From vadimnuclight@tpu.ru  Sat Sep 16 12:59:13 2006
Return-Path: <vadimnuclight@tpu.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9596916A403
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 16 Sep 2006 12:59:13 +0000 (UTC)
	(envelope-from vadimnuclight@tpu.ru)
Received: from relay1.tpu.ru (relay1.tpu.ru [213.183.112.102])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C32D343D62
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 16 Sep 2006 12:59:12 +0000 (GMT)
	(envelope-from vadimnuclight@tpu.ru)
Received: by relay1.tpu.ru (Postfix, from userid 501)
	id 4086B13D431; Sat, 16 Sep 2006 19:59:11 +0700 (NOVST)
Received: from mail.main.tpu.ru (mail.main.tpu.ru [10.0.0.3])
	by relay1.tpu.ru (Postfix) with ESMTP id 268A713D42A
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 16 Sep 2006 19:59:11 +0700 (NOVST)
Received: from mail.tpu.ru ([213.183.112.105]) by mail.main.tpu.ru with Microsoft SMTPSVC(6.0.3790.1830);
	 Sat, 16 Sep 2006 19:58:33 +0700
Received: from nuclight.avtf.net ([82.117.64.107]) by mail.tpu.ru over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830);
	 Sat, 16 Sep 2006 19:58:32 +0700
Message-Id: <optfy2bete4fjv08@nuclight.avtf.net>
Date: Sat, 16 Sep 2006 19:58:16 +0700
From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: portaudit reports bogus diablo-jdk15 vulnerability due to incorrect pkg naming

>Number:         103313
>Category:       ports
>Synopsis:       portaudit reports bogus java/diablo-jdk15 vulnerability due to incorrect pkg naming
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glewis
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 16 13:00:30 GMT 2006
>Closed-Date:    Sat Sep 16 17:26:54 GMT 2006
>Last-Modified:  Sun Sep 17 17:50:20 GMT 2006
>Originator:     Vadim S. Goncharov
>Release:        FreeBSD 5.5-STABLE i386
>Organization:
Tomsk Polytechnic University, AVTF Hostel
>Environment:
 System: FreeBSD hostel.avtf.net 5.5-STABLE FreeBSD 5.5-STABLE #1: Sat Sep  9 03:38:25 NOVST 2006
>Description:

 http://www.freebsdfoundation.org/downloads/java.shtml offers to
 download new diablo-jdk 1.5 Update 7 packages for different platforms.
 These package files (and the +CONTENTS data inside) are incorrectly named,
 so that all version checks will report the package version as lower than 1.3;
 in particular, this causes portaudit to incorrectly report
 diablo-jdk15 as vulnerable. It should be noted that the previous
 diablo-jdk 1.5 Update 6 packages were named more correctly.
 To be more precise, two dots are placed too early in the name:
 
 # pkg_version -t freebsd5.i386.1.5.0.07.00 1.3
 <
 # pkg_version -t freebsd5-i386-1.5.0.07.00 1.3
 >
 
>How-To-Repeat:
 Just have portaudit installed and enabled, then install the latest
 diablo-jdk15 package, and you'll see reports about a year-2005
 vulnerability in your daily security reports.
 
>Fix:
 
 Suppose you have installed diablo-jdk-freebsd5.i386.1.5.0.07.00.tbz
 (for other versions and platforms, change the appropriate parts of the name).
 Then go to the /var/db/pkg directory and do:
 
 # mv diablo-jdk-freebsd5.i386.1.5.0.07.00 \
      diablo-jdk-freebsd5-i386-1.5.0.07.00
 
 Then go into this directory and change the package name inside the +CONTENTS
 file:
 
 # sed -i '' -e 's/freebsd5\.i386\.1\.5/freebsd5-i386-1.5/' '+CONTENTS'
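The following is an added example, not part of this PR and not code from FreeBSD's pkg_install or portaudit. It models in Python why the mis-named package becomes a false positive: the installed package name is split into name and version at the last hyphen (the FreeBSD package naming convention), so the dotted spelling yields a "version" that begins with `freebsd5`, which sorts below every numeric version and therefore matches any "< 1.3" range. The comparator is a simplified stand-in for pkg_version(1) -t (numeric components compared as integers, a non-numeric leading component sorting below every number); it reproduces the ordering shown above but is not the real algorithm. The `diablo-jdk < 1.3` range is a constructed stand-in for the year-2005 VuXML entry the PR mentions but does not quote. It also adds the pre-publication sanity check a packager could run to catch such names before they ship.

```python
import re

# Constructed sample data: the two spellings of the package name discussed in the PR.
BAD_PKGNAME = "diablo-jdk-freebsd5.i386.1.5.0.07.00"   # as shipped
GOOD_PKGNAME = "diablo-jdk-freebsd5-i386-1.5.0.07.00"  # as the PR says it should be

# Constructed stand-in for a VuXML "<lt>" range: package "diablo-jdk", versions below 1.3.
# The PR does not quote the real year-2005 entry, so this is illustrative only.
SAMPLE_RANGE = ("diablo-jdk", "1.3")


def split_pkgname(pkgname):
    """Split 'name-version' at the last hyphen, the FreeBSD package convention.

    With the bad spelling the version part starts with 'freebsd5', because the
    hyphens that should separate the platform tokens are dots instead.
    """
    name, sep, version = pkgname.rpartition("-")
    if not sep or not version:
        raise ValueError("no version suffix in %r" % pkgname)
    return name, version


def _key(version):
    """Comparable tuple for a dotted version string.

    Simplified stand-in for pkg_version(1) -t (an assumption, not its real code):
    numeric components compare as integers, a component that does not start with
    a digit sorts below every number, and trailing zero components are
    insignificant (1.5 == 1.5.0).
    """
    parts = []
    for comp in version.split("."):
        m = re.match(r"\d+", comp)
        if m is None:
            parts.append((0, 0, comp))  # alphabetic component: below any number
        else:
            parts.append((1, int(m.group()), comp[m.end():]))
    while parts and parts[-1] == (1, 0, ""):
        parts.pop()
    return tuple(parts)


def compare_versions(a, b):
    """Return '<', '=' or '>' in the style of pkg_version -t."""
    ka, kb = _key(a), _key(b)
    if ka < kb:
        return "<"
    if ka > kb:
        return ">"
    return "="


def is_flagged(pkgname, vuln_name, lt_version):
    """Would a VuXML-style range 'vuln_name < lt_version' match this package?"""
    name, version = split_pkgname(pkgname)
    return name == vuln_name and compare_versions(version, lt_version) == "<"


def malformed_version(pkgname):
    """Pre-publication sanity check: a version that does not begin with a digit
    will compare below every real version and trip any such range."""
    _, version = split_pkgname(pkgname)
    return not version[:1].isdigit()


if __name__ == "__main__":
    for pkg in (BAD_PKGNAME, GOOD_PKGNAME):
        name, version = split_pkgname(pkg)
        print("%s\n  name=%s version=%s" % (pkg, name, version))
        print("  version %s %s -> flagged: %s, malformed: %s" % (
            compare_versions(version, SAMPLE_RANGE[1]), SAMPLE_RANGE[1],
            is_flagged(pkg, *SAMPLE_RANGE), malformed_version(pkg)))
```

Run stand-alone, the bad spelling is reported as name `diablo-jdk`, version `freebsd5.i386.1.5.0.07.00`, flagged and malformed; the hyphenated spelling is reported as name `diablo-jdk-freebsd5-i386`, version `1.5.0.07.00`, neither flagged nor malformed. The `malformed_version` check is the cheap guard that would have caught these packages before they were published.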
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->glewis 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Sep 16 16:02:23 UTC 2006 
Responsible-Changed-Why:  
Reformat and assign to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103313 
State-Changed-From-To: open->closed 
State-Changed-By: glewis 
State-Changed-When: Sat Sep 16 17:26:05 UTC 2006 
State-Changed-Why:  
This was fixed by remko@'s recent commit to vuln.xml (rev. 1.1131). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103313 

From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
To: "Greg Lewis" <glewis@freebsd.org>
Cc: freebsd-bugs@freebsd.org, bug-followup@freebsd.org,
	freebsd-java@freebsd.org
Subject: Re: ports/103313: portaudit reports bogus java/diablo-jdk15 vulnerability due to incorrect pkg naming
Date: Sun, 17 Sep 2006 01:45:10 +0700

 17.09.06 @ 00:26 Greg Lewis wrote:
 
 > Synopsis: portaudit reports bogus java/diablo-jdk15 vulnerability due to
 > incorrect pkg naming
 >
 > State-Changed-From-To: open->closed
 > State-Changed-By: glewis
 > State-Changed-When: Sat Sep 16 17:26:05 UTC 2006
 > State-Changed-Why:
 > This was fixed by remko@'s recent commit to vuln.xml (rev. 1.1131).
 >
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=103313
 
 That's a VERY BAD method of fixing things. Package names should be changed,
 not vuln.xml! As the cause of an illness should always be cured, not the
 symptoms. And, after all, even that fix was partial: it fixed only the jdk on
 fbsd 6 - my fbsd 5 IS STILL "vulnerable". And this is only the jdk, but we
 have the same problem with the jre. And not only for i386, but for amd64 also
 - 6 packages total, not 1.
 
 -- 
 WBR, Vadim Goncharov

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Vadim Goncharov <vadimnuclight@tpu.ru>
Cc: Greg Lewis <glewis@freebsd.org>, freebsd-bugs@freebsd.org,
	bug-followup@freebsd.org, freebsd-java@freebsd.org
Subject: Re: ports/103313: portaudit reports bogus java/diablo-jdk15 vulnerability due to incorrect pkg naming
Date: Sun, 17 Sep 2006 19:43:07 +0200

 On 2006.09.17 01:45:10 +0700, Vadim Goncharov wrote:
 > 17.09.06 @ 00:26 Greg Lewis wrote:
 > 
 > >Synopsis: portaudit reports bogus java/diablo-jdk15 vulnerability due to
 > >incorrect pkg naming
 > >
 > >State-Changed-From-To: open->closed
 > >State-Changed-By: glewis
 > >State-Changed-When: Sat Sep 16 17:26:05 UTC 2006
 > >State-Changed-Why:
 > >This was fixed by remko@'s recent commit to vuln.xml (rev. 1.1131).
 > >
 > >http://www.freebsd.org/cgi/query-pr.cgi?pr=103313
 > 
 > That's a VERY BAD method of fixing things. Package names should be changed,
 
 No it's not.  While it sucks we have to add such workarounds to the
 VuXML document there really isn't any other way to do it, and it isn't
 the first time we have to do it.  The package with the bad name is out
 there and being flagged as vulnerable when it isn't.
 
 Yes, the package name should be fixed, but that doesn't change that
 the workaround is needed for people who already have it installed.
 
 Greg Lewis has already said that he's going to look at getting the
 package name fixed for the next release.
 
 > not vuln.xml! As the cause of an illness should always be cured, not the
 > symptoms. And, after all, even that fix was partial: it fixed only the jdk on
 > fbsd 6 - my fbsd 5 IS STILL "vulnerable". And this is only the jdk, but we
 > have the same problem with the jre. And not only for i386, but for amd64 also
 > - 6 packages total, not 1.
 
 Ah, yes those should also be handled.  Both remko@ and I missed that
 when looking at fixing this.  I will look at handling those packages
 also as soon as possible.
 
 -- 
 Simon L. Nielsen
 FreeBSD Deputy Security Officer
>Unformatted:
