Vulnerability on these ports!

I'm using www/palemoon 27.9.4 and DownThemAll! 2.0.18.1-signed.1-let-fixed.

What I don't understand is how you installed those extensions DownThemAll!, NoScript and uBlock Origin 1.16 in palemoon, when they are incompatible as I see it in the images. How did you proceed to install them?

The uBlock Origin Updater installed filters out abundant advertising that is not what you install.
 

With respect to the original question, the vulnerabilities in graphics/openjpeg that are blocking updates, Martin Paredes' advice (-m DISABLE_VULNERABILITIES=yes) should be considered a workaround, but only with appropriate research.

If you look at the commit history, 2.3.0_2 fixes CVE-2018-5785. There were 5 vulns at one point, now there are 4. Upgrading from 2.3.0_1 to 2.3.0_2 reduces the attack surface, a Good Thing.

Of the 4 still reported, it appears from the vulnxml report that two have patches and two are not fixed yet. Hopefully those patches will be integrated soon.

Given that there are unpatched vulnerabilities, the user should first determine if the version they are running is vulnerable (in this case, probably). If the current version isn't affected by the vulnerability and the new one is, don't update.

If both the current one and the update are vulnerable, the user has to decide whether it is tolerable to completely remove or disable the port until it is patched (for most of us, probably not; it isn't like everyone stopped using computers when we found out about Meltdown/Spectre and lived an analog life until we could buy secure hardware).

If both current and update are vulnerable and especially if the update is less vulnerable than the current (which is the case from 2.3.0_1 to 2.3.0_2), and if the port is essential, then use the necessary command to override the check and update anyway.
 
I hadn't noticed the difference and was still at 2.3.0_1 so I upgraded it. The only 2 remaining vulnerabilities involve .bmp bitmap files and I don't usually deal in that format.

I did run pkg delete to see what it would take with it:

Code:
root@onryo:/ # pkg delete openjpeg
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 12 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
    openjpeg-2.3.0_2
    poppler-0.57.0_1
    ghostscript9-agpl-base-9.24_1
    poppler-glib-0.57.0_1
    poppler-utils-0.57.0_1
    cups-filters-1.16.0_5
    epdfview-0.1.8_15
    gimp-app-2.8.22_1,1
    gutenprint-5.2.14
    py27-gimp-2.8.22_1
    gimp-gutenprint-5.2.14
    gimp-2.8.22,2

Number of packages to be removed: 12

The operation will free 141 MiB.

Proceed with deinstalling packages? [y/N]: n

I use graphics/gimp so much I'm really at a disadvantage if something happens where I have to resort to something else so I act accordingly and take into account what I'm doing to minimize possible exploits. Deinstalling the single port would probably still break GIMP.
 
If both current and update are vulnerable and especially if the update is less vulnerable than the current (which is the case from 2.3.0_1 to 2.3.0_2), and if the port is essential, then use the necessary command to override the check and update anyway.

This was my thought process as well.

Months later we're on openjpeg-2.3.0_3, but even that version is considered vulnerable. Those bugs must be fearsome.
 
According to VuXML, there's only one unpatched vuln remaining: CVE-2018-5727, which is being tracked at https://github.com/uclouvain/openjpeg/issues/1053.
And that is what I get:
Code:
# pkg audit -F openjpeg
Fetching vuln.xml.bz2: 100%  772 KiB 790.1kB/s    00:01    
openjpeg is vulnerable:
Affected versions:
< 2.1.1
openjpeg -- use-after-free vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/a233d51f-5d4c-11e5-9ad8-14dae9d210b8.html

openjpeg is vulnerable:
Affected versions:
<= 2.3.0_3
OpenJPEG -- multiple vulnerabilities
CVE: CVE-2018-6616
CVE: CVE-2018-5785
CVE: CVE-2018-5727
CVE: CVE-2017-17480
CVE: CVE-2017-17479
WWW: https://vuxml.FreeBSD.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html
 
VuXML: libsndfile -- multiple vulnerabilities is the other one that has appeared in my vuln list on a permanent basis. I think both this and the openjpeg one are related to having Firefox installed. It's irked me for a while because on my server it very rarely has any vulns reported, and if it does they get fixed within a few days. But I guess a graphical desktop is a different matter.
 
Argh, I got thrown off by the -F option. It shows everything, even if it doesn't apply any more.
 
shkhln, JPEG2000/jp2 is definitely far less regularly used than JPEG, but it is useful and necessary for some applications. It shouldn't be considered irrelevant that there are vulnerabilities.

getopt, I think there may be some inconsistencies with the vuln database. The link returned by pkg audit -F openjpeg quotes:
Multiple vulnerabilities have been found in OpenJPEG, the opensource JPEG 2000 codec. Please consult the CVE list for further details.
CVE-2017-17479 and CVE-2017-17480 were fixed in r477112.
CVE-2018-5785 was fixed in r480624.
CVE-2018-6616 was fixed in r489415.
CVE-2018-5727 is not fixed yet.

CVE-2018-6616 and CVE-2018-5785 are specifically referenced as fixed in the commit history. PR 234473 has a little more detail, though it seems there's a little confusion over the status of r477112 or at least Andres' question at the top of the PR doesn't seem answered.

However, whether there are 5 vulns, 4 vulns, or 1, there's still an open vuln.
 
As you found these inconsistencies, could you please file a PR for updating VuXML?

There are no inconsistencies: there were no official releases since 2.3.0 and the database doesn't track individual commits. Is it supposed to work with port revision numbers?
 
the database doesn't track individual commits.
If that is the case, the use of the database is not good. The database should reflect CVEs fixed, as this is the purpose of it. The FreeBSD security team should discuss that, as false positives are not what we want from our tools.
 
Just check the reverse dependencies for openjpeg:

Code:
% pkg info -r openjpeg
openjpeg-2.3.0_3:
    leptonica-1.76.0
    py27-pillow-5.2.0
    poppler-0.72.0
    gimp-app-2.10.8_1,1
    ImageMagick6-6.9.10.22,1
    mupdf-1.13.0_4,1
% pkg info -r poppler
poppler-0.72.0:
    poppler-qt4-0.57.0_1
    poppler-qt5-0.72.0
    poppler-glib-0.72.0
    poppler-utils-0.72.0
    libreoffice-6.0.7_4
    inkscape-0.92.3_7
% pkg info -r poppler-qt5
poppler-qt5-0.72.0:
    qpdfview-0.4.17.b1_4
    lumina-pdf-1.4.1_1
% pkg info -r poppler-glib
poppler-glib-0.72.0:
    poppler-utils-0.72.0
    gimp-app-2.10.8_1,1
    xfce4-tumbler-0.2.3_1
    inkscape-0.92.3_7
    epdfview-0.1.8_16
 
I have three:
Code:
pkg audit
patch-2.7.6 is vulnerable:
patch -- multiple vulnerabilities
CVE: CVE-2018-1000156
CVE: CVE-2018-6952
CVE: CVE-2018-6951
WWW: https://vuxml.FreeBSD.org/freebsd/791841a3-d484-4878-8909-92ef9ce424f4.html

openjpeg-2.3.0_3 is vulnerable:
OpenJPEG -- multiple vulnerabilities
CVE: CVE-2018-6616
CVE: CVE-2018-5785
CVE: CVE-2018-5727
CVE: CVE-2017-17480
CVE: CVE-2017-17479
WWW: https://vuxml.FreeBSD.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html

libsndfile-1.0.28_1 is vulnerable:
libsndfile -- out-of-bounds reads
CVE: CVE-2017-17457
CVE: CVE-2017-17456
CVE: CVE-2017-14246
CVE: CVE-2017-14245
WWW: https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html

3 problem(s) in the installed packages found.
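As an added example (my own script, not something posted in this thread), the following parses the pkg audit report format shown in this post and the earlier ones, collects the CVE ids per package, and applies the hold / update / override rule laid out earlier in the thread for 2.3.0_1 versus 2.3.0_2. The two sample reports are constructed, modelled on the numbers in the thread (five CVEs on the installed version, CVE-2018-5785 gone in the candidate); the function names are assumptions of this example. It expects the name-version header that pkg audit prints for installed packages and strips the version itself; the earlier openjpeg -F output, where a bare name with no version was given, also listed the old "< 2.1.1" entry, which appears to be because there was no version to compare against the affected range.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise a `pkg audit` report per
# package and apply the "is the update less vulnerable?" rule discussed above.
# Only the report layout shown in the thread is assumed ("<pkg> is vulnerable:",
# "CVE: ..." lines, "WWW: ..." line, blank line between entries).

# Constructed sample reports, modelled on the thread: the installed 2.3.0_1 with
# five CVEs and the candidate 2.3.0_2 with CVE-2018-5785 fixed. The libsndfile
# entry is there to show that per-package filtering works. The VuXML URLs are
# the ones quoted in the thread.
CURRENT_REPORT='openjpeg-2.3.0_1 is vulnerable:
OpenJPEG -- multiple vulnerabilities
CVE: CVE-2018-6616
CVE: CVE-2018-5785
CVE: CVE-2018-5727
CVE: CVE-2017-17480
CVE: CVE-2017-17479
WWW: https://vuxml.FreeBSD.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html

libsndfile-1.0.28_1 is vulnerable:
libsndfile -- out-of-bounds reads
CVE: CVE-2017-17457
CVE: CVE-2017-17456
WWW: https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html

2 problem(s) in the installed packages found.'

CANDIDATE_REPORT='openjpeg-2.3.0_2 is vulnerable:
OpenJPEG -- multiple vulnerabilities
CVE: CVE-2018-6616
CVE: CVE-2018-5727
CVE: CVE-2017-17480
CVE: CVE-2017-17479
WWW: https://vuxml.FreeBSD.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html

1 problem(s) in the installed packages found.'

# audit_cves NAME: read a pkg audit report on stdin and print the CVE ids
# reported for package NAME (version stripped from the header), sorted, unique.
audit_cves() {
    awk -v pkg="$1" '
        / is vulnerable:$/ {
            name = $1
            sub(/-[0-9][^ ]*$/, "", name)   # openjpeg-2.3.0_1 -> openjpeg
            inpkg = (name == pkg)
        }
        inpkg && /^CVE: / { print $2 }
    ' | sort -u
}

# ids_not_in HAVE WANT: print ids from WANT (newline separated) absent from HAVE.
ids_not_in() {
    printf '%s\n' "$2" | HAVE="$1" awk '
        BEGIN {
            n = split(ENVIRON["HAVE"], a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        }
        NF && !($1 in seen) { print $1 }
    '
}

# update_verdict CUR NEW: CUR and NEW are the CVE lists for the installed and
# the candidate version. Encodes the rule from the thread:
#   hold            - the update is exposed to something the installed one is not
#   update          - the update is clean, or fixes CVEs and adds none
#   update-override - the update fixes some CVEs but is still vulnerable, so
#                     installing it needs DISABLE_VULNERABILITIES=yes (essential port)
#   judgement       - same exposure either way; decide whether to keep or remove it
update_verdict() {
    fixed=$(ids_not_in "$2" "$1")        # in installed, gone in candidate
    introduced=$(ids_not_in "$1" "$2")   # new in candidate
    if [ -n "$introduced" ]; then
        echo hold
    elif [ -z "$2" ]; then
        echo update
    elif [ -n "$fixed" ]; then
        echo update-override
    else
        echo judgement
    fi
}

# Walk-through for openjpeg with the constructed reports.
openjpeg_verdict() {
    cur=$(printf '%s\n' "$CURRENT_REPORT" | audit_cves openjpeg)
    new=$(printf '%s\n' "$CANDIDATE_REPORT" | audit_cves openjpeg)
    update_verdict "$cur" "$new"
}

# Stand-alone run: prints update-override for the sample data
openjpeg_verdict
```

On a real system the two reports would come from pkg audit on the installed package and from pkg audit given the candidate name-version string; the verdict is only as good as the database entry, which, as the thread shows, can lag behind port revisions.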
 