pkg audit systemwide vs pkg audit packagewise
Christoph Pilka
2016-05-03 08:27:36 UTC
Hi,

I have a sort of weird behaviour when it comes to pkg audits. Same system:

#~ pkg audit -F

tells me:

Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
0 problem(s) in the installed packages found.

but running pkg audit for a specific package, e.g. bash:

#~ pkg audit -F bash

tells me:

Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
bash is vulnerable:
Affected versions:
< 4.3.25_2
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
< 4.3.27_1
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
4.3 : < 4.3.25_1
4.2 : <= 4.2.48
4.1 : <= 4.1.12
4.0 : <= 4.0.39
3.2 : <= 3.2.52
3.1 : <= 3.1.18
3.0 : <= 3.0.17
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.

That's confusing, especially because none of the version numbers in the CVEs listed above actually matches the version of bash that is installed on the system:

#~ pkg info bash | grep ^Version

Version : 4.3.42_1

Am I doing something wrong or is it actually a bug?

Cheerio,
Chris
Ben Woods
2016-05-03 11:44:12 UTC
Post by Christoph Pilka
Hi,
#~ pkg audit -F
Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
0 problem(s) in the installed packages found.
#~ pkg audit -F bash
Fetching vuln.xml.bz2: 100% 595 KiB 609.6kB/s 00:01
< 4.3.25_2
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html
< 4.3.27_1
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
4.3 : < 4.3.25_1
4.2 : <= 4.2.48
4.1 : <= 4.1.12
4.0 : <= 4.0.39
3.2 : <= 3.2.52
3.1 : <= 3.1.18
3.0 : <= 3.0.17
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html
1 problem(s) in the installed packages found.
That's confusing, especially because none of the version numbers in the
CVEs listed above actually matches the version of bash that is
#~ pkg info bash | grep ^Version
Version : 4.3.42_1
Am I doing something wrong or is it actually a bug?
Cheerio,
Chris
Hi Chris,

Whilst this behaviour is not described in the pkg-audit(8) man page, it
appears that when "pkg audit" is run without a specific package name it
only shows vulnerabilities that affect the installed versions of packages,
whilst when run with a specific package it shows all vulnerabilities
whether the installed package versions are affected or not.

If you review the output of "pkg audit -F bash" you will notice that none
of the vulnerabilities affect your installed version of bash 4.3.42_1.

Regards,
Ben
--
From: Benjamin Woods
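To make Ben's point checkable by hand, here is an added example (not from the thread or from pkg(8) itself) that parses the "pkg audit -F bash" output quoted above and tests each "Affected versions" range against an installed version. The sample text is a constructed copy of the output Chris posted. The version comparison is a simplified model of FreeBSD's scheme (dotted numeric components, "_N" revision, ",N" epoch) and ignores the letter and "pl" suffixes real pkg(8) understands; it is also an assumption here that a "4.3 : < 4.3.25_1" line means an inclusive lower bound of 4.3 with an upper bound of 4.3.25_1, which is how VuXML ge/lt range pairs are rendered.

```python
"""Evaluate 'pkg audit -F <pkg>' ranges against an installed version (added example)."""
import re

# A range line as printed by pkg audit: optional "lower :" prefix, then an
# operator and a bound, e.g. "< 4.3.25_2" or "4.3 : < 4.3.25_1".
RANGE_RE = re.compile(r"^(?:(?P<lo>\S+)\s*:\s*)?(?P<op><=|<|>=|>|=)\s*(?P<hi>\S+)$")

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(v):
    """Turn 'version[_revision][,epoch]' into a comparable tuple.

    Simplified model (assumption): only numeric dotted components are
    supported; real pkg(8) also orders letters, 'pl' and '+' suffixes.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = tuple(int(p) for p in v.split("."))
    # epoch wins over version, version over port revision
    return (epoch, parts, revision)


def version_affected(installed, range_line):
    """True if the installed version falls inside one printed range line."""
    m = RANGE_RE.match(range_line.strip())
    if not m:
        raise ValueError(f"unrecognised range line: {range_line!r}")
    v = parse_version(installed)
    # "4.3 : < 4.3.25_1" -> the range only starts at 4.3 (assumed inclusive)
    if m.group("lo") and v < parse_version(m.group("lo")):
        return False
    return OPS[m.group("op")](v, parse_version(m.group("hi")))


def parse_audit_output(text):
    """Split pkg audit output into entries of ranges, title, CVEs and WWW."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("is vulnerable:"):
            cur = {"ranges": [], "title": None, "cves": [], "www": None}
            entries.append(cur)
        elif cur is None or line in ("", "Affected versions:"):
            continue
        elif RANGE_RE.match(line):
            if cur["title"] is not None:
                # ranges after a finished entry: a new entry whose header
                # line was dropped (as in the pasted output above)
                cur = {"ranges": [], "title": None, "cves": [], "www": None}
                entries.append(cur)
            cur["ranges"].append(line)
        elif line.startswith("CVE:"):
            cur["cves"].append(line.split(":", 1)[1].strip())
        elif line.startswith("WWW:"):
            cur["www"] = line.split(":", 1)[1].strip()
        elif cur["title"] is None:
            cur["title"] = line  # the "bash -- ..." description line
    return entries


def affecting_entries(audit_text, installed):
    """Entries whose ranges include the installed version (what 'pkg audit'
    without a package name would report)."""
    return [e for e in parse_audit_output(audit_text)
            if any(version_affected(installed, r) for r in e["ranges"])]


# Constructed sample: the 'pkg audit -F bash' output quoted in the thread.
SAMPLE = """\
Fetching vuln.xml.bz2: 100%  595 KiB 609.6kB/s    00:01
bash is vulnerable:
Affected versions:
< 4.3.25_2
bash -- remote code execution
CVE: CVE-2014-6278
CVE: CVE-2014-6277
WWW: https://vuxml.FreeBSD.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

bash is vulnerable:
Affected versions:
< 4.3.27_1
bash -- out-of-bounds memory access in parser
CVE: CVE-2014-7187
CVE: CVE-2014-7186
WWW: https://vuxml.FreeBSD.org/freebsd/4a4e9f88-491c-11e4-ae2c-c80aa9043978.html
4.3 : < 4.3.25_1
4.2 : <= 4.2.48
4.1 : <= 4.1.12
4.0 : <= 4.0.39
3.2 : <= 3.2.52
3.1 : <= 3.1.18
3.0 : <= 3.0.17
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: https://vuxml.FreeBSD.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.
"""

if __name__ == "__main__":
    for installed in ("4.3.42_1", "4.3.24"):
        hits = affecting_entries(SAMPLE, installed)
        print(f"bash {installed}: {len(hits)} entry/entries actually affect it")
        for e in hits:
            print("  ", e["title"], e["cves"])
```

Running it shows that for bash 4.3.42_1 no entry matches, which is why the systemwide "pkg audit" reports nothing, while an older 4.3.24 would be caught by all three entries.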