security issues in Ports and VuXML

Oliver Eikemeier eikemeier at fillmore-labs.com
Thu Feb 12 17:36:32 PST 2004


Ion-Mihai Tetcu wrote:

> On Thu, 12 Feb 2004 08:45:22 -0600
> "Jacques A. Vidrine" <nectar at FreeBSD.org> wrote:
> 
>>Hello Porters!
>>
>>If you know of security issues for ports that you maintain,
>>please make an effort to include those issues in the VuXML file
>>(ports/security/vuxml/vuln.xml).  You can either use existing entries
>>as examples, or if you are completely lost you can just email
>>security-team at FreeBSD.org with your information.
> 
> What is the relation between this and ports/security/portaudit which has
> been recently added to the ports infrastructure ?

Both ports deal with known security vulnerabilities in the FreeBSD system:
VuXML is a generic database format for the whole system including the base
system, portaudit a framework to check if a FreeBSD port is listed in a
vulnerability database, including a more stringent version number definition,
a database distribution system and checking during install time.

As far as I understand the focus of portaudit and VuXML, they are complementing
projects.

In the current state portaudit uses a simple flat file database since I needed
something to start with and wanted a format that is common to port committers
(similar to MOVED), but the system is more or less database format agnostic.
Because the distribution file is a simple tar file it is easy to distribute the
VuXML database along with the flat file database, or even add signatures.

If we decide that the VuXML format is better suited for the job than a flat
file database it is easy to integrate it into portaudit in the long run, I
have to look into security/vuxml to see what is the best way to synchronize
the databases.

It is great to see security-team@ support for port security auditing, and I would like
to involve more people in the project. Currently portaudit is in a development and
learning phase, and issues I'm working on are:

- a better distribution system, e.g. a script that finds the nearest mirror of
  the database and fetches the file from there, not from a random location,
  integrating PR 62655.

- a checksum system that checks if a new database is available by just fetching an
  md5 sum or a date and not the whole database, like the way clamav does it.

- a push mechanism that informs systems (by email?) that an updated database is
  available instead of waiting for the next scheduled check.

- integration of the system into pkg_add of sysutils/pkg_install-devel

- an evaluation if it makes sense to integrate expat-based tools in the periodic
  and bsd.port.mk check, or if it is better to convert to the VuXML database for
  distribution.

- a flat file -> VuXML converter. That should be easy.

- a VuXML -> flat file converter, to see how it fits into the structure. One thing
  that can be problematic here is the copyright notice, because it makes most XML
  tools hard to use.

I appreciate every contribution or feedback that helps us to bring portaudit and
VuXML to a 1.0 status. That includes keeping ports/security/portaudit/database/auditfile.txt
and ports/security/vuxml/vuln.xml up to date, since this is the only way we can
test and improve the system to bring it closer to a release status.

-Oliver
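The check-before-fetch update scheme mentioned in the message above (fetch only a small md5 sum first, download the whole database only when it changed, then verify the download), written out as an added example; this is not portaudit's own code, and the mirror object, file names and sample database contents are constructed stand-ins so it runs offline.

```python
"""Check-before-fetch update for a vulnerability database (added example)."""
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex md5 digest of the database file, as a mirror would publish it."""
    return hashlib.md5(data).hexdigest()


class Mirror:
    """Constructed stand-in for a remote mirror: serves the database and its
    advertised checksum, and records which files were requested."""

    def __init__(self, database: bytes):
        self.files = {}
        self.fetches = []
        self.publish(database)

    def publish(self, database: bytes):
        # Hypothetical file names; a real mirror would pick its own.
        self.files["auditfile.tbz"] = database
        self.files["auditfile.tbz.md5"] = (md5_hex(database) + "\n").encode()

    def fetch(self, name: str) -> bytes:
        self.fetches.append(name)
        return self.files[name]


def update_database(mirror: Mirror, local_db):
    """Return (database, fetched_full).

    Fetch only the advertised md5 first; skip the full download when the
    local copy already matches. When a download is needed, reject it if it
    does not match the advertised sum (truncated or stale mirror copy).
    Note: an md5 sum only detects corruption or a stale file; it does not
    authenticate the mirror, which is what the signatures mentioned in the
    message would add.
    """
    advertised = mirror.fetch("auditfile.tbz.md5").decode().split()[0]
    if local_db is not None and md5_hex(local_db) == advertised:
        return local_db, False  # up to date; only the small checksum file was fetched
    data = mirror.fetch("auditfile.tbz")
    if md5_hex(data) != advertised:
        raise ValueError("downloaded database does not match advertised md5 sum")
    return data, True
```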
