So given that, the version was bumped to -p4 in
> https://cgit.freebsd.org/src/commit/?id=3Dd20ece445acfc5d29ca096b38e30e=
4c0cb0b0d95
> on 2023-10-03.
>
> After that, there were no changes to the kernel on releng/13.2 (so its
> version stayed at -p4 when using freebsd-update), *until* commit
> https://cgit.freebsd.org/src/commit/?id=3D45e256e24c976a55dc856907a5756=
4cbc30cfb60
> on 2023-12-05, fixing this very issue.
>
> I rest my case, there's no way a kernel with version 13.2-RELEASE-p4
> could ever include that fix. Therefore, please correct this, so people
> looking at periodic are properly warned.

vuxml cannot accurately encode the different expectations of =

freebsd-update and kernels built from source.

The issue described by FreeBSD-SA-23:17.pf only affects the pf kernel =

module, not the rest of the kernel.  Consequently, freebsd-update only =

rebuilt pf.ko.  kernel was not rebuilt.

There is no 100% correct way to document this category of =

vulnerabilities in vuxml.  There are three options:

- <package>FreeBSD</package> with the version reported by =

freebsd-version: this incorrectly presents the vulnerability as =

affecting userland.

- <package>FreeBSD-kernel</package> with the version reported by =

freebsd-version: this is how I originally documented the vulnerability.  =

Since the kernel was not rebuilt (only pf.ko), systems comparing the =

output of uname -k to the versions in the vuxml document cannot see that =

the system was upgraded.

- <package>FreeBSD-kernel</package> with the version reported by uname =

-k: this is how it is currently documented.  Users who have not upgraded =

anything will not realise they are affected, because uname -k has been =

at -p4 since October.  (As you correctly point out.)

Fundamentally, we cannot completely accurately document vulnerabilities =

that affect individual kernel modules in vuxml.  Perhaps "pkg audit" =

could be extended to look at more things than only "freebsd-version" and =

"uname -k", but there would still be edge cases.

The security-officer team is trying to come up with a way to forcibly =

rebuild the kernel for this category of vulnerabilities.  This is not a =

great solution either though.  It requires users to reboot the system =

whereas (in theory, in many/most cases), unloading and reloading the =

kernel module would address the vulnerability.

The good news is that pkgbase will solve this problem to some extent.  =

Kernel modules are distributed in the FreeBSD-kernel package.  While =

"pkg audit" won't be able to determine if the correct module is loaded, =

at least it will be able to see that the correct package has been =

installed.

Philip

-- =

Philip Paeps
Senior Reality Engineer
Alternative Enterprises