From nobody Thu Nov 14 10:15:44 2024
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Xpwyn00xNz5cRx1
	for <bugs@mlmmj.nyi.freebsd.org>; Thu, 14 Nov 2024 10:15:44 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Xpwym562cz41kj
	for <bugs@FreeBSD.org>; Thu, 14 Nov 2024 10:15:44 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1731579344;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=LCt0OEv4Dn1golplZvMiWd10DfbJut2XcTM+LI9Tz5k=;
	b=HpBNFB3JX8ar2rkMlprigtASdHD9bMEIB9ZABF/peuMsxliVyKLAQoOJmGuiIUfrkZ+gAn
	sxIuiH0thdrt8i7Db5x+n/KyCyqtq8/SfHlqttnBD4AGQCaurT0LyVWz5GSpvzK+XlmPRN
	NY7BHe/2bp2pxdnFFudNwOj4tUraMkc4n5AMwDFkBNsNZJMHOAu1p95eIlHWFO+JMNQCNE
	pNw0ctUlDE3KqaIQ2c6HpvxXdYMOk+2Ic/NFOn/f5HlhOF2TSOUcYwOfd4BINAFsgjdhAr
	z16XjjJaFcEQ8NtQ8LnXPhodzKVpXJ8mNEJwa2a0Uq5CkArbdygLGkbUIi0CYA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1731579344; a=rsa-sha256; cv=none;
	b=gbjmtMTuYeWu7tYolf2GFcs4yGKSyDGOmjYg7OcU4a+nW5uITFgl+u3lNZ+rGrHpSk7rFt
	CktQRg+rf88lmNrO9W0AmWjeSaGAWJvngoGpsaf1Sv+EeCMfL4BvMiL2S3z3l6BgfFr8dZ
	LNd1vnK4Gyn/wN7Smhls+AqC8O7OadfWQVux83zSCJr3bNRsV8glnAonHPAKxfLvTCF8OD
	I5puY9RgAzoquvqr+9XZXa18tjRcVvoDKelOiOeB7exrsUd7TzOOPTkGO56JJmWUTA8lmH
	MN5Up/eN5+SDciCIQZNZkJ7+hhxL6BoJGQ5elLZFBGnR745QXiGlQ1MPptYk3w==
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Xpwym4YTyzb4V
	for <bugs@FreeBSD.org>; Thu, 14 Nov 2024 10:15:44 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 4AEAFiJR083838
	for <bugs@FreeBSD.org>; Thu, 14 Nov 2024 10:15:44 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 4AEAFiYF083837
	for bugs@FreeBSD.org; Thu, 14 Nov 2024 10:15:44 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 282755] `pkg audit` reports kernel vulnerability that was
 'fixed' in a userland update?
Date: Thu, 14 Nov 2024 10:15:44 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 14.1-STABLE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: marco+freebsd@glitchbox.nl
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-282755-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
List-Help: <mailto:freebsd-bugs+help@freebsd.org>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Subscribe: <mailto:freebsd-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-bugs@FreeBSD.org
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D282755

            Bug ID: 282755
           Summary: `pkg audit` reports kernel vulnerability that was
                    'fixed' in a userland update?
           Product: Base System
           Version: 14.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: marco+freebsd@glitchbox.nl

Through the periodic system a daily security check runs, which creates a re=
port
if there are any issues with the installed kernel and userland versions.

Yesterday I upgraded my system with 'freebsd-update fetch install', to 'Fre=
eBSD
14.1-RELEASE-p6'

Output of=20
'freebsd-version -k': 14.1-RELEASE-p5
'freebsd-version -u': 14.1-RELEASE-p6


Last night the security check ran and reported this vulnerability:
> FreeBSD-kernel-14.1_5 is vulnerable:
>   FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
>   CVE: CVE-2024-39281
>   WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1=
f29c.html
>=20
> 1 problem(s) in 1 installed package(s) found.

The `ctl` kernel driver was updated yesterday, but it seems to be part of t=
he
'userland' updates?
I saw no kernel patch, neither was the kernel version changed, it is still =
at
'p5'.

I looked at `405.pkg-base-audit`, which runs `pkg audit`.
It does these 2 actions, first the kernel check:
```
~# freebsd-version -k | sed
's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-kernel-14.1_5

~# pkg audit -F FreeBSD-kernel-14.1_5
Fetching vuln.xml.xz: 100%    1 MiB   1.1MB/s    00:01
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW:
https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

1 problem(s) in 1 installed package(s) found.
```

And the userland check:
```
~# freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
FreeBSD-14.1_6

~# pkg audit -F FreeBSD-14.1_6
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
```

I looked at both vulnerability reports:
https://vuxml.freebsd.org/freebsd/eb5c615d-a173-11ef-9a62-002590c1f29c.html
(userland)
https://vuxml.freebsd.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
(kernel)

Both state a version of <=3D 14.1_6

Which is the cause for the vulnerability report on the kernel.
The issue is fixed through a userland update? but since it is a kernel driv=
er
the vulnerability report falls within the realm of the kernel?

I'm not sure what the fix should be. I guess its a pickle since the kernel
strictly seen wasn't patched so that it doesn't warrant a p6 version.

--=20
You are receiving this mail because:
You are the assignee for the bug.=