Re: portaudit



On Sunday 25 July 2010 16:10:42 Matthew Seaman wrote:
On 25/07/2010 19:06:30, ajtiM wrote:
Hi!

portaudit -a shows:
Affected package: mDNSResponder-214
Type of problem: mDNSResponder -- corrupted stack crash when parsing bad resolv.conf.
Reference: <http://portaudit.FreeBSD.org/1cd87e2a-81e3-11df-81d8-00262d5ed8ee.html>

Affected package: opera-10.10.20091120_2
Type of problem: opera -- Data URIs can be used to allow cross-site scripting.
Reference: <http://portaudit.FreeBSD.org/77b9f9bc-7fdf-11df-8a8d-0008743bf21a.html>

Affected package: linux-f10-pango-1.22.3_1
Type of problem: pango -- integer overflow.
Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>

3 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s)
immediately.

Do I need to deinstall those ports, or is it safe anyway?

No, it's not in any way "safe" to ignore what portaudit tells you.
However that does not mean that you necessarily have to delete the
referenced packages.

What you need to do is read the referenced vuXML data, look at the
reports referenced therein and decide if:

a) The vulnerability affects you, given your usage patterns. For
instance, you might be running a server where all users also have
root access, in which case, you don't need to worry about
privilege escalation attacks from logged in users.

b) The vulnerability affects you, but you can mitigate or prevent
any attack. E.g. you can cause a vulnerable daemon to bind only
to the loopback interface, or apply strict firewall rules to
prevent attacks over the network.

c) The software in question is mission critical, and removing it
would have a worse effect on you than some possible exploit.

If the software fails all of the above, then yes, you should certainly
remove it. Otherwise, you need to keep an eye out for any updates or
fixes and apply them ASAP.

In the particular case of linux-f10-pango -- this is a long-standing
vulnerability with no real prospect of a software patch becoming
available. Unfortunately that port is a vital part of the linuxulator,
so a lot of people are keeping it installed under case (c).

mDNSResponder can be fixed by a very simple patch, and exploiting the bug
depends on being able to control the contents of /etc/resolv.conf, which
pretty much implies the attacker would already have root access to your
machine. Keep an eye out for when the update hits the ports and apply
it as soon as possible.

The opera bug is more severe. Your vulnerability to it depends on your
usage patterns with that browser. It looks like the opera devs are on
the case, but in the meantime it might be an idea to switch to using an
alternate browser temporarily.

Cheers,

Matthew

Thank you very much.

It is sad that the port mDNSResponder is without a maintainer:

mDNSResponder 214 net
This port version is marked as vulnerable.
Apple's mDNSResponder

There is no maintainer for this port.

Opera released update 10.11 a long time ago, but there was no response to that either. For linux
pango I understand, because it is an old version which Fedora also hasn't used for a
very long time.


Thanks again.

Mitja
--------
http://starikarp.redbubble.com
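The triage Matthew describes starts from the `portaudit -a` report quoted at the top of the thread: for each affected package you need the package name, the one-line summary, and the vuXML id from the reference URL so you can read the full entry. The following POSIX sh script is an added example, not code from the thread or from the portaudit port; it parses a constructed report in the same format as the one quoted above (with the mail-wrapped lines joined back together) and turns it into one tab-separated record per package, plus a small check for whether a given package is on the list. It assumes each field sits on its own line, as real portaudit output does.

```shell
#!/bin/sh
# Constructed sample of `portaudit -a` output, mirroring the format in the thread.
# Two of the three entries from the thread are used; the ids are the ones it quotes.
SAMPLE_PORTAUDIT_OUTPUT='Affected package: mDNSResponder-214
Type of problem: mDNSResponder -- corrupted stack crash when parsing bad resolv.conf.
Reference: <http://portaudit.FreeBSD.org/1cd87e2a-81e3-11df-81d8-00262d5ed8ee.html>

Affected package: opera-10.10.20091120_2
Type of problem: opera -- Data URIs can be used to allow cross-site scripting.
Reference: <http://portaudit.FreeBSD.org/77b9f9bc-7fdf-11df-8a8d-0008743bf21a.html>

2 problem(s) in your installed packages found.'

# parse_portaudit REPORT
# Emits one line per affected package:  <package>TAB<vuxml-id>TAB<summary>
# The vuXML id is the basename of the reference URL without ".html"; it is the
# key under which the full advisory text lives in the ports vuln database.
parse_portaudit() {
  printf '%s\n' "$1" | awk '
    /^Affected package: / { pkg = $0; sub(/^Affected package: /, "", pkg) }
    /^Type of problem: /  { summary = $0; sub(/^Type of problem: /, "", summary) }
    /^Reference: /        {
      url = $0
      sub(/^Reference: </, "", url); sub(/>$/, "", url)
      id = url; sub(/.*\//, "", id); sub(/\.html$/, "", id)
      printf "%s\t%s\t%s\n", pkg, id, summary
    }
  '
}

# vulnerable_count REPORT  -> number of affected packages in the report
vulnerable_count() {
  parse_portaudit "$1" | wc -l | tr -d ' '
}

# vuxml_ids REPORT  -> the vuXML ids, one per line, for reading the full entries
vuxml_ids() {
  parse_portaudit "$1" | cut -f2
}

# is_affected PACKAGE REPORT  -> exit 0 if PACKAGE appears as affected, else 1
is_affected() {
  parse_portaudit "$2" | cut -f1 | grep -qx "$1"
}

# Stand-alone run: print the triage table for the constructed sample.
parse_portaudit "$SAMPLE_PORTAUDIT_OUTPUT"
```

Feeding a live report is `parse_portaudit "$(portaudit -a)"`; the first column is the package to match against `pkg_info`, the second is what to look up before deciding which of Matthew's cases (a), (b) or (c) applies.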
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"