Stichting-MINIX-Research-Foundation / minix

Official MINIX sources - Automatically replicated from gerrit.minix3.org

Security Vulnerability - Action Required: some unpatched vulnerabilities are detected in your repo #353

Open Crispy-fried-chicken opened 5 months ago

Crispy-fried-chicken commented 5 months ago

Hi, I've noticed that someone warned that there are some vulnerabilities in this repo, and we have scanned your repo with our self-developed tool, which mainly uses static analysis methods and has a high detection accuracy on our dataset. We have also received positive feedback from other projects before. The details are as follows:

  1. nextitem and netclear functions from libexec/telnetd/utility.c, which are similar to CVE-2020-10188; the patch is https://github.com/freebsd/freebsd-src/commit/5760cb266e0ab04c221c2acdb4b6c4c141130ecd
  2. xprt_set_caller function from tests/fs/nfs/nfsservice/rpcbind/rpcb_svc_com.c, which is similar to CVE-2015-7236; the patch is https://github.com/freebsd/freebsd-src/commit/066c492a77015b0e8236d3d2cdfc733024e2e6c3
  3. lookup_bytestring and linkaddr_string functions from external/bsd/tcpdump/dist/addrtoname.c, which are similar to CVE-2017-12894; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/730fc35968c5433b9e2a829779057f4f9495dc51
  4. atm_if_print and juniper_mlfr_print functions from external/bsd/tcpdump/dist/print-juniper.c, which are similar to CVE-2017-12897; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/1dcd10aceabbc03bf571ea32b892c522cbe923de
  5. parserep function from external/bsd/tcpdump/dist/print-nfs.c, which is similar to CVE-2017-12898; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/19d25dd8781620cd41bf178a5e2e27fc1cf242d0
  6. juniper_parse_header function from external/bsd/tcpdump/dist/print-juniper.c, which is similar to CVE-2017-12993; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/b534e304568585707c4a92422aeca25cf908ff02
  7. beep_print function from external/bsd/tcpdump/dist/print-beep.c, which is similar to CVE-2017-13010; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/877b66b398518d9501513e0860c9f3a8acc70892
  8. arp_print function from external/bsd/tcpdump/dist/print-arp.c, which is similar to CVE-2017-13013; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/13ab8d18617d616c7d343530f8a842e7143fb5cc
  9. ip_printroute and ip_optprint functions from external/bsd/tcpdump/dist/print-ip.c, which are similar to CVE-2017-13022; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/eee0b04bcfdae319c242b0b8fc3d07029ee65b8c
  10. pimv1_join_prune_print, cisco_autorp_print, pim_print, pimv2_addr_print and pimv2_print functions from external/bsd/tcpdump/dist/print-pim.c, which are similar to CVE-2017-13030; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/5dc1860d8267b1e0cb78c9ffa2a40bea2fdb3ddc
  11. ip_printts and ip_optprint functions from external/bsd/tcpdump/dist/print-ip.c, which are similar to CVE-2017-13037; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/2c2cfbd2b771ac888bc5c4a6d922f749d3822538
  12. mp_capable_print, mp_join_print, mp_dss_print and mp_dss_len functions from external/bsd/tcpdump/dist/print-mptcp.c, which are similar to CVE-2017-13040; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/4c3aee4bb0294c232d56b6d34e9eeb74f630fe8c
  13. arp_print function from external/bsd/tcpdump/dist/print-arp.c, which is similar to CVE-2016-7923; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/64f6392084ec0768b8afc04612eac0a458bc5e0d
  14. udp_print function from external/bsd/tcpdump/dist/print-udp.c, which is similar to CVE-2016-7934; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/cb922d07cce6574874b954555ebad4338748087b
  15. gre_print_0, gre_sre_print, gre_sre_ip_print, gre_sre_asn_print and gre_print_1 functions from external/bsd/tcpdump/dist/print-gre.c, which are similar to CVE-2016-7939; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/237efcf593ee369519e9dfdc9166702219dabfec
  16. stp_print_config_bpdu, stp_print_mstp_bpdu and stp_print_spb_bpdu functions from external/bsd/tcpdump/dist/print-stp.c, which are similar to CVE-2016-7940; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/968776fbf5cd65c7ea2168912bd9f4379727eb11
