misc/111066: Portaudit does not skip ports fixed listed in
portaudit.conf only FreeBSD-* are ignored
Hussain Ali
hali at datapipe.com
Sat Mar 31 18:50:04 UTC 2007
>Number: 111066
>Category: misc
>Synopsis: Portaudit does not skip ports fixed listed in portaudit.conf only FreeBSD-* are ignored
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 31 18:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Hussain Ali
>Release: FreeBSD4 - 7 (various versions)
>Organization:
Datapipe
>Environment:
FreeBSD <removed> 4.11-RELEASE-p16 FreeBSD 4.11-RELEASE-p16 #3: Fri Nov 3 03:10:58 EST 2006 root@<removed>:/usr/obj/usr/src/sys/EASYADMIN-SMP i386
FreeBSD <removed> 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #3: Fri Feb 17 18:23:59 EST 2006 <removed>:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Upon using the portaudit utility, it does not skip ports if we have applied a local patch to the port and listed it under portaudit_fixed.
All I could previously dig up on this was:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-June/016403.html
>How-To-Repeat:
Roll back your ports tree or use some installed vulnerable package. Add the VUID to port_fixed in portaudit.conf. Run portaudit, the port is still there. Example:
$ grep portaudit_fixed /usr/local/etc/portaudit.conf
portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7di 76562594-1f19-11db-b7d4-0008743bf21a"
$ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a
Affected package: ruby-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>
>Fix:
I am submitting a patch for the change request. I have added the -S (pkgSkip) flag to add this functionality. Sample run :
$ grep portaudit_fixed /usr/local/etc/portaudit.conf
portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d 76562594-1f19-11db-b7d4-0008743bf21a"
$ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a
Affected package: ruby-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>
$ portaudit -aS | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a | wc -l
0
Patch attached with submission follows:
diff -r work/portaudit-cmd.sh work.new/portaudit-cmd.sh
137c137
< BEGIN { vul=0; fixedre="'"$fixedre"'" }
---
> BEGIN { vul=0; fixedre="'"$fixedre"'";opt_pkgSkip="'"$opt_pkgSkip"'" }
148a149,151
> if ( opt_pkgSkip == "true" ) {
> if (fixedre && $2 ~ fixedre) next
> }
349a353
> opt_pkgSkip=false
355c359
< while getopts aCdf:Fqr:vVX: opt; do
---
> while getopts aCdf:Fqr:vSVX: opt; do
370a375,376
> S)
> opt_pkgSkip=true;;
378c384
< echo "Usage: $0 -aCdFVvq [-X days] [-r pattern] [-f file] [pkg-name ...]"
---
> echo "Usage: $0 -aCdFVvqS [-X days] [-r pattern] [-f file] [pkg-name ...]"
455a462,466
> fi
>
> if $opt_pkgSkip; then
> echo "portaudit: skipping ALL vulnerablities listed in portaudit.conf"
> opt_audit=true
diff -r work/portaudit.1 work.new/portaudit.1
89a90,92
> .It Fl S
> Additionaly skip package vulnerabilities listed in portaudit.conf. The
> default is to only skip FreeBSD vulnerabilites if defined.
diff -r work/portaudit.conf work.new/portaudit.conf
18,19c18,21
< # this vulnerability has been fixed in your FreeBSD version
< #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d"
---
> # this vulnerability has been fixed in your FreeBSD or port version (space, tab deliminated)
> #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d 594eb447-e398-11d9-a8bd-000cf18bbe54"
>
>
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list