[Bug 281443] [Security] some unpatched code is in your repo
Date: Wed, 11 Sep 2024 15:19:46 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281443

Bug ID: 281443
Summary: [Security] some unpatched code is in your repo
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: crispy.james.watt@gmail.com

Hi,

Our tool has found that this repo still contains some unfixed CVEs. Some of them are as follows:

1. The `netclear` and `nextitem` functions in the file `crypto/heimdal/appl/telnet/telnetd/utility.c` share similarity with CVE-2020-10188; the fix is https://github.com/freebsd/freebsd-src/commit/5760cb266e0ab04c221c2acdb4b6c4c141130ecd
2. The `ppp_hdlc` function in the file `contrib/tcpdump/print-ppp.c` shares similarity with CVE-2020-8037; the fix is https://github.com/the-tcpdump-group/tcpdump/commit/32027e199368dad9508965aae8cd8de5b6ab5231
3. `pass` in the file `libexec/ftpd/ftpd.c` shares similarity with CVE-2020-7468; the fix is https://github.com/freebsd/freebsd-src/commit/2ac431003bde2219848a31064a02ceecc834fead
4. The `freebsd32_copyin_control` function in the file `sys/compat/freebsd32/freebsd32_misc.c` shares similarity with CVE-2020-7460; the fix is https://github.com/freebsd/freebsd-src/commit/1b1428dcc82b54b7a2c332680d2f66945bf9899b
5. The `BF_crypt` function in the file `contrib/apr-util/crypto/crypt_blowfish.c` shares similarity with CVE-2020-1916; the fix is https://github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4

**We have preliminarily verified the correctness of the above list through static analysis. Could you help check whether this bug is true? If it is true, please try to fix it, or I would like to open a PR for that if necessary. Thank you for your effort and patience!**

--
You are receiving this mail because:
You are the assignee for the bug.
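The report above asks the maintainers to confirm whether each referenced fix is really absent. The first check a triager makes for a claim of this kind is whether the named fix commit is already an ancestor of the tree being examined, or whether it is an upstream commit that was never imported (items 2 and 5 point at tcpdump and HHVM commits, which would not exist in the FreeBSD tree under those hashes even when the corresponding change was merged). The script below is an added example, not part of the bug report or of the FreeBSD source tree; it assumes a POSIX shell with `git` on the path, and the repository and commits it checks are constructed on the fly rather than taken from FreeBSD.

```shell
#!/bin/sh
# Added example (not from the bug report): verify whether a referenced fix
# commit is contained in a repository's checked-out history.

# Identity and defaults so commits work in a throwaway sandbox (constructed).
GIT="git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"

# fix_is_applied <repo-dir> <commit>
#   exit 0: commit is an ancestor of HEAD (fix present)
#   exit 1: commit exists in the repo but is not merged into HEAD
#   exit 2: commit is unknown to the repo (for example an upstream hash that
#           was never imported, as with vendor code under contrib/)
fix_is_applied() {
    repo="$1"; commit="$2"
    git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null || return 2
    git -C "$repo" merge-base --is-ancestor "$commit" HEAD
}

# Build a throwaway repository (constructed data): commits A and B on the
# main line, and commit C on a side branch "fix" that HEAD does not contain.
make_demo_repo() {
    dir=$(mktemp -d)
    $GIT -C "$dir" init -q
    echo one > "$dir/f";   $GIT -C "$dir" add f; $GIT -C "$dir" commit -q -m A
    echo two > "$dir/f";   $GIT -C "$dir" add f; $GIT -C "$dir" commit -q -m B
    $GIT -C "$dir" checkout -q -b fix
    echo three > "$dir/f"; $GIT -C "$dir" add f; $GIT -C "$dir" commit -q -m C
    $GIT -C "$dir" checkout -q -    # back to the main line; HEAD is B again
    echo "$dir"
}

# Run the check for a merged commit (B), an unmerged one (C) and an unknown
# hash, printing one word per case. Returns the three outcomes on stdout.
demo_check() {
    dir=$(make_demo_repo)
    merged=$(git -C "$dir" rev-parse HEAD)
    unmerged=$(git -C "$dir" rev-parse fix)
    for h in "$merged" "$unmerged" 0000000000000000000000000000000000000000; do
        fix_is_applied "$dir" "$h" && rc=0 || rc=$?
        case $rc in
            0) echo present ;;
            1) echo not-merged ;;
            *) echo unknown ;;
        esac
    done
    rm -rf "$dir"
}

# Stand-alone run; skipped silently when git is not installed.
command -v git >/dev/null 2>&1 && demo_check
```

Against a real checkout the call is simply `fix_is_applied /path/to/freebsd-src <hash>` for each commit URL in the report; an exit status of 2 for the tcpdump or HHVM hashes only says the upstream commit was not imported verbatim, so those items still need the changed hunks compared by hand against the vendored file.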