Ports EOL vuxml entry

Tim Zingelman zingelman at fnal.gov
Wed Aug 24 04:12:00 UTC 2016


On Tue, 23 Aug 2016, Roger Marquis wrote:

>> There should be a way to state that the sysadmin is aware of the
>> outdated port and prevent pkg audit from reporting it
>
> Agreed though I expect such a report would see little use.

I maintain a local patch to preserve this functionality, which was in 
portaudit but not in pkg audit.  Perhaps not bulletproof, but simple 
enough to be sure it does what I want it to do.

Just drop the attached file into /usr/ports/ports-mgmt/pkg/files/ and put 
the VuXML IDs you want ignored into /usr/local/etc/portaudit.conf.
(It is easy enough to edit the patch if you prefer pkg.conf or another file.)

This allows the administrator to evaluate each vulnerability entry, 
decide if it affects a system or not, and document that decision.

There are issues with this solution when VuXML entries are edited after 
the fact to add new packages to the list, but it is better than nothing. 
(I'd argue that any such edits should require a new VuXML ID to be used.)

Hope this helps,

  - Tim
-------------- next part --------------
--- libpkg/pkg_audit.c.orig	2014-10-29 03:48:12.000000000 -0500
+++ libpkg/pkg_audit.c	2014-12-30 15:37:05.000000000 -0600
@@ -140,6 +140,8 @@
 	bool loaded;
 	void *map;
 	size_t len;
+	void *ignore;
+	size_t ignore_len;
 };
 
 
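Review bot: the two new struct fields carry no comment saying what they hold, and `void *ignore` is later passed to `strnstr()`, which expects a `const char *`. Suggest `const char *ignore; /* mmap()ed portaudit.conf, not NUL-terminated */` with `ignore_len` documented as its byte length, mirroring the `map`/`len` pair just above.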
@@ -802,6 +804,10 @@
 			if (fnmatch(e->pkgname, pkg->name, 0) != 0)
 				continue;
 
+			/* ignore by id in /usr/local/etc/portaudit.conf */
+			if (audit->ignore_len && strnstr(audit->ignore,e->id,audit->ignore_len))
+				continue;
+
 			if (pkg->version == NULL) {
 				/*
 				 * Assume that all versions should be checked
@@ -872,6 +878,21 @@
 	audit->len = st.st_size;
 	audit->loaded = true;
 
+	audit->ignore = 0;
+	audit->ignore_len = 0;
+	if (stat("/usr/local/etc/portaudit.conf", &st) == -1)
+		return (EPKG_OK);
+	if ((fd = open("/usr/local/etc/portaudit.conf", O_RDONLY)) == -1)
+		return (EPKG_OK);
+	if ((mem = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED) {
+		close(fd);
+		return (EPKG_OK);
+	}
+	close(fd);
+
+	audit->ignore = mem;
+	audit->ignore_len = st.st_size;
+
 	return (EPKG_OK);
 }
 
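Review bot: the ignore file is `stat()`ed by path and then `open()`ed separately, and the mapping is never released. Use `fstat(fd, &st)` after the `open()` so the size used for `mmap()` matches the file actually opened, and add a matching `munmap(audit->ignore, audit->ignore_len)` wherever `audit->map` is unmapped (not visible in this hunk), otherwise every audit run leaks the mapping. Minor points: `audit->ignore = 0;` should be `NULL` for a pointer, and an empty portaudit.conf makes `mmap()` fail with EINVAL, which this code quietly treats as "no ignore list"; that happens to be the desired outcome, but it deserves a comment.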

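As an added illustration, not part of Tim's patch or of pkg itself, here is a small line-oriented reader for a portaudit.conf-style ignore list. Unlike a plain substring search, it suppresses an entry only when the ID occupies a whole non-comment line, so an ID mentioned in a `#` comment or a partial ID leaves the entry reported. The function name `ignore_list_contains`, the sample file and the IDs in it are all constructed for the example; the IDs are placeholders, not real VuXML entries.

```c
/* Added example (not from Tim's patch or from pkg): exact, line-oriented
 * matching of VuXML IDs against a portaudit.conf-style ignore list.
 * Sample data is constructed; the IDs are placeholders, not real entries. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true if `id` appears as a complete non-comment line of `conf`,
 * a buffer of `len` bytes that need not be NUL-terminated (as an
 * mmap()ed file would be).  Surrounding blanks and a trailing
 * "# reason" comment on the line are ignored. */
bool ignore_list_contains(const char *conf, size_t len, const char *id)
{
    size_t idlen = strlen(id);
    size_t pos = 0;

    while (pos < len) {
        /* isolate one line */
        size_t end = pos;
        while (end < len && conf[end] != '\n')
            end++;
        const char *line = conf + pos;
        size_t n = end - pos;
        pos = end + 1;

        /* drop a trailing comment, then surrounding whitespace */
        for (size_t i = 0; i < n; i++)
            if (line[i] == '#') { n = i; break; }
        while (n > 0 && isspace((unsigned char)line[0])) { line++; n--; }
        while (n > 0 && isspace((unsigned char)line[n - 1])) n--;

        if (n == 0)
            continue;                       /* blank or comment-only line */
        if (n == idlen && memcmp(line, id, idlen) == 0)
            return true;                    /* exact whole-line match */
    }
    return false;
}

/* Constructed ignore file: two suppressed IDs, one commented out.
 * A substring search would also match the commented-out one. */
static const char sample_conf[] =
    "# portaudit.conf - VuXML IDs this host has evaluated (constructed)\n"
    "aaaaaaaa-0000-1111-2222-333333333333   # placeholder: not reachable here\n"
    "# bbbbbbbb-0000-1111-2222-444444444444  commented out, still reported\n"
    "  cccccccc-0000-1111-2222-555555555555\n";

int main(void)
{
    const char *ids[] = {
        "aaaaaaaa-0000-1111-2222-333333333333",
        "bbbbbbbb-0000-1111-2222-444444444444",
        "cccccccc-0000-1111-2222-555555555555",
        "aaaaaaaa-0000-1111-2222",          /* partial ID, must not match */
    };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("%s: %s\n", ids[i],
               ignore_list_contains(sample_conf, sizeof sample_conf - 1, ids[i])
                   ? "ignored" : "reported");
    return 0;
}
```

The caller would pass the mapped ignore file and its length in place of `sample_conf`; because the match is per line, a commented reason can sit beside each ID, which is the "document that decision" part of the mail.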