Jan 11 2020
 

Today I found this annoying situation on FreeBSD 12.1 in a FreeBSD 12.0 jail (neither of which is directly relevant to the problem at hand).

[dan@serpico:~] $ sudo pkg audit -F
vulnxml file up-to-date
pkg: vulnxml parsing error: no element found
pkg: cannot process vulnxml

After a bit of thinking, I figured the vulnxml file was corrupt.

I guessed it might be in /var/db/pkg:

[dan@serpico:/var/db/pkg] $ ls -l
total 5226
-rw-r--r--  1 root  wheel      246 Sep 25  2014 FreeBSD.meta
drwxr-xr-x  2 root  wheel        3 May 12  2014 gettext-0.18.3.1_1
drwxr-xr-x  2 root  wheel        3 May 12  2014 libiconv-1.14_3
-rw-r--r--  1 root  wheel      246 Jan  9 17:33 local.meta
-rw-r--r--  1 root  wheel  3533824 Jan 11 03:47 local.sqlite
drwxr-xr-x  2 root  wheel        3 May 28  2014 nginx-1.6.0,2
drwxr-xr-x  2 root  wheel        3 Mar 12  2014 nrpe-2.15
drwxr-xr-x  2 root  wheel        3 May 28  2014 pcre-8.34_1
drwxr-xr-x  2 root  wheel        3 Mar 12  2014 perl5-5.16.3_7
drwxr-xr-x  2 root  wheel        3 May 12  2014 pkg-1.2.7_2
drwxr-xr-x  2 root  wheel        3 May 12  2014 python27-2.7.6_4
-rw-r--r--  1 root  wheel   142336 Sep 25  2014 repo-FreeBSD.sqlite
-rw-r--r--  1 root  wheel  2785280 Jan  9 17:33 repo-local.sqlite
-r--r--r--  1 root  wheel  4390912 Jan 11 19:13 vuln.xml

I renamed it:

[dan@serpico:/var/db/pkg] $ sudo mv vuln.xml vuln.xml.FAULTY

I tried again:

[dan@serpico:/var/db/pkg] $ sudo pkg audit -F
[serpico.int.unixathome.org] Fetching vuln.xml.bz2: 100%  827 KiB 846.4kB/s    00:01    
0 problem(s) in 0 installed package(s) found.

All good.

Let’s compare:

[dan@serpico:/var/db/pkg] $ ls -l vuln.xml*
-r--r--r--  1 root  wheel  5982429 Jan 11 19:30 vuln.xml
-r--r--r--  1 root  wheel  4390912 Jan 11 19:13 vuln.xml.FAULTY
[dan@serpico:/var/db/pkg] $ 

Yes, that’s quite a bit of difference. Let’s look at the end of the file:

[dan@serpico:/var/db/pkg] $ tail vuln.xml.FAULTY
	    would then allow the attacker to execute arbitrary code with
	    the privileges of the Vinagre user.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <bid>32682</bid>
      <cvename>CVE-2008-5660</cvename>
      <url>http://www.coresecurity.com/content/vinagre-format-string</url>
      <url>[dan@serpico:/var/db/pkg] $ 

It looks like the file was truncated.
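
The check-and-rename steps above can be scripted. This is an added example, not part of the original post and not pkg's own code. The function names are hypothetical, and it assumes a complete vuln.xml ends with the closing root tag `</vuxml>`.

```shell
#!/bin/sh
# Added example: spot a truncated vuln.xml and move it aside so that the next
# `pkg audit -F` fetches a fresh copy. Function names are hypothetical.

# True when FILE is non-empty and its last 256 bytes hold the closing root tag.
# Assumption: a complete VuXML file ends with </vuxml>. This is a truncation
# check only, not a full XML well-formedness check.
vulnxml_complete() {
    [ -s "$1" ] || return 1
    tail -c 256 "$1" | grep -q '</vuxml>'
}

# Rename an incomplete DIR/vuln.xml to vuln.xml.FAULTY, as done by hand above.
# Returns 0 = file looks complete, 1 = moved aside, 2 = no file, 3 = mv failed.
quarantine_vulnxml() {
    f="$1/vuln.xml"
    [ -e "$f" ] || return 2
    vulnxml_complete "$f" && return 0
    mv "$f" "$f.FAULTY" || return 3
    return 1
}

# Constructed sample input: one complete file, one cut off right after "<url>"
# like the tail of vuln.xml.FAULTY shown above.
make_samples() {
    mkdir -p "$1/good" "$1/bad"
    printf '<vuxml>\n<vuln>\n<url>http://example.org/</url>\n</vuln>\n</vuxml>\n' \
        > "$1/good/vuln.xml"
    printf '<vuxml>\n<vuln>\n<url>' > "$1/bad/vuln.xml"
}

# Offline demo on the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
for s in good bad; do
    rc=0
    quarantine_vulnxml "$demo/$s" || rc=$?
    echo "$s: rc=$rc, files: $(ls "$demo/$s")"
done
rm -rf "$demo"

# On a real system, as root:
#   quarantine_vulnxml /var/db/pkg; [ $? -eq 1 ] && pkg audit -F
```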

Hope this helps.
