May 06 2012
 

Ruslan wrote in to mention that the ‘Latest Vulnerabilities’ section is not current. I’m trying to find out why.

FreshPorts has processed the latest vuln entries; http://www.freshports.org/vuxml.php reports Revision: 1.2685.

But http://www.freshports.org/vuxml.php?all lists nothing later than 2012-04-27.

I just refreshed the security/vuxml port on the main FreshPorts server. It is now re-processing the latest vuln file. Let’s see what that gives me.

Ummm. Nothing different. OK, let’s delete all existing vuxml entries from the table and try again:

$ touch ../dynamic/vuxml ../dynamic/job_waiting && tail -F /var/log/messages
May  6 15:03:27 supernews fp-daemon: yes, there is a job waiting
May  6 15:03:28 supernews FreshPorts[12281]: flag not set.  no work for process_updating.sh 
May  6 15:03:28 supernews FreshPorts[12281]: flag not set.  no work for process_moved.sh 
May  6 15:03:28 supernews FreshPorts[12281]: flag not set.  no work for process_www_en_ports_categories.sh 
May  6 15:03:28 supernews FreshPorts[12281]: /usr/websites/freshports.org/dynamic/vuxml exists.  About to run process_vuxml.sh 
May  6 15:03:28 supernews FreshPorts /usr/websites/freshports.org/scripts/process_vuxml.sh: vuxml processing begins
May  6 15:03:29 supernews FreshPorts /usr/websites/freshports.org/scripts/process_vuxml.sh: vuxml ident begins
May  6 15:03:29 supernews FreshPorts /usr/websites/freshports.org/scripts/process_vuxml.sh: vuxml latest begins
May  6 15:03:30 supernews FreshPorts /usr/websites/freshports.org/scripts/process_vuxml.sh: vuxml finishes
May  6 15:03:30 supernews FreshPorts /usr/websites/freshports.org/scripts/process_vuxml.sh: vuxml terminates
May  6 15:03:30 supernews FreshPorts[12281]: Finished running process_vuxml.sh 
May  6 15:03:31 supernews sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/libexec/nagios/check_pid_sudo /var/run/dovecot/master.pid

Umm, that’s a problem. vuxml should take many minutes to run.

Running the command manually shows an error:

[dan@supernews:/usr/websites/freshports.org/scripts] $ perl ./process_vuxml.pl -w <  ~dan/ports/security/vuxml/vuln.xml
Existing VuXML entries will be deleted
dbname = freshports.org
creating parsing engine
running parsing engine
vid:           60de13d5-95f0-11e1-806a-001143cd36d8
topic:         php -- vulnerability in certain CGI-based setups
packages:
    php5:
               gt: 5.4       lt: 5.4.2
               lt: 5.3.12        php53:
               lt: 5.3.12        php4:
               lt: 4.4.10        php52:
               lt: 5.2.17_8  description:
      
	<p>php development team reports:</p>
	<blockquote cite="http://www.php.net/archive/2012.php#id2012-05-03-1">
	  <p>Security Enhancements and Fixes in PHP 5.3.12:</p>
	  <ul>
	    <li>Initial fix for cgi-bin ?-s cmdarg parse issue
	      (CVE-2012-1823)</li>
	  </ul>
	</blockquote>
      
    
references:
    cvename:   CVE-2012-1823
dates:
    discovery: 2012-05-03
    entry:     2012-05-05

-----------------------------
sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252497,
				2145201,
				'package')
gt: 5.4       lt: 5.4.2
lt: 5.3.12    sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252498,
				2145201,
				'package')
lt: 5.3.12    sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252499,
				2145201,
				'package')
lt: 4.4.10    sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252500,
				2145201,
				'package')
lt: 5.2.17_8      cvename:   CVE-2012-1823
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817623,
				2145201,
				'cvename',
				'CVE-2012-1823')
vid:           18dffa02-946a-11e1-be9d-000c29cc39d3
topic:         WebCalendar -- multiple vulnerabilities
packages:
    WebCalendar-devel:
               le: 1.2.4     description:
      
	<p>Hanno Boeck reports:</p>
	<blockquote cite="http://www.openwall.com/lists/oss-security/2012/04/28/1">
	  <p>Fixes [are now available] for various security vulnerabilities
            including LFI (local file inclusion), XSS (cross site scripting)
            and others.</p>
	</blockquote>
      
    
references:
    cvename:   CVE-2012-1495
    cvename:   CVE-2012-1496
    url:       http://packetstormsecurity.org/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html
    url:       http://packetstormsecurity.org/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html
    url:       http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html
dates:
    discovery: 2012-04-28
    entry:     2012-05-02

-----------------------------
sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252501,
				2145202,
				'package')
le: 1.2.4         cvename:   CVE-2012-1495
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817624,
				2145202,
				'cvename',
				'CVE-2012-1495')
    cvename:   CVE-2012-1496
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817625,
				2145202,
				'cvename',
				'CVE-2012-1496')
    url:       http://packetstormsecurity.org/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817626,
				2145202,
				'url',
				'http://packetstormsecurity.org/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html')
    url:       http://packetstormsecurity.org/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817627,
				2145202,
				'url',
				'http://packetstormsecurity.org/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html')
    url:       http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817628,
				2145202,
				'url',
				'http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html')
vid:           94c0ac4f-9388-11e1-b242-00262d5ed8ee
topic:         chromium -- multiple vulnerabilities
packages:
    chromium:
               lt: 18.0.1025.168description:
      
	<p>Google Chrome Releases reports:</p>
	<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
	  <p>[106413] High CVE-2011-3078: Use after free in floats handling.
	    Credit to Google Chrome Security Team (Marty Barbella) and
	    independent later discovery by miaubiz.</p>
	  <p>[117627] Medium CVE-2011-3079: IPC validation failure. Credit to
	    PinkiePie.</p>
	  <p>[121726] Medium CVE-2011-3080: Race condition in sandbox IPC.
	    Credit to Willem Pinckaers of Matasano.</p>
	  <p>[121899] High CVE-2011-3081: Use after free in floats handling.
	    Credit to miaubiz.</p>
	  <p>[117110] High CVE-2012-1521: Use after free in xml parser. Credit
	    to Google Chrome Security Team (SkyLined) and independent later
	    discovery by wushi of team509 reported through iDefense VCP
	    (V-874rcfpq7z).</p>
	</blockquote>
      
    
references:
    cvename:   CVE-2011-3078
    cvename:   CVE-2011-3079
    cvename:   CVE-2011-3080
    cvename:   CVE-2011-3081
    cvename:   CVE-2012-1521
    url:       http://googlechromereleases.blogspot.com/search/label/Stable%20updates
dates:
    discovery: 2012-04-30
    entry:     2012-05-01

-----------------------------
sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252502,
				2145203,
				'package')
lt: 18.0.1025.168    cvename:   CVE-2011-3078
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817629,
				2145203,
				'cvename',
				'CVE-2011-3078')
    cvename:   CVE-2011-3079
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817630,
				2145203,
				'cvename',
				'CVE-2011-3079')
    cvename:   CVE-2011-3080
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817631,
				2145203,
				'cvename',
				'CVE-2011-3080')
    cvename:   CVE-2011-3081
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817632,
				2145203,
				'cvename',
				'CVE-2011-3081')
    cvename:   CVE-2012-1521
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817633,
				2145203,
				'cvename',
				'CVE-2012-1521')
    url:       http://googlechromereleases.blogspot.com/search/label/Stable%20updates
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817634,
				2145203,
				'url',
				'http://googlechromereleases.blogspot.com/search/label/Stable%20updates')
vid:           2cde1892-913e-11e1-b44c-001fd0af1a4c
topic:         php -- multiple vulnerabilities
packages:
    php53:
               lt: 5.3.11        php5:
               lt: 5.3.11    description:
        
          <p>php development team reports:</p>
          <blockquote cite="http://www.php.net/archive/2012.php#id2012-04-26-1">
	    <p>Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:</p>
	    <ul>
	      <li>Insufficient validating of upload name leading to corrupted $_FILES indices. (CVE-2012-1172) </li>
	      <li>Add open_basedir checks to readline_write_history and readline_read_history.</li>
	    </ul>
	    <p>Security Enhancements for both PHP 5.3.11 only:</p>
	    <ul>
	      <li>Regression in magic_quotes_gpc fix for CVE-2012-0831.</li>
	    </ul>
          </blockquote>
        
     
references:
    cvename:   CVE-2012-0831
    cvename:   CVE-2012-1172
    url:       http://www.php.net/archive/2012.php#id2012-04-26-1
dates:
    discovery: 2012-03-01
    entry:     2012-04-28
    modified:  2012-05-04

-----------------------------
sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252503,
				2145204,
				'package')
lt: 5.3.11    sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252504,
				2145204,
				'package')
lt: 5.3.11        cvename:   CVE-2012-0831
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817635,
				2145204,
				'cvename',
				'CVE-2012-0831')
    cvename:   CVE-2012-1172
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817636,
				2145204,
				'cvename',
				'CVE-2012-1172')
    url:       http://www.php.net/archive/2012.php#id2012-04-26-1
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817637,
				2145204,
				'url',
				'http://www.php.net/archive/2012.php#id2012-04-26-1')
vid:           0fa15e08-92ec-11e1-a94a-00215c6a37bb
topic:         samba -- incorrect permission checks vulnerability
packages:
    samba34:
               gt: 3.4.*     lt: 3.4.17
    samba35:
               gt: 3.5.*     lt: 3.5.15
    samba36:
               gt: 3.6.*     lt: 3.6.5
description:
      
	<p>The Samba project reports:</p>
	<blockquote cite="http://www.samba.org/samba/security/CVE-2012-2111">
	  <p>Samba versions 3.4.x to 3.6.4 inclusive are affected
	    by a vulnerability that allows arbitrary users to modify
	    privileges on a file server.</p>
	  <p>Security checks were incorrectly applied to the Local
	    Security Authority (LSA) remote proceedure calls (RPC)
	    CreateAccount, OpenAccount, AddAccountRights and
	    RemoveAccountRights allowing any authenticated user
	    to modify the privileges database.</p>
	  <p>This is a serious error, as it means that authenticated
	    users can connect to the LSA and grant themselves the
	    "take ownership" privilege. This privilege is used by the
	    smbd file server to grant the ability to change ownership
	    of a file or directory which means users could take ownership
	    of files or directories they do not own.</p>
	</blockquote>
      
    
references:
    cvename:   CVE-2012-2111
dates:
    discovery: 2012-04-30
    entry:     2012-04-30

-----------------------------
sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252505,
				2145205,
				'package')
gt: 3.4.*     lt: 3.4.17
sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252506,
				2145205,
				'package')
gt: 3.5.*     lt: 3.5.15
sql is insert into vuxml_affected(id, vuxml_id, type) values (
				3252507,
				2145205,
				'package')
gt: 3.6.*     lt: 3.6.5
    cvename:   CVE-2012-2111
sql is insert into vuxml_references(id, vuxml_id, type, reference) values (
				7817638,
				2145205,
				'cvename',
				'CVE-2012-2111')
references_push(): Missing reference value at /usr/local/lib/perl5/site_perl/5.8.9/mach/XML/Parser/Expat.pm line 469
[dan@supernews:/usr/websites/freshports.org/scripts] $ 

The problem is caused by the vid entry after the above.

b428e6b3-926c-11e1-8d7b-003067b2972c contains this around line 276 of vuln.xml:

    <references>
      <freebsdsa/>
    </references>

If I delete that freebsdsa line, all goes well.

This is valid XML. However, the code expects something in there.

The template in the code for this section is:

    >vuxml>vuln>references
    >vuxml>vuln>references>url *
    >vuxml>vuln>references>mlist *
    >vuxml>vuln>references>cvename *
    >vuxml>vuln>references>bid *
    >vuxml>vuln>references>certsa *
    >vuxml>vuln>references>certvu *
    >vuxml>vuln>references>uscertsa *
    >vuxml>vuln>references>uscertta *
    >vuxml>vuln>references>freebsdsa *
    >vuxml>vuln>references>freebsdpr *

vuln.xml has been updated to give this tag some content. Ideally, my code should work without it. At another time of year, I could look into this deeper, but… BSDCan.
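
A pre-flight check for this failure mode, as an added example (not FreshPorts code): it lists every reference element in a VuXML file that carries no text, so an entry like the one above is reported by vid before the importer aborts and the vulnerability list goes stale. The function names, the all-zero vid and the whitespace-only url element are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Reference element names taken from the template quoted in the post.
REFERENCE_TAGS = {"url", "mlist", "cvename", "bid", "certsa", "certvu",
                  "uscertsa", "uscertta", "freebsdsa", "freebsdpr"}

# Constructed sample: the first vid and its empty <freebsdsa/> are from the
# post; the all-zero vid and the whitespace-only <url> are made up.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="b428e6b3-926c-11e1-8d7b-003067b2972c">
    <references>
      <freebsdsa/>
    </references>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <references><cvename>CVE-2012-2111</cvename><url>   </url></references>
  </vuln>
</vuxml>"""


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def find_empty_references(xml_text):
    """Return (vid, tag) for every reference element with no text content."""
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.iter():
        if local_name(vuln.tag) != "vuln":
            continue
        vid = vuln.get("vid", "<no vid>")
        for refs in vuln:
            if local_name(refs.tag) != "references":
                continue
            for ref in refs:
                name = local_name(ref.tag)
                # <freebsdsa/> parses with text None; whitespace-only counts too.
                if name in REFERENCE_TAGS and not (ref.text or "").strip():
                    findings.append((vid, name))
    return findings


if __name__ == "__main__":
    for vid, tag in find_empty_references(SAMPLE):
        print(f"{vid}: empty <{tag}> in <references>")
```

Run against the real vuln.xml before the import job, a non-empty result is a reason to alert rather than let the job finish in two seconds with nothing loaded.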

But…

This appears to be the fix:

1331c1331
<     $VuXML->references_push( FREEBSDSA, $VuXML->{text_buffer} );
---
>     $VuXML->references_push( FREEBSDSA, $VuXML->{text_buffer} // '' );
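
Review bot: the // (defined-or) operator on the new line needs Perl 5.10 or later, and the error message earlier on the page comes from a path under site_perl/5.8.9, so confirm which interpreter actually runs process_vuxml.pl; writing it as defined $VuXML->{text_buffer} ? $VuXML->{text_buffer} : '' works on both. The change also covers only the FREEBSDSA call, while the template lists nine other reference elements (url, mlist, cvename, bid and so on); if their handlers pass text_buffer to references_push the same way, an empty one of those will stop the import with the same "Missing reference value" error. Consider putting the default inside references_push, or skipping empty references there so that no empty-string rows are inserted into vuxml_references.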

FYI, this code was last changed 7 years, 3 months ago. My thanks to Mr Matthew Seaman for his fine work on the vuxml processing.
