From dan at langille.org  Tue Oct  5 17:03:02 2004
From: dan at langille.org (Dan Langille)
Date: Tue Oct  5 17:03:04 2004
Subject: cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <200410051454.i95EsRRt051566@repoman.freebsd.org>
References: <200410051454.i95EsRRt051566@repoman.freebsd.org>
Message-ID: <20041005200205.C93568@xeon.unixathome.org>

On Tue, 5 Oct 2004, Jacques Vidrine wrote:

> nectar      2004-10-05 14:54:27 UTC
>
>   FreeBSD ports repository
>
>   Modified files:
>     security/vuxml       vuln.xml
>   Log:
>   Note that older packages of bmon were dangerously installed set-user-ID.

Are these commits automagically appearing in beta.freshports.org now?
They should be.  I don't have time to verify just now.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
From nectar at FreeBSD.org  Fri Oct  8 09:54:26 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Fri Oct  8 09:54:27 2004
Subject: cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <20041005200205.C93568@xeon.unixathome.org>
References: <200410051454.i95EsRRt051566@repoman.freebsd.org>
	<20041005200205.C93568@xeon.unixathome.org>
Message-ID: <20041008165401.GJ79893@madman.celabo.org>

On Tue, Oct 05, 2004 at 08:02:51PM -0400, Dan Langille wrote:
> On Tue, 5 Oct 2004, Jacques Vidrine wrote:
> 
> > nectar      2004-10-05 14:54:27 UTC
> >
> >   FreeBSD ports repository
> >
> >   Modified files:
> >     security/vuxml       vuln.xml
> >   Log:
> >   Note that older packages of bmon were dangerously installed set-user-ID.
> 
> Are these commits automagically appearing in beta.freshports.org now?
> They should be.  I don't have time to verify just now.

Hi Dan!

It seems not ... http://www.freshports.org/net/bmon/ does not have any
of the skull icons.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
From dan at langille.org  Fri Oct  8 16:13:55 2004
From: dan at langille.org (Dan Langille)
Date: Fri Oct  8 16:13:57 2004
Subject: cvs commit: ports/security/vuxml vuln.xml
In-Reply-To: <20041008165401.GJ79893@madman.celabo.org>
References: <200410051454.i95EsRRt051566@repoman.freebsd.org>
	<20041008165401.GJ79893@madman.celabo.org>
Message-ID: <20041008191322.P1418@xeon.unixathome.org>

On Fri, 8 Oct 2004, Jacques A. Vidrine wrote:

> On Tue, Oct 05, 2004 at 08:02:51PM -0400, Dan Langille wrote:
> > On Tue, 5 Oct 2004, Jacques Vidrine wrote:
> >
> > > nectar      2004-10-05 14:54:27 UTC
> > >
> > >   FreeBSD ports repository
> > >
> > >   Modified files:
> > >     security/vuxml       vuln.xml
> > >   Log:
> > >   Note that older packages of bmon were dangerously installed set-user-ID.
> >
> > Are these commits automagically appearing in beta.freshports.org now?
> > They should be.  I don't have time to verify just now.
>
> Hi Dan!
>
> It seems not ... http://www.freshports.org/net/bmon/ does not have any
> of the skull icons.

Good!

But http://beta.freshports.org/net/bmon/ does!

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
From dan at langille.org  Sun Oct 17 17:13:10 2004
From: dan at langille.org (Dan Langille)
Date: Sun Oct 17 17:13:11 2004
Subject: can portaudit report a fixed date/version?
Message-ID: <20041017201037.V55729@xeon.unixathome.org>

Hi folks:

I have portaudit installed.  Each morning I get notified if there are any
vulnerabilities that I should know about.  That's good.

I think portaudit should also tell me if it knows there is a fix available
in the tree.  That would immediately tell me that I can cvsup and get the
problem fixed.

Comments?

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
From nectar at FreeBSD.org  Tue Oct 19 08:00:18 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Tue Oct 19 08:00:43 2004
Subject: can portaudit report a fixed date/version?
In-Reply-To: <20041017201037.V55729@xeon.unixathome.org>
References: <20041017201037.V55729@xeon.unixathome.org>
Message-ID: <20041019145952.GA22119@madman.celabo.org>

On Sun, Oct 17, 2004 at 08:13:02PM -0400, Dan Langille wrote:
> Hi folks:
> 
> I have portaudit installed.  Each morning I get notified if there are any
> vulnerabilities that I should know about.  That's good.
> 
> I think portaudit should also tell me if it knows there is a fix available
> in the tree.  That would immediately tell me that I can cvsup and get the
> problem fixed.
> 
> Comments?

