Date: Mon, 02 Dec 2024 11:29:22 -0500
From: "Dan Langille"
To: "Jos Chrispijn", "FreeBSD Mailing List", "Philip Paeps"
Subject: Re: FreeBSD-kernel-13.4_1 is vulnerable
Message-Id: <798fddc5-c2e9-4c2a-a64d-3627a9bc36f7@app.fastmail.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

In this reply, I have cc'd philip@ - we have discussed this issue over the years.

On Fri, Nov 29, 2024, at 4:05 AM, Jos Chrispijn wrote:
> Not sure if I oversee an update, but still get this message
>
> Checking for security vulnerabilities in base (userland & kernel):
> Database fetched: 2024-11-27T23:30+01:00
> FreeBSD-kernel-13.4_1 is vulnerable:
>   FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
>   CVE: CVE-2024-39281
>   WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> Understand that for FreeBSD 14 this issue has been solved.
> Can you tell me when a fix will be released for 13.4?

I have the same issue with FreeBSD 14.1-RELEASE-p5 - the problem is not (in this case) an unpatched system. It is a false positive. The vuxml database seems to relate only to kernel vulns, and is not aware that sometimes a vuln affects userland. In this case, the userland is vuln (and patched) - pkg-base-audit is unaware of that.

To me, it is important to fix the problem because false positives develop into alert fatigue and cause unnecessary work.

[16:16 r730-01 dvl ~] % sudo /usr/local/etc/periodic/security/405.pkg-base-audit

Checking for security vulnerabilities in base (userland & kernel):
Host system:
vulnxml file up-to-date
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

[16:17 r730-01 dvl ~] % pkg which /usr/local/etc/periodic/security/405.pkg-base-audit
/usr/local/etc/periodic/security/405.pkg-base-audit was installed by package pkg-1.21.3

The problem is the kernel version and user version differ:

[16:17 r730-01 dvl ~] % freebsd-version -u
14.1-RELEASE-p6
[16:17 r730-01 dvl ~] %

I believe the problem is with the 405.pkg-base-audit which is looking only at the kernel version:

[16:18 r730-01 dvl ~] % freebsd-version -k
14.1-RELEASE-p5

... not knowing that the vuln is in the userland, not the kernel.

My wild idea here:

* indicate with each vuln: userland or kernel?
* when checking for a vuln, consult the above new flag and check the appropriate value

Philip: is my idea wildly off base?

--
  Dan Langille
  dan@langille.org
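
The check proposed in the message above, as an added example (not part of the original e-mail and not pkg's own code): each advisory record carries a component flag, and the comparison uses the kernel or the userland version accordingly. The record format, the function names and the patched level 6 are assumptions made for illustration; the two version strings are the ones shown in the message.

```shell
#!/bin/sh
# Added example (hypothetical, not pkg's code): choose which base version to
# compare according to a per-advisory component flag.

# "14.1-RELEASE-p6" -> 6, "14.1-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# "14.1-RELEASE-p6" -> 14.1
release_of() { echo "${1%%-*}"; }

# Nth '|'-separated field of a record.
field() { printf '%s\n' "$1" | cut -d'|' -f"$2"; }

# Status 0 if VERSION is on RELEASE and below patch level FIXED.
below_fix() {   # below_fix VERSION RELEASE FIXED
    [ "$(release_of "$1")" = "$2" ] && [ "$(patch_level "$1")" -lt "$3" ]
}

# Behaviour described in the message: only the kernel version is consulted.
kernel_only_check() {   # kernel_only_check RECORD KERNEL_VER
    below_fix "$2" "$(field "$1" 3)" "$(field "$1" 4)"
}

# Proposed behaviour: the component flag selects the version to compare.
component_check() {     # component_check RECORD KERNEL_VER USERLAND_VER
    case "$(field "$1" 2)" in
        kernel)   below_fix "$2" "$(field "$1" 3)" "$(field "$1" 4)" ;;
        userland) below_fix "$3" "$(field "$1" 3)" "$(field "$1" 4)" ;;
        *)        return 2 ;;   # unknown flag: surface it, do not guess
    esac
}

# Constructed record: CVE|component|release|first patched level (assumed).
RECORD='CVE-2024-39281|userland|14.1|6'
# On FreeBSD these come from `freebsd-version -k` and `freebsd-version -u`.
KVER='14.1-RELEASE-p5'
UVER='14.1-RELEASE-p6'

kernel_only_check "$RECORD" "$KVER" && echo "kernel-only: vulnerable"
component_check "$RECORD" "$KVER" "$UVER" || echo "component-aware: not vulnerable"
```

With the versions from the message, the kernel-only comparison reports the host as vulnerable while the component-aware comparison does not, which is the false positive described.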