[Bug 282755] `pkg audit` reports kernel vulnerability that was 'fixed' in a userland update?

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 14 Nov 2024 10:15:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282755

            Bug ID: 282755
           Summary: `pkg audit` reports kernel vulnerability that was
                    'fixed' in a userland update?
           Product: Base System
           Version: 14.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: marco+freebsd@glitchbox.nl

Through the periodic system a daily security check runs, which creates a report
if there are any issues with the installed kernel and userland versions.

Yesterday I upgraded my system with 'freebsd-update fetch install' to 'FreeBSD
14.1-RELEASE-p6'.

Output of 
'freebsd-version -k': 14.1-RELEASE-p5
'freebsd-version -u': 14.1-RELEASE-p6


Last night the security check ran and reported this vulnerability:
> FreeBSD-kernel-14.1_5 is vulnerable:
>   FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
>   CVE: CVE-2024-39281
>   WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
> 
> 1 problem(s) in 1 installed package(s) found.

The `ctl` kernel driver was updated yesterday, but it seems to be part of the
'userland' updates?
I saw no kernel patch, nor was the kernel version changed; it is still at
'p5'.

I looked at `405.pkg-base-audit`, which runs `pkg audit`.
It does these two actions; first the kernel check:
```
~# freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-kernel-14.1_5

~# pkg audit -F FreeBSD-kernel-14.1_5
Fetching vuln.xml.xz: 100%    1 MiB   1.1MB/s    00:01
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

1 problem(s) in 1 installed package(s) found.
```

And the userland check:
```
~# freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-14.1_6

~# pkg audit -F FreeBSD-14.1_6
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
```

I looked at both vulnerability reports:
https://vuxml.freebsd.org/freebsd/eb5c615d-a173-11ef-9a62-002590c1f29c.html
(userland)
https://vuxml.freebsd.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
(kernel)

Both state a version of <= 14.1_6, which is the cause of the vulnerability
report on the kernel.
The issue is fixed through a userland update? But since it is a kernel driver,
the vulnerability report falls within the realm of the kernel?

I'm not sure what the fix should be. I guess it's a pickle since, strictly
speaking, the kernel wasn't patched, so it doesn't warrant a p6 version.

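The package-name mapping the report quotes from `405.pkg-base-audit`, plus a check for the kernel-behind-userland condition the reporter observed, as an added shell example. It is not part of the bug report, of the periodic script, or of pkg(8); the function names and the sample version strings are constructed here, and like the original sed expression it only understands `-RELEASE` style strings.

```shell
#!/bin/sh
# Added example (not the periodic script itself). Reproduces the sed mapping
# 405.pkg-base-audit applies to freebsd-version(1) output and flags a kernel
# whose patch level lags the installed userland. All inputs are constructed
# strings, so the script runs offline on any POSIX sh.

# Map a freebsd-version string to the base-package name pkg audit expects.
#   kernel   14.1-RELEASE-p5 -> FreeBSD-kernel-14.1_5
#   userland 14.1-RELEASE-p6 -> FreeBSD-14.1_6
#   kernel   14.1-RELEASE    -> FreeBSD-kernel-14.1
base_pkg_name() {
    kind=$1
    ver=$2
    case $kind in
        kernel)   prefix='FreeBSD-kernel-' ;;
        userland) prefix='FreeBSD-' ;;
        *) echo "unknown kind: $kind" >&2; return 1 ;;
    esac
    # Same three substitutions the periodic script uses, comma-delimited.
    printf '%s\n' "$ver" | sed -e "s,^,${prefix}," -e 's,-RELEASE-p,_,' -e 's,-RELEASE$,,'
}

# Extract the numeric patch level from a -RELEASE string; 0 when no -pN suffix.
patch_level() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^.*-RELEASE-p\([0-9][0-9]*\)$/\1/p' \
        -e 's/^[0-9.]*-RELEASE$/0/p'
}

# Compare kernel and userland patch levels. Prints a one-line status and
# returns 1 when the running kernel is behind userland (the situation in the
# report: -k says p5 while -u says p6), 0 otherwise.
kernel_lags_userland() {
    kver=$1
    uver=$2
    kp=$(patch_level "$kver")
    up=$(patch_level "$uver")
    if [ "$kp" -lt "$up" ]; then
        echo "kernel $(base_pkg_name kernel "$kver") is behind userland $(base_pkg_name userland "$uver")"
        return 1
    fi
    echo "kernel $(base_pkg_name kernel "$kver") is at or ahead of userland $(base_pkg_name userland "$uver")"
    return 0
}

# On a real FreeBSD host this runs the same audit the periodic script does;
# elsewhere it only reports which package name would have been audited.
audit_base_pkg() {
    name=$(base_pkg_name "$1" "$2") || return 1
    if command -v pkg >/dev/null 2>&1; then
        pkg audit -F "$name"
    else
        echo "pkg(8) not found; would run: pkg audit -F $name"
    fi
}

# Constructed sample values matching the report (no freebsd-version call).
sample_kernel='14.1-RELEASE-p5'
sample_userland='14.1-RELEASE-p6'

kernel_lags_userland "$sample_kernel" "$sample_userland" || :
audit_base_pkg kernel "$sample_kernel"
audit_base_pkg userland "$sample_userland"
```

On the reporter's host, `kernel_lags_userland` would print that `FreeBSD-kernel-14.1_5` is behind `FreeBSD-14.1_6`; that mismatch, not a missing kernel fix, is what makes `pkg audit -F FreeBSD-kernel-14.1_5` match a VuXML entry whose range is `<= 14.1_6`.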