The VuXML format contains only which packages are affected, and not
an direct indicator whether or not a fix has been applied.  This is
by design.  Including that information would be redundant.  From
VuXML, you know what package versions are affected.  From the Ports
Collection, you know what package versions are available.

A tool such as portaudit could compute whether a fix is available or
not for you.  It might be a nice feature.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
From dan at langille.org  Tue Oct 19 13:41:02 2004
From: dan at langille.org (Dan Langille)
Date: Tue Oct 19 13:41:04 2004
Subject: can portaudit report a fixed date/version?
In-Reply-To: <20041019145952.GA22119@madman.celabo.org>
References: <20041017201037.V55729@xeon.unixathome.org>
 <20041019145952.GA22119@madman.celabo.org>
Message-ID: <20041019163753.U74644@xeon.unixathome.org>

On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:

> On Sun, Oct 17, 2004 at 08:13:02PM -0400, Dan Langille wrote:
> > Hi folks:
> >
> > I have portaudit installed.  Each morning I get notified if there are any
> > vulnerabilities that I should know about.  That's good.
> >
> > I think portaudit should also tell me if it knows there is a fix available
> > in the tree.  That would immediately tell me that I can cvsup and get the
> > problem fixed.
> >
> > Comments?
>
> The VuXML format contains only which packages are affected, and not
> an direct indicator whether or not a fix has been applied.  This is
> by design.  Including that information would be redundant.  From
> VuXML, you know what package versions are affected.  From the Ports
> Collection, you know what package versions are available.

My thoughts were that an additional field could easily be added that
indicated whether or not a fix had been applied to the Ports Collection.
This would enabled portaudit to report immediately.

> A tool such as portaudit could compute whether a fix is available or
> not for you.  It might be a nice feature.

It would be a useful feature.  It would save many admins quite a bit of
time.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
From nectar at FreeBSD.org  Tue Oct 19 14:33:55 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine)
Date: Tue Oct 19 14:34:56 2004
Subject: can portaudit report a fixed date/version?
In-Reply-To: <20041019163753.U74644@xeon.unixathome.org>
References: <20041017201037.V55729@xeon.unixathome.org>
	<20041019145952.GA22119@madman.celabo.org>
	<20041019163753.U74644@xeon.unixathome.org>
Message-ID: <20041019213329.GB45466@madman.celabo.org>

On Tue, Oct 19, 2004 at 04:41:01PM -0400, Dan Langille wrote:
> My thoughts were that an additional field could easily be added

It could be easily added, but I'm not sure that it would be easily
maintained.  Today, we can fairly accurately predict what currently
non-existent versions of the port will be fixed when we fill out
<affects>.  That means that in the vast majority of cases, when the
port has been fixed, no one needs to do anything special: the new
version automatically shows up as not affected.  If we make this
explicit instead, then it is extra work.  Additionally, there is the
evil of duplicating data, which I mostly want to avoid.

But, why not throw out a strawman example of what you mean so that we
can get more discussion going about it?

> that indicated whether or not a fix had been applied to the Ports
> Collection.  This would enabled portaudit to report immediately.
>
> > A tool such as portaudit could compute whether a fix is available or
> > not for you.  It might be a nice feature.
> 
> It would be a useful feature.

Maybe the portaudit author will add it.  It is mostly trivial.  I can,
however, think of at least one edge case where it is *not* trivial---
e.g. the `fix' involves a change in the package name.

> It would save many admins quite a bit of time.

How so?  (serious question)

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
From dan at langille.org  Tue Oct 19 17:32:15 2004
From: dan at langille.org (Dan Langille)
Date: Tue Oct 19 17:32:45 2004
Subject: can portaudit report a fixed date/version?
In-Reply-To: <20041019213329.GB45466@madman.celabo.org>
References: <20041017201037.V55729@xeon.unixathome.org>
	<20041019163753.U74644@xeon.unixathome.org>
	<20041019213329.GB45466@madman.celabo.org>
Message-ID: <20041019202849.Q99899@xeon.unixathome.org>

On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:

> > It would save many admins quite a bit of time.
>
> How so?  (serious question)

I don't have time just now to answer the other questions but I can answer
this one.

