Re: FreeBSD-kernel-13.4_1 is vulnerable

From: Dan Langille <dan_at_langille.org>
Date: Mon, 02 Dec 2024 16:29:22 UTC
In this reply, I have cc'd philip@ - we have discussed this issue over the years.

On Fri, Nov 29, 2024, at 4:05 AM, Jos Chrispijn wrote:
> Not sure if I oversee an update, but still get this message
> 
> Checking for security vulnerabilities in base (userland & kernel):
> Database fetched: 2024-11-27T23:30+01:00
> FreeBSD-kernel-13.4_1 is vulnerable:
>   FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
>   CVE: CVE-2024-39281
>   WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
> 
> Understand that for FreeBSD 14 this issue has been solved.
> Can you tell me when a fix will be released for 13.4?

I have the same issue with FreeBSD 14.1-RELEASE-p5 - the problem is not (in this case) an unpatched system. It is a false positive. The vuxml database seems to relate only to kernel vulns, and is not aware that sometimes a vuln affects userland.  In this case, the userland is vuln (and patched) - pkg-base-audit is unaware of that.

To me, it is important to fix the problem because false positives develop into alert fatigue and cause unnecessary work.

[16:16 r730-01 dvl ~] % sudo /usr/local/etc/periodic/security/405.pkg-base-audit

Checking for security vulnerabilities in base (userland & kernel):
Host system:
vulnxml file up-to-date
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

[16:17 r730-01 dvl ~] % pkg which /usr/local/etc/periodic/security/405.pkg-base-audit
/usr/local/etc/periodic/security/405.pkg-base-audit was installed by package pkg-1.21.3

The problem is the kernel version and user version differ:

[16:17 r730-01 dvl ~] % freebsd-version -u
14.1-RELEASE-p6
[16:17 r730-01 dvl ~] % 

I believe the problem is with 405.pkg-base-audit, which is looking only at the kernel version:

[16:18 r730-01 dvl ~] % freebsd-version -k
14.1-RELEASE-p5

... not knowing that the vuln is in the userland, not the kernel.

My wild idea here:

* indicate with each vuln: userland or kernel?
* when checking for a vuln, consult the above new flag and check the appropriate value

Philip: is my idea wildly off base?
--
  Dan Langille
  dan@langille.org
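The two-step idea in the message above (tag each vuln as kernel or userland, then compare against the matching `freebsd-version` output) sketched as a POSIX sh example. This is an added illustration, not code from pkg-base-audit, pkg or the vuxml database: the per-entry flag values `kernel` and `userland` are hypothetical, the host versions are constructed from the values quoted in the thread, and the patch level that carries the userland fix is an assumption, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of pkg-base-audit or the vuxml database.
# It shows how a per-vuln "kernel"/"userland" flag would pick which
# freebsd-version value to compare, so a host whose userland is patched
# but whose kernel lags one patch level is not reported as vulnerable.

# Patch level N from a string like "14.1-RELEASE-p5"; a bare "14.1-RELEASE" is 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Strip the -pN suffix so two versions can be checked for the same base release.
base_release() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# Choose the installed version that matters for this vuln.
# $1 = component flag (hypothetical: "kernel" or "userland")
# $2 = output of `freebsd-version -k`, $3 = output of `freebsd-version -u`
relevant_version() {
    case "$1" in
        kernel)   printf '%s\n' "$2" ;;
        userland) printf '%s\n' "$3" ;;
        *) printf 'unknown component flag: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Exit 0 if the host is still vulnerable, 1 if patched, 2 if undecidable.
# $1 = component flag, $2 = version that carries the fix,
# $3 = installed kernel version, $4 = installed userland version.
is_vulnerable() {
    installed=$(relevant_version "$1" "$3" "$4") || return 2
    # A different base release needs more than a patch-level comparison.
    [ "$(base_release "$installed")" = "$(base_release "$2")" ] || return 2
    [ "$(patch_level "$installed")" -lt "$(patch_level "$2")" ]
}

# Constructed sample host, matching the values quoted in the thread.
kernel_ver="14.1-RELEASE-p5"     # what freebsd-version -k printed
userland_ver="14.1-RELEASE-p6"   # what freebsd-version -u printed
fixed_in="14.1-RELEASE-p6"       # ASSUMED patch level of the userland fix

if is_vulnerable userland "$fixed_in" "$kernel_ver" "$userland_ver"; then
    echo "vulnerable"
else
    echo "patched: userland is at or past the fix, kernel version is irrelevant"
fi
```

Run with `sh` on any system; nothing here calls `freebsd-version` itself, so the same logic could be dropped into a periodic script where the two variables are filled from `freebsd-version -k` and `freebsd-version -u`. A flag value the script does not recognise, or a host on a different base release, returns status 2 rather than silently reporting "patched", which is the safer failure mode for an audit check.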