[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freebsd-bugs
Subject:    misc/111066: Portaudit does not skip ports fixed listed in
From:       Hussain Ali<hali () datapipe ! com>
Date:       2007-03-31 18:40:22
Message-ID: 200703311840.l2VIeMu3067425 () www ! freebsd ! org
[Download RAW message or body]


> Number:         111066
> Category:       misc
> Synopsis:       Portaudit does not skip ports fixed listed in portaudit.conf only \
>                 FreeBSD-* are ignored
> Confidential:   no
> Severity:       non-critical
> Priority:       medium
> Responsible:    freebsd-bugs
> State:          open
> Quarter:        
> Keywords:       
> Date-Required:
> Class:          change-request
> Submitter-Id:   current-users
> Arrival-Date:   Sat Mar 31 18:50:03 GMT 2007
> Closed-Date:
> Last-Modified:
> Originator:     Hussain Ali
> Release:        FreeBSD4 - 7 (various versions)
> Organization:
Datapipe
> Environment:
FreeBSD <removed> 4.11-RELEASE-p16 FreeBSD 4.11-RELEASE-p16 #3: Fri Nov  3 03:10:58 \
EST 2006     root@<removed>:/usr/obj/usr/src/sys/EASYADMIN-SMP  i386

FreeBSD <removed> 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #3: Fri Feb 17 18:23:59 EST \
2006     <removed>:/usr/obj/usr/src/sys/GENERIC  i386

> Description:
Upon using the portaudit utility, it does not skip ports if we have applied a local \
patch to the  port and listed it under portaudit_fixed.

All I could previously dig up on this was: 
http://lists.freebsd.org/pipermail/freebsd-stable/2005-June/016403.html
> How-To-Repeat:
Roll back your ports tree or use some installed vulnerable package. Add the VUID to \
port_fixed in portaudit.conf. Run portaudit, the port is still there. Example: 

$ grep portaudit_fixed /usr/local/etc/portaudit.conf
portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7di \
76562594-1f19-11db-b7d4-0008743bf21a"

$ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a
Affected package: ruby-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>



> Fix:
I am submitting a patch for the change request. I have added the -S (pkgSkip) flag to \
add this functionality. Sample run : 

$ grep portaudit_fixed /usr/local/etc/portaudit.conf
portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d \
76562594-1f19-11db-b7d4-0008743bf21a"

$ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a
Affected package: ruby-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>


$ portaudit -aS | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a | wc -l
       0



Patch attached with submission follows:

diff -r work/portaudit-cmd.sh work.new/portaudit-cmd.sh
137c137
< 		BEGIN { vul=0; fixedre="'"$fixedre"'" }
---
> 		BEGIN { vul=0; fixedre="'"$fixedre"'";opt_pkgSkip="'"$opt_pkgSkip"'" }
148a149,151
> 			if ( opt_pkgSkip  == "true" ) {
> 				if (fixedre && $2 ~ fixedre) next
> 			}
349a353
> opt_pkgSkip=false
355c359
< while getopts aCdf:Fqr:vVX: opt; do
---
> while getopts aCdf:Fqr:vSVX: opt; do
370a375,376
> 	S)
> 		opt_pkgSkip=true;;
378c384
< 		echo "Usage: $0 -aCdFVvq [-X days] [-r pattern] [-f file] [pkg-name ...]"
---
> 		echo "Usage: $0 -aCdFVvqS [-X days] [-r pattern] [-f file] [pkg-name ...]"
455a462,466
> fi
> 
> if $opt_pkgSkip; then 
> 	echo "portaudit: skipping ALL vulnerablities listed in portaudit.conf"
> 	opt_audit=true
diff -r work/portaudit.1 work.new/portaudit.1
89a90,92
> .It Fl S
> Additionaly skip package vulnerabilities listed in portaudit.conf. The 
> default is to only skip FreeBSD vulnerabilites if defined.
diff -r work/portaudit.conf work.new/portaudit.conf
18,19c18,21
< # this vulnerability has been fixed in your FreeBSD version
< #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d"
---
> # this vulnerability has been fixed in your FreeBSD or port version (space, tab \
> deliminated) #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d \
> 594eb447-e398-11d9-a8bd-000cf18bbe54" 
> 

> Release-Note:
> Audit-Trail:
> Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic