Date: Fri, 28 Mar 2014 15:26:24 +0900 (JST) From: Yasuhiro KIMURA <yasu@utahime.org> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/188022: [PATCH] security/vuxml: fix false positive about www/mod_php5 vulneravilities. Message-ID: <20140328062624.BDEA275942@eastasia.home.utahime.org> Resent-Message-ID: <201403280630.s2S6U0lK012594@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 188022 >Category: ports >Synopsis: [PATCH] security/vuxml: fix false positive about www/mod_php5 vulneravilities. >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Fri Mar 28 06:30:00 UTC 2014 >Closed-Date: >Last-Modified: >Originator: Yasuhiro KIMURA >Release: FreeBSD 10.0-RELEASE amd64 >Organization: >Environment: System: FreeBSD xxxx 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260673: Thu Jan 23 22:36:39 JST 2014 xxxx amd64 >Description: - New port www/mod_php5 is added but 'pkg audit' reports 8 vulneravilities as following. They seem false positive so fix range of corresponding entries in vuln.xml. - Add LICENSE. - Support staging. >How-To-Repeat: >Fix: --- pkg-audit-F.log begins here --- Script started on Fri Mar 28 14:31:03 2014 command: pkg audit -F Vulnxml file up-to-date. mod_php5-5.4.26 is vulnerable: php -- multiple vulnerabilities CVE: CVE-2006-4486 CVE: CVE-2006-4485 CVE: CVE-2006-4484 CVE: CVE-2006-4483 CVE: CVE-2006-4482 CVE: CVE-2006-4481 WWW: http://portaudit.FreeBSD.org/ea09c5df-4362-11db-81e1-000e0c2e438a.html mod_php5-5.4.26 is vulnerable: php -- vulnerability in RFC 1867 file upload processing WWW: http://portaudit.FreeBSD.org/562a3fdf-16d6-11d9-bc4a-000c41e2cdad.html mod_php5-5.4.26 is vulnerable: php -- php_variables memory disclosure WWW: http://portaudit.FreeBSD.org/ad74a1bd-16d2-11d9-bc4a-000c41e2cdad.html mod_php5-5.4.26 is vulnerable: php -- strip_tags cross-site scripting vulnerability CVE: CVE-2004-0595 WWW: http://portaudit.FreeBSD.org/edf61c61-0f07-11d9-8393-000103ccf9d6.html mod_php5-5.4.26 is vulnerable: php -- memory_limit related vulnerability CVE: CVE-2004-0594 WWW: http://portaudit.FreeBSD.org/dd7aa4f1-102f-11d9-8a8a-000c41e2cdad.html mod_php5-5.4.26 is vulnerable: php -- _ecalloc Integer Overflow Vulnerability CVE: CVE-2006-4812 WWW: http://portaudit.FreeBSD.org/e329550b-54f7-11db-a5ae-00508d6a62df.html mod_php5-5.4.26 is vulnerable: php -- multiple vulnerabilities CVE: CVE-2004-1065 CVE: CVE-2004-1019 WWW: http://portaudit.FreeBSD.org/d47e9d19-5016-11d9-9b5f-0050569f0001.html mod_php5-5.4.26 is vulnerable: php -- open_basedir Race Condition Vulnerability CVE: CVE-2006-5178 WWW: http://portaudit.FreeBSD.org/edabe438-542f-11db-a5ae-00508d6a62df.html 1 problem(s) in the installed packages found. Script done on Fri Mar 28 14:31:03 2014 --- pkg-audit-F.log ends here --- --- patch-security_vuxml begins here --- Index: Makefile =================================================================== --- Makefile (revision 349387) +++ Makefile (working copy) @@ -14,6 +14,8 @@ MAINTAINER= ports-secteam@FreeBSD.org COMMENT= Vulnerability and eXposure Markup Language DTD +LICENSE= BSD2CLAUSE + RUN_DEPENDS= ${XMLCATMGR}:${PORTSDIR}/textproc/xmlcatmgr \ ${LOCALBASE}/share/xml/dtd/xhtml-modularization/VERSION:${PORTSDIR}/textproc/xhtml-modularization \ ${LOCALBASE}/share/xml/dtd/xhtml-basic/xhtml-basic10.dtd:${PORTSDIR}/textproc/xhtml-basic @@ -46,7 +48,6 @@ VUXML_FILE?= ${PKGDIR}/vuln.xml -NO_STAGE= yes do-extract: @${RM} -rf ${WRKDIR} @${MKDIR} ${WRKDIR} @@ -65,13 +66,10 @@ ${PLIST} do-install: - @[ -d ${PREFIX}/${dir_DTD} ] || \ - ${MKDIR} ${PREFIX}/${dir_DTD} + @${MKDIR} ${STAGEDIR}${PREFIX}/${dir_DTD} .for f in ${DISTFILES} - ${INSTALL_DATA} ${WRKSRC}/${f} ${PREFIX}/${dir_DTD}/${f} + ${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${PREFIX}/${dir_DTD}/${f} .endfor - ${XMLCAT_ADD} - ${SGMLCAT_ADD} validate: tidy @${SH} ${FILESDIR}/validate.sh "${VUXML_FILE}" Index: vuln.xml =================================================================== --- vuln.xml (revision 349387) +++ vuln.xml (working copy) @@ -55637,7 +55637,7 @@ <name>php5-horde</name> <name>php5-nms</name> <name>mod_php5</name> - <range><ge>0</ge></range> + <range><lt>5.1.6_1</lt></range> </package> </affects> <description> @@ -55853,7 +55853,8 @@ <name>php5-nms</name> <name>mod_php4</name> <name>mod_php5</name> - <range><ge>0</ge></range> + <range><lt>4.4.4_1</lt></range> + <range><ge>5.*</ge><lt>5.1.6_2</lt></range> </package> </affects> <description> @@ -56832,7 +56833,8 @@ <name>php5-nms</name> <name>mod_php4</name> <name>mod_php5</name> - <range><ge>0</ge></range> + <range><lt>4.4.4</lt></range> + <range><ge>5</ge><lt>5.1.5</lt></range> </package> </affects> <description> @@ -76096,7 +76098,7 @@ </package> <package> <name>mod_php5</name> - <range><lt>5.0.3,1</lt></range> + <range><lt>5.0.3</lt></range> </package> </affects> <description> @@ -79080,7 +79082,7 @@ </package> <package> <name>mod_php5</name> - <range><le>5.0.1,1</le></range> + <range><le>5.0.1</le></range> </package> </affects> <description> @@ -79130,7 +79132,7 @@ </package> <package> <name>mod_php5</name> - <range><le>5.0.1,1</le></range> + <range><le>5.0.1</le></range> </package> </affects> <description> @@ -79816,7 +79818,7 @@ </package> <package> <name>mod_php5</name> - <range><le>5.0.0.r3_2,1</le></range> + <range><le>5.0.0.r3_2</le></range> </package> </affects> <description> @@ -79865,7 +79867,7 @@ </package> <package> <name>mod_php5</name> - <range><le>5.0.0.r3_2,1</le></range> + <range><le>5.0.0.r3_2</le></range> </package> </affects> <description> --- patch-security_vuxml ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140328062624.BDEA275942>