Portaudit tells me that port xyz is vulnerable.  But there there is no
fix.  How do I know when there is a fix?  Only by checking FreshPorts, cvs
logs, the ports tree, trying to install the port, portupgrade, etc.  I
could do this daily for days without a fix.

Instead, if portaudit reported that port xyz is vulernable and that there
is a fix (if there actually is a fix), then all I need to do is monitor my
daily security email that automagically includes the output of portaudit.
I can then instantly know that it's time to run portupgrade on port xyz.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
From simon at FreeBSD.org  Mon Oct 25 02:07:14 2004
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Mon Oct 25 02:07:17 2004
Subject: can portaudit report a fixed date/version?
In-Reply-To: <20041019202849.Q99899@xeon.unixathome.org>
References: <20041017201037.V55729@xeon.unixathome.org>
	<20041019163753.U74644@xeon.unixathome.org>
	<20041019213329.GB45466@madman.celabo.org>
	<20041019202849.Q99899@xeon.unixathome.org>
Message-ID: <20041025090710.GA767@zaphod.nitro.dk>

On 2004.10.19 20:32:13 -0400, Dan Langille wrote:
> On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:
> 
> > > It would save many admins quite a bit of time.
> >
> > How so?  (serious question)
> 
> I don't have time just now to answer the other questions but I can answer
> this one.
> 
> Portaudit tells me that port xyz is vulnerable.  But there there is no
> fix.  How do I know when there is a fix?  Only by checking FreshPorts, cvs
> logs, the ports tree, trying to install the port, portupgrade, etc.  I
> could do this daily for days without a fix.
> 
> Instead, if portaudit reported that port xyz is vulernable and that there
> is a fix (if there actually is a fix), then all I need to do is monitor my
> daily security email that automagically includes the output of portaudit.
> I can then instantly know that it's time to run portupgrade on port xyz.

Since I really didn't think this should be that hard to do I made
simple proof-of-concept patch to implement this.  It is currently an
ugly hack, but it works (well, in most cases it should anyway).  It
requires an updated INDEX-5 to be on the system.

I don't have the time to make a proper patch at the moment, but I will
perhaps next week... I mainly post the current patch here for
inspiration if somebody else would like to play with this further.

-- 
Simon L. Nielsen
FreeBSD Documentation Team
-------------- next part --------------
Index: files/portaudit-cmd.sh
===================================================================
RCS file: /home/ncvs/ports/security/portaudit/files/portaudit-cmd.sh,v
retrieving revision 1.11
diff -u -d -r1.11 portaudit-cmd.sh
--- files/portaudit-cmd.sh	3 Sep 2004 20:30:54 -0000	1.11
+++ files/portaudit-cmd.sh	25 Oct 2004 08:57:32 -0000
@@ -31,6 +31,13 @@
 # $FreeBSD: ports/security/portaudit/files/portaudit-cmd.sh,v 1.11 2004/09/03 20:30:54 eik Exp $
 #
 
+# WARNING: This is a hacked proof-of-concept version by
+# Simon L. Nielsen <simon@FreeBSD.org>.
+#
+# DO NOT USE THIS UNLESS YOU KNOW WHAT YOU ARE DOING!
+
+INDEX="/usr/ports/INDEX-5"
+
 portaudit_confs()
 {
 	: ${portaudit_dir="%%DATABASEDIR%%"}
@@ -125,6 +132,11 @@
 	return 0
 }
 
+# The actual check for the current version from INDEX should be
+# something like this... :
+# 
+# curvercmd="egrep \'^[^|]+\|/usr/ports/" origin "\|\'" "/usr/ports/INDEX-5"
+
 audit_installed()
 {
 	local rc=0
@@ -148,6 +160,21 @@
 			cmd="'"$pkg_info"' -E \"" $1 "\""
 			while((cmd | getline pkg) > 0) {
 				vul++
+				origincmd="'"$pkg_info"' -oq " pkg
+				if (origincmd | getline origin) {
+					curvercmd="egrep /usr/ports/" origin " '"$INDEX"'"
+					if (curvercmd | getline curverline) {
+						split(curverline, a, "|")
+						curver=a[1]
+						if (! system("portaudit -q " curver)) {
+							print "Fixed version " curver " found."
+						} else {
+							print "Fixed version not found."
+						}
+					}
+					close(curvercmd)
+				}
+				close(origincmd)
 				print_affected(pkg, "")
 			}
 			close(cmd)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-vuxml/attachments/20041025/7bbb2da2/attachment.bin