[Bug 282755] `pkg audit` reports kernel vulnerability that was 'fixed' in a userland update?
Date: Thu, 14 Nov 2024 10:15:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282755

Bug ID: 282755
Summary: `pkg audit` reports kernel vulnerability that was 'fixed' in a userland update?
Product: Base System
Version: 14.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: marco+freebsd@glitchbox.nl

Through the periodic system a daily security check runs, which creates a report if there are any issues with the installed kernel and userland versions.

Yesterday I upgraded my system with 'freebsd-update fetch install', to 'FreeBSD 14.1-RELEASE-p6'.

Output of 'freebsd-version -k': 14.1-RELEASE-p5
'freebsd-version -u': 14.1-RELEASE-p6

Last night the security check ran and reported this vulnerability:

> FreeBSD-kernel-14.1_5 is vulnerable:
> FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
> CVE: CVE-2024-39281
> WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> 1 problem(s) in 1 installed package(s) found.

The `ctl` kernel driver was updated yesterday, but it seems to be part of the 'userland' updates? I saw no kernel patch, neither was the kernel version changed; it is still at 'p5'.

I looked at `405.pkg-base-audit`, which runs `pkg audit`. It does these 2 actions, first the kernel check:

```
~# freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-kernel-14.1_5
~# pkg audit -F FreeBSD-kernel-14.1_5
Fetching vuln.xml.xz: 100%    1 MiB   1.1MB/s    00:01
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

1 problem(s) in 1 installed package(s) found.
```

And the userland check:

```
~# freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-14.1_6
~# pkg audit -F FreeBSD-14.1_6
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
```

I looked at both vulnerability reports:

https://vuxml.freebsd.org/freebsd/eb5c615d-a173-11ef-9a62-002590c1f29c.html (userland)
https://vuxml.freebsd.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html (kernel)

Both state a version of <= 14.1_6, which is the cause for the vulnerability report on the kernel.

The issue is fixed through a userland update? But since it is a kernel driver, the vulnerability report falls within the realm of the kernel?

I'm not sure what the fix should be. I guess it's a pickle, since the kernel, strictly seen, wasn't patched, so that it doesn't warrant a p6 version.

-- 
You are receiving this mail because:
You are the assignee for the bug.
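The report above shows the two steps `405.pkg-base-audit` performs: turn the `freebsd-version` output into a base-package name with `sed`, then hand that name to `pkg audit -F`, which matches it against the version ranges in the VuXML entries. The script below is an added example for readers who want to see that mapping and the range match side by side; it is not code from the bug report, from periodic or from pkg. The `sed` expression is the one quoted in the report. The version comparison is a deliberately simplified one that only understands the `major.minor[_patch]` shapes seen on this page (pkg uses its own, more general version-comparison code), and the range operator names `lt`, `le`, `gt`, `ge`, `eq` follow the VuXML range element names. The demo at the bottom checks both names from the report against a strict `lt 14.1_6` bound, which reproduces the two `pkg audit -F` outcomes quoted above (kernel flagged, userland clean); `le` can be substituted to try the reporter's `<= 14.1_6` reading.

```shell
#!/bin/sh
# Added example, not taken from the bug report, periodic or pkg.
# Reproduces the freebsd-version -> base-package-name mapping that
# 405.pkg-base-audit performs and a simplified VuXML-style range check.

# Map a freebsd-version string to the name pkg audit -F expects.
#   $1: prefix, "FreeBSD" (userland) or "FreeBSD-kernel"
#   $2: version string, e.g. 14.1-RELEASE-p5 -> FreeBSD-kernel-14.1_5
# The sed expression is the one quoted in the report.
base_pkg_name() {
    printf '%s\n' "$2" | sed 's,^,'"$1"'-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
}

# Print "major minor patch" for a version or a base-package name.
# A version without _N (a release with no patch level) gets patch 0.
split_version() {
    _v=${1##*-}                 # drop a FreeBSD-/FreeBSD-kernel- prefix, if any
    _rel=${_v%%_*}
    _patch=${_v#*_}
    [ "$_patch" = "$_v" ] && _patch=0
    printf '%s %s %s\n' "${_rel%%.*}" "${_rel#*.}" "$_patch"
}

# Three-way compare of two versions; prints lt, eq or gt.
# Simplified: handles only major.minor[_patch], unlike pkg's own comparison.
version_cmp() {
    set -- $(split_version "$1") $(split_version "$2")
    if   [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ] && echo lt || echo gt
    elif [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ] && echo lt || echo gt
    elif [ "$3" -ne "$6" ]; then [ "$3" -lt "$6" ] && echo lt || echo gt
    else echo eq
    fi
}

# Does installed version/name $1 satisfy the VuXML range "<$2>$3</$2>"?
#   $2: one of lt, le, gt, ge, eq (VuXML range element names)
in_range() {
    _c=$(version_cmp "$1" "$3")
    case "$2:$_c" in
        lt:lt|le:lt|le:eq|gt:gt|ge:gt|ge:eq|eq:eq) return 0 ;;
        lt:*|le:*|gt:*|ge:*|eq:*)                 return 1 ;;
        *)                                        return 2 ;;   # unknown operator
    esac
}

# Demo with the two versions quoted in the report (constructed here from the
# report text, not read from a live system).
for spec in 'FreeBSD-kernel 14.1-RELEASE-p5' 'FreeBSD 14.1-RELEASE-p6'; do
    name=$(base_pkg_name "${spec%% *}" "${spec#* }")
    if in_range "$name" lt 14.1_6; then
        printf '%s: inside "lt 14.1_6" (would be reported)\n' "$name"
    else
        printf '%s: outside "lt 14.1_6" (clean)\n' "$name"
    fi
done
```

Running it prints `FreeBSD-kernel-14.1_5` as inside the range and `FreeBSD-14.1_6` as outside, the same split the reporter observed: the audit does not know that the affected code lives in the kernel, it only compares the name it is given against the range in the entry, so a kernel entry whose fix shipped in a patch level the kernel did not receive keeps matching the installed kernel name.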