portaudit

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Jul 25 21:10:55 UTC 2010


On 25/07/2010 19:06:30, ajtiM wrote:
> Hi!
>  portaudit -a shows:
> 
> Affected package: mDNSResponder-214
> Type of problem: mDNSResponder -- corrupted stack crash when parsing bad 
> resolv.conf.
> Reference: 
> <http://portaudit.FreeBSD.org/1cd87e2a-81e3-11df-81d8-00262d5ed8ee.html>
> 
> Affected package: opera-10.10.20091120_2
> Type of problem: opera -- Data URIs can be used to allow cross-site scripting.
> Reference: 
> <http://portaudit.FreeBSD.org/77b9f9bc-7fdf-11df-8a8d-0008743bf21a.html>
> 
> Affected package: linux-f10-pango-1.22.3_1
> Type of problem: pango -- integer overflow.
> Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>
> 
> 3 problem(s) in your installed packages found.
> 
> You are advised to update or deinstall the affected package(s) immediately.
> 
> Do I need to deinstall those ports or is it safe anyway?

No, it's not in any way "safe" to ignore what portaudit tells you.
However that does not mean that you necessarily have to delete the
referenced packages.

What you need to do is read the referenced VuXML data, look at the
reports referenced therein and decide if:

   a) The vulnerability affects you, given your usage patterns.  For
      instance, you might be running a server where all users also have
      root access, in which case, you don't need to worry about
      privilege escalation attacks from logged-in users.

   b) The vulnerability affects you, but you can mitigate or prevent
      any attack.  E.g. you can cause a vulnerable daemon to bind only
      to the loopback interface, or apply strict firewall rules to
      prevent attacks over the network.

   c) The software in question is mission critical, and removing it
      would have a worse effect on you than some possible exploit.

If the software fails all of the above, then yes, you should certainly
remove it.  Otherwise, you need to keep an eye out for any updates or
fixes and apply them ASAP.

In the particular case of linux-f10-pango -- this is a long-standing
vulnerability with no real prospect of a software patch becoming
available.  Unfortunately that port is a vital part of the linuxulator,
so a lot of people are keeping it installed under case (c).

mDNSResponder can be fixed by a very simple patch, and exploiting the bug
depends on being able to control the contents of /etc/resolv.conf, which
pretty much implies the attacker would already have root access to your
machine.  Keep an eye out for when the update hits the ports and apply
it as soon as possible.

The opera bug is more severe.  Your vulnerability to it depends on your
usage patterns with that browser.  It looks like the opera devs are on
the case, but in the meantime it might be an idea to switch to using an
alternate browser temporarily.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
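
Added example, not part of the original message: a Python parser that turns a `portaudit -a` report pasted from mail into one record per package, so each entry can be checked against its advisory and the (a)/(b)/(c) questions above. The function and field names are this example's own; the sample is constructed from the report quoted in the message, with mail quote marks and line wraps.

```python
import re

# Constructed sample: the report quoted in the message, with mail quote marks
# and the line wraps a mail client introduces inside fields.
SAMPLE = """\
> Affected package: mDNSResponder-214
> Type of problem: mDNSResponder -- corrupted stack crash when parsing bad
> resolv.conf.
> Reference:
> <http://portaudit.FreeBSD.org/1cd87e2a-81e3-11df-81d8-00262d5ed8ee.html>
>
> Affected package: opera-10.10.20091120_2
> Type of problem: opera -- Data URIs can be used to allow cross-site scripting.
> Reference:
> <http://portaudit.FreeBSD.org/77b9f9bc-7fdf-11df-8a8d-0008743bf21a.html>
>
> Affected package: linux-f10-pango-1.22.3_1
> Type of problem: pango -- integer overflow.
> Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-
> becb-001cc0377035.html>
>
> 3 problem(s) in your installed packages found.
"""

FIELDS = {"Affected package": "package", "Type of problem": "problem", "Reference": "reference"}

def parse_report(text):
    """Return (records, reported_count) from portaudit -a style output."""
    records, key, count = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()    # drop mail quote marks
        m = re.match(r"(\d+) problem\(s\)", line)      # trailing summary line
        label, sep, value = line.partition(":")
        if m:
            count, key = int(m.group(1)), None
        elif not line:
            key = None                                  # blank line ends a field
        elif sep and label in FIELDS:
            key = FIELDS[label]
            if key == "package" or not records:
                records.append({})                      # new entry starts here
            records[-1][key] = value.strip()
        elif key:                                       # wrapped continuation line
            joiner = "" if key == "reference" else " "  # URLs rejoin without a space
            records[-1][key] = (records[-1][key] + joiner + line).strip()
    for r in records:
        r["reference"] = r.get("reference", "").strip("<>")
        r["vuxml_id"] = re.sub(r"\.html$", "", r["reference"].rsplit("/", 1)[-1])
    return records, count
```

Comparing `len(records)` with the returned count catches entries lost to mangled wrapping before anyone relies on the list.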
