Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
- In reply to: Philip Paeps : "Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range"
Date: Tue, 12 Dec 2023 10:23:56 UTC
* Philip Paeps <philip@freebsd.org> [20231212 17:57]:
> On 2023-12-12 17:45:14 (+0800), Felix Palmen wrote:
> > * Philip Paeps <philip@freebsd.org> [20231212 17:34]:
> > > The issue described by FreeBSD-SA-23:17.pf only affects the pf kernel
> > > module, not the rest of the kernel. Consequently, freebsd-update only
> > > rebuilt pf.ko. kernel was not rebuilt.
> >
> > Thanks! That was the missing piece of information (for me) all the time!
>
> It's a very subtle distinction. And we could try to be a bit clearer about
> what exactly freebsd-update updates under different circumstances. In
> practice, this category of vulnerabilities doesn't come up very often. And
> when it does, it usually affects device drivers and not kernel modules that
> a substantial fraction of our users can reasonably be expected to be using.

Indeed, I see that's a corner case, and maybe documentation could be
improved. I guess I'm not the only one who didn't know about that. Even the
common scenario of updates only touching userland is still kind of a FAQ on
the forums, although this one is widely known (and IMHO documented well
enough).

> > > - <package>FreeBSD-kernel</package> with the version reported by
> > > uname -k: this is how it is currently documented. Users who have not
> > > upgraded anything will not realise they are affected, because uname -k
> > > has been at -p4 since October. (As you correctly point out.)
> >
> > And yes, this is pointless, and I still think somehow dangerous when
> > people expect to be warned by periodic.
>
> Yeah ... I follow your reasoning. I will sleep on this.

I now have to agree there's just no *correct* way right now. So in a
nutshell, the effect is that the vulnerability belongs to the kernel, but
it's impossible to tell from the kernel version whether the patch is
properly applied :(

> Sorry for not replying earlier. I wasn't trying to quietly wait for the
> problem to be overcome by events. I started typing my reply earlier and ...
> then ... got ... distracted. :-)

No problem at all, I know very well these things happen :) I just had to ask
again, because I knew that *either* this commit here was plain out wrong *or*
I was missing some crucial piece of information to understand it. Actually
glad it was the latter and there are things going on to improve on this,
thanks again!

Cheers, Felix

--
Felix Palmen <zirias@FreeBSD.org> {private} felix@palmen-it.de
-- ports committer --
{web} http://palmen-it.de {pgp public key} http://palmen-it.de/pub.txt
{pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231