# Prevent pkg from installing vulnerable packages



## nforced (Jan 27, 2016)

On one machine I have switched from ports to packages because of slow hardware specs (very long port build times) and have observed that pkg installs/upgrade packages to new versions that are vulnerable resulting in couple of vulnerable packages. For example I now see
```
pkg audit -F
vulnxml file up-to-date
linux-c6-xorg-libs-7.4_3 is vulnerable:
libXfont -- BDF parsing issues
CVE: CVE-2015-1804
CVE: CVE-2015-1803
CVE: CVE-2015-1802
WWW: https://vuxml.FreeBSD.org/freebsd/f7d79fac-cd49-11e4-898f-bcaec565249c.html

curl-7.46.0_2 is vulnerable:
curl -- Credentials not checked
CVE: CVE-2016-0755
WWW: https://vuxml.FreeBSD.org/freebsd/8b27f1bc-c509-11e5-a95f-b499baebfeaf.html

2 problem(s) in the installed packages found.
```
If I were to install these two packages by using the ports tree the install/upgrade would fail and thus keep the "old" but non-vulnerable packages.
My question is: is it possible to prevent pkg from installing/upgrading packages that are known to be vulnerable?
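One defensive approach to the question above, as an added example that is not code from this thread or from pkg(8) itself: audit the version the repository would install *before* running `pkg upgrade`, rather than discovering it with `pkg audit` afterwards. It relies on two documented features, `pkg rquery '%n-%v'` to read the repository's version of a package and `pkg audit` accepting a name-version argument so that a version which is not yet installed can be checked against VuXML. Assumptions are marked in the comments: that `pkg audit <name-version>` prints the same `... is vulnerable:` lines it prints for installed packages, and the embedded sample output is constructed from the `pkg audit -F` listing in the first post so the parser can be exercised without a live repository.

```shell
#!/bin/sh
# Added example (not from the thread or from pkg): refuse to run "pkg upgrade"
# when the repository's candidate version of any installed package is listed
# in the VuXML database. Assumes pkg-rquery(8) and pkg-audit(8) behave as
# documented; see comments for the one output-format assumption.

# parse_audit: read pkg audit output on stdin, print the name-version of every
# package it reports as vulnerable, one per line.
parse_audit() {
    sed -n 's/^\(.*\) is vulnerable:$/\1/p'
}

# count_vulnerable: number of vulnerable packages named in pkg audit output on stdin.
count_vulnerable() {
    parse_audit | wc -l | tr -d ' '
}

# reports_vulnerable: exit 0 when pkg audit output on stdin names at least one
# vulnerable package, 1 otherwise.
reports_vulnerable() {
    parse_audit | grep -q .
}

# check_candidate: given an installed package name, look up the version the
# configured repository offers and audit that version. Returns 1 if VuXML
# lists it as vulnerable, 0 if it is clean or the repository has no such package.
check_candidate() {
    name=$1
    candidate=$(pkg rquery '%n-%v' "$name" 2>/dev/null) || return 0
    # Assumption: "pkg audit <name-version>" prints "<name-version> is vulnerable:"
    # for a vulnerable argument, in the same format used for installed packages.
    if pkg audit "$candidate" 2>/dev/null | reports_vulnerable; then
        echo "BLOCK: $name -> $candidate has known vulnerabilities"
        return 1
    fi
    echo "ok: $name -> $candidate"
}

# Constructed sample, taken from the pkg audit -F output posted in the thread,
# used to exercise the parser offline.
SAMPLE_AUDIT='vulnxml file up-to-date
linux-c6-xorg-libs-7.4_3 is vulnerable:
libXfont -- BDF parsing issues
CVE: CVE-2015-1804
WWW: https://vuxml.FreeBSD.org/freebsd/f7d79fac-cd49-11e4-898f-bcaec565249c.html

curl-7.46.0_2 is vulnerable:
curl -- Credentials not checked
CVE: CVE-2016-0755
WWW: https://vuxml.FreeBSD.org/freebsd/8b27f1bc-c509-11e5-a95f-b499baebfeaf.html

2 problem(s) in the installed packages found.'

# Guarded upgrade: refresh the VuXML database, audit every upgrade candidate,
# and only run "pkg upgrade" when none of them is vulnerable.
# Usage on a FreeBSD host: sh guard-upgrade.sh --run
if [ "${1:-}" = "--run" ] && command -v pkg >/dev/null 2>&1; then
    pkg audit -F >/dev/null 2>&1 || true    # non-zero just means installed pkgs are vulnerable
    blocked=0
    for n in $(pkg query '%n'); do
        check_candidate "$n" || blocked=1
    done
    if [ "$blocked" -eq 1 ]; then
        echo "vulnerable upgrade candidates found; not running pkg upgrade" >&2
        exit 1
    fi
    pkg upgrade
fi
```

Without `--run` the script only defines its functions and sample data, so it can be sourced or tested without touching the package database. Note that this only blocks at the upgrade step; as the later posts in this thread point out, `pkg install` of a new, already-vulnerable package is a separate case, and the same `check_candidate` call can be run for a package name before installing it.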


----------



## hukadan (Jan 27, 2016)

Hi nforced,
What makes you think that the "old" packages are not vulnerable? Unless I missed something, the vuxml links provided show that all versions of ftp/curl between *7.10.0* and *7.47.0* (not yet reached the ports tree) and all versions of *libXfont* below *1.5.1* are affected, which means that the "old" packages are affected too.


----------



## nforced (Jan 27, 2016)

Hello hukadan,
Maybe you are right, but does that mean pkg will not install a given package if it's not installed and known to be vulnerable, or will it still upgrade if the newer version is vulnerable but the currently installed one is not?


----------



## hukadan (Jan 27, 2016)

I do not expect pkg(8) to stop me from installing a vulnerable software (I just checked with ftp/curl and it does not). But, building from port does not prevent installation either. I had the impression reading your first post that you implied that these two methods behaved differently when dealing with vulnerable software.


----------



## ANOKNUSA (Jan 28, 2016)

If you've retained the old packages in /var/cache/pkg you can just downgrade them. I personally think it's a good idea to give a couple gigabytes to this (a habit I picked up while using Arch Linux).

I don't know of any way to prevent pkg(8) from installing packages with potential security problems, but I don't think there necessarily should be. As with the base system, what makes a package "vulnerable" is subjective. Vulnerabilities typically arise under particular circumstances stemming from particular use cases, and if the circumstances in which a vulnerability is opened don't occur on a system then there's no real reason to "avoid" it--there's really nothing to avoid in the first place.

At the moment there's a patch available to fix a security problem recently discovered in the Linux emulation layer. Should I update my system to fix this? Eventually, yes, but then I do not use and never have used Linux emulation, so my system isn't actually vulnerable. I have ftp/curl installed on both my systems too, and it has a listed vulnerability, but it seems it has to do with password authentication--another thing I've never relied on. It's a matter of assessing whether you might actually be affected, and acting accordingly.


----------



## wblock@ (Jan 28, 2016)

Ports certainly stops software with known vulnerabilities from being installed by using pkg-audit(8).


----------



## hukadan (Jan 28, 2016)

When I tried on my system, ftp/curl was installed with a warning but ports did not stop the installation.

```
/usr/ports/ftp/curl % sudo make install
===>  Installing for curl-7.46.0_2
===>  curl-7.46.0_2 depends on file: /usr/local/share/certs/ca-root-nss.crt - found
===>  Checking if curl already installed
===>  Registering installation for curl-7.46.0_2
Installing curl-7.46.0_2...
===> SECURITY REPORT:
  This port has installed the following files which may act as network
  servers and may therefore pose a remote security risk to the system.
/usr/local/lib/libcurl.so.4.4.0

  If there are vulnerabilities in these programs there may be a security
  risk to the system. FreeBSD makes no guarantee about the security of
  ports included in the Ports Collection. Please type 'make deinstall'
  to deinstall the port if this is a concern.

  For more information, and contact details about the security
  status of this software, see the following webpage:
http://curl.haxx.se/
hukadan@freebsd-home:/usr/ports/ftp/curl % pkg audit -F
vulnxml file up-to-date
curl-7.46.0_2 is vulnerable:
curl -- Credentials not checked
CVE: CVE-2016-0755
WWW: https://vuxml.FreeBSD.org/freebsd/8b27f1bc-c509-11e5-a95f-b499baebfeaf.html
```


----------



## nforced (Jan 28, 2016)

*wblock@* is right, and that's what I am basically talking about:

```
portmaster ftp/curl

===>>> Currently installed version: curl-7.46.0_2
===>>> Port directory: /usr/ports/ftp/curl
===>>> Gathering distinfo list for installed ports
===>>> Launching 'make checksum' for ftp/curl in background
===>>> Gathering dependency list for ftp/curl from ports
===>>> Initial dependency check complete for ftp/curl
===>>> Starting build for ftp/curl <<<===
===>>> All dependencies are up to date
===>  Cleaning for curl-7.46.0_2
===>  curl-7.46.0_2 has known vulnerabilities:
curl-7.46.0_2 is vulnerable:
curl -- Credentials not checked
CVE: CVE-2016-0755
WWW: https://vuxml.FreeBSD.org/freebsd/8b27f1bc-c509-11e5-a95f-b499baebfeaf.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/ftp/curl
*** Error code 1

Stop.
make: stopped in /usr/ports/ftp/curl

===>>> make build failed for ftp/curl
===>>> Aborting update

===>>> You can restart from the point of failure with this command line:
  portmaster <flags> ftp/curl
```


----------



## kpa (Jan 28, 2016)

hukadan said:


> When I tried on my system, ftp/curl was installed with a warning but ports did not stop the installation.
> 
> ```
> /usr/ports/ftp/curl % sudo make install
> ...



You need to learn to read the messages properly; they are very clearly written as warnings for potential, not yet discovered security risks and not as indications of known problems.



> This port has installed the following files which may act as network servers and *may* therefore pose a remote security risk to the system.





> *IF* there are vulnerabilities in these programs there may be a security risk to the system.


----------



## wblock@ (Jan 28, 2016)

hukadan said:


> When I tried on my system, ftp/curl was installed with a warning but ports did not stop the installation.



Do you set DISABLE_VULNERABILITIES in /etc/make.conf?  That would defeat this valuable protection.


----------



## hukadan (Feb 6, 2016)

Thank you kpa for taking the time to highlight where my reading could have gone wrong. However, I read perfectly well (this time at least..). What I wanted to say is that despite the vulnerability in ftp/curl shown by pkg-audit(8) (see the second command I issued in my post) the package was installed. Since I trust your English more than mine, I guess my post was poorly worded and instead of '*a* warning' I should have written '*a general* warning'.

wblock@, the _problem_ came from the fact that my vulnerability database was not updated when I first issued `make install`. This is why the building and installation of the package did not abort on my first try. For the second try, the vulnerability database was up to date, but since I just removed and reinstalled (without rebuilding the package), the install did not abort on my second try either.

My (wrong?) understanding is that possible vulnerabilities are checked during the build phase and not during the install phase. This assumption is based on the following test:

- update of the vulnerability database followed by a build of the package: the build of the package aborts;
- build of the package followed by an update of the vulnerability database: package installation does not abort.
 
nforced, thank you for your post. It pointed to an aspect of ports(7) I did not know about.


----------