  17. bootp_print and tftp_print functions from external/bsd/tcpdump/dist/print-bootp.c and external/bsd/tcpdump/dist/print-tftp.c respectively, which are similar to CVE-2016-7983; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/7bf069c2517690262aacbddc437731af991b31a7
  18. atm_print function from external/bsd/tcpdump/dist/print-atm.c, which is similar to CVE-2017-5484; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/5d214e36eed3565fbdc0f9b527bbc33a6bb63972
  19. CMS_decrypt, pkcs7_decrypt_rinfo and PKCS7_dataDecode functions from crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c and crypto/external/bsd/openssl/dist/crypto/pkcs7/pk7_doit.c respectively, which are similar to CVE-2019-1563; the patch is https://github.com/openbsd/src/commit/0ae7bae487df98e77da13963066cff2e934b3561
  20. rsa_pss_decode function from crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c, which is similar to CVE-2015-3194; the patch is https://github.com/openbsd/src/commit/b97954594ed49e94c660cabd50519c08cb856eef
  21. asn1_template_noexp_d2i and ASN1_item_ex_d2i functions from crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c, which are similar to CVE-2015-3195; the patch is https://github.com/openbsd/src/commit/5280233330d90736333859831f435e1207b176bf
  22. _dopr, fmtstr, fmtint, fmtfp and doapr_outch functions from external/bsd/openssl/dist/crypto/bio/b_print.c, which are similar to CVE-2016-0799; the patch is https://github.com/openssl/openssl/commit/9cb177301fdab492e4cfef376b28339afe3ef663
  23. BN_hex2bn and BN_dec2bn functions from crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c, which are similar to CVE-2016-0797; the patch is https://github.com/openssl/openssl/commit/99ba9fd02fd481eb971023a3a0a251a37eb87e4c
  24. stp_print_mstp_bpdu and stp_print functions from external/bsd/tcpdump/dist/print-stp.c, which are similar to CVE-2017-11108; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/d9e65de3d94698ec90dbca42962a30dd2f0680e1
  25. asn1_template_ex_d2i and asn1_template_noexp_d2i functions from crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c, which are similar to CVE-2018-0739; the patch is https://github.com/openssl/openssl/commit/4cabbb9f485ba7d1edcfbbd2aa8610159f94543e
  26. aesni_cbc_hmac_sha1_cipher function from crypto/external/bsd/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c, which is similar to CVE-2016-2107; the patch is https://github.com/openssl/openssl/commit/70428eada9bc4cf31424d723d1f992baffeb0dfb
  27. MakeFilename function from external/bsd/tcpdump/dist/tcpdump.c, which is similar to CVE-2023-1801; the patch is https://github.com/the-tcpdump-group/tcpdump/commit/03c037bbd75588beba3ee09f26d17783d21e30bc
  28. krb5_pac_parse function from crypto/external/bsd/heimdal/dist/lib/krb5/pac.c, which is similar to CVE-2022-42898; the patch is https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583

We have preliminarily verified the correctness of the above list through static analysis. Could you help check whether these bugs are real? If they are, please try to fix them. The root cause of all of these vulnerabilities is that you use an old version of FreeBSD, so maybe you should try to update this submodule. Thank you for your effort and patience!

petershh commented 5 months ago

Hello,

1) You can keep all related issues in a single issue rather than creating multiple issues.

2) Minix does not use any FreeBSD code, and there are no submodules. Please fix your tool.

3) As I said in the issue you mentioned: in-tree software is heavily outdated; the pkgsrc version used by Minix is heavily outdated; Minix itself needs a lot of effort to become more secure and to allow software upgrades. For now, Minix should be considered insecure for production use. Fixing the vulnerabilities you have outlined will change nothing.

If you want to contribute to Minix in a more meaningful way, please take a look at a list stux has put together: https://groups.google.com/g/minix3/c/nUG1NwxXXkg .