Date:      Wed, 28 Jan 2004 20:11:53 +0100
From:      Oliver Eikemeier <eikemeier@fillmore-labs.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/62039: [PATCH] bsd.port.mk: don't install vulnerable ports
Message-ID:  <40180979.6000905@fillmore-labs.com>
Resent-Message-ID: <200401281920.i0SJKHUI007296@freefall.freebsd.org>


>Number:         62039
>Category:       ports
>Synopsis:       [PATCH] bsd.port.mk: don't install vulnerable ports
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 28 11:20:17 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Oliver Eikemeier
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.9-STABLE

>Description:

- Don't install ports listed in the portaudit vulnerability database
- Choose ${LOCALBASE}/sbin/pkg_* when installed on systems > 4.6

>How-To-Repeat:

Apply the patch below to bsd.port.mk

cd /usr/ports/security/portaudit; make install
/usr/local/etc/periodic/daily/330.fetchaudit
cd /usr/ports/security/vulnerability-test-port
make INSTALLATION_DATE=`date -u -v-14d "+%Y.%m.%d"` install

===>  vulnerability-test-port-2004.01.14 has known vulnerabilities:
>Fix:

--- bsd.port.mk.orig	Sun Jan 25 19:44:54 2004
+++ bsd.port.mk	Wed Jan 28 19:45:47 2004
@@ -2011,24 +2011,25 @@
 PKGORIGIN?=		${PKGCATEGORY}/${PORTDIRNAME}
 .endif
 
-.if ${OSVERSION} < 460102 && ${PKGORIGIN} != "sysutils/pkg_install"
-BUILD_DEPENDS+=	${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install
 .if exists(${LOCALBASE}/sbin/pkg_info)
 PKG_CMD?=		${LOCALBASE}/sbin/pkg_create
 PKG_ADD?=		${LOCALBASE}/sbin/pkg_add
 PKG_DELETE?=	${LOCALBASE}/sbin/pkg_delete
 PKG_INFO?=		${LOCALBASE}/sbin/pkg_info
+PKG_VERSION?=		${LOCALBASE}/sbin/pkg_version
+.elif ${OSVERSION} < 460102 && ${PKGORIGIN} != "sysutils/pkg_install"
+BUILD_DEPENDS+=	${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install
+PKG_CMD?=		${LOCALBASE}/sbin/pkg_create
+PKG_ADD?=		${LOCALBASE}/sbin/pkg_add
+PKG_DELETE?=	${LOCALBASE}/sbin/pkg_delete
+PKG_INFO?=		${LOCALBASE}/sbin/pkg_info
+PKG_VERSION?=		${LOCALBASE}/sbin/pkg_version
 .else
 PKG_CMD?=		/usr/sbin/pkg_create
 PKG_ADD?=		/usr/sbin/pkg_add
 PKG_DELETE?=	/usr/sbin/pkg_delete
 PKG_INFO?=		/usr/sbin/pkg_info
-.endif
-.else
-PKG_CMD?=		/usr/sbin/pkg_create
-PKG_ADD?=		/usr/sbin/pkg_add
-PKG_DELETE?=	/usr/sbin/pkg_delete
-PKG_INFO?=		/usr/sbin/pkg_info
+PKG_VERSION?=		/usr/sbin/pkg_version
 .endif
 
 # Does the pkg_create tool support conflict checking?
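Review bot: The new first branch `.if exists(${LOCALBASE}/sbin/pkg_info)` drops the `${PKGORIGIN} != "sysutils/pkg_install"` exclusion that the old condition carried, so building sysutils/pkg_install itself on a system that already has the LOCALBASE tools would now drive its own add/delete steps with the very binaries it is replacing; presumably that self-reference is what the original guard avoided. Keeping the exclusion on the `exists()` branch restores the old behaviour for that one port: `.if exists(${LOCALBASE}/sbin/pkg_info) && ${PKGORIGIN} != "sysutils/pkg_install"`. A comment above the block stating the intended precedence (installed LOCALBASE tools first, then a build dependency on old systems, else the base tools) would also help, since the three branches now have nearly identical bodies.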
@@ -2999,6 +3000,43 @@
 .endif
 .endif
 
+# Check if the port is listed in the vulnerability database
+
+.if ${PKGINSTALLVER} < 20040125 || ${OSVERSION} < 420001 || ${OSVERSION} >= 500000 && ${OSVERSION} < 500014
+DISABLE_VULNERABILITIES=	yes
+.endif
+
+AUDITFILE?=		/var/db/portaudit/auditfile.tbz
+_EXTRACT_AUDITFILE=	${TAR} -jxOf "${AUDITFILE}" auditfile
+
+check-vulnerable:
+.if !defined(DISABLE_VULNERABILITIES) && !defined(PACKAGE_BUILDING)
+	@if [ -f "${AUDITFILE}" ]; then \
+		audit_created=`${_EXTRACT_AUDITFILE} | \
+        		${SED} -nEe "1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$$/\1\2\3/p"`; \
+		audit_expiry=`date -u -v-14d "+%Y%m%d"`; \
+		if [ "$$audit_created" -lt "$$audit_expiry" ]; then \
+			${ECHO_MSG} "===>  WARNING: Vulnerability database out of date, checking anyway"; \
+		fi; \
+		vlist=`${_EXTRACT_AUDITFILE} | ${AWK} -F\| ' \
+			/^[^#]/ { \
+				if (!system("${PKG_VERSION} -T \"${PKGNAME}\" \"" $$1 "\"")) \
+					print ">> " $$3 ".\n   Reference: <" $$2 ">" \
+			} \
+		'`; \
+		if [ -n "$$vlist" ]; then \
+			${ECHO_MSG} "===>  ${PKGNAME} has known vulnerabilities:"; \
+			${ECHO_MSG} "$$vlist"; \
+			${ECHO_MSG} ">> Please update your ports tree and try again."; \
+			exit 1; \
+		fi; \
+	else \
+		${ECHO_MSG} "===>  Vulnerability check disabled, database not found"; \
+	fi
+.else
+	@${ECHO_MSG} "===>  Vulnerability check disabled"
+.endif
+
 # Fetch
 
 .if !target(do-fetch)
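Review bot: In `check-vulnerable` the first `|`-separated field of every non-comment record in the audit file is spliced into a shell command line by awk's `system("${PKG_VERSION} -T \"${PKGNAME}\" \"" $$1 "\"")`, with only double quotes around it; the database is fetched by a periodic script (per How-To-Repeat), so a field containing a double quote, backquote or `$` would be interpreted by the shell rather than passed to pkg_version as a pattern. Rejecting records whose pattern contains anything outside the characters the pkg_version pattern syntax needs, before calling system(), closes that path: `if ($$1 !~ /^[A-Za-z0-9_.,<>=*?{}+-]+$$/) next;` as the first statement of the action (widen the class if the pattern syntax requires more). Separately, `[ "$$audit_created" -lt "$$audit_expiry" ]` becomes a non-numeric comparison when the `#CREATED:` line is missing or does not match the sed expression, so the staleness warning is silently skipped; `if [ -z "$$audit_created" ] || [ "$$audit_created" -lt "$$audit_expiry" ]; then` would warn in that case as well.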
@@ -3668,7 +3706,7 @@
 
 _SANITY_SEQ=		pre-everything check-makefile check-categories \
 			check-makevars check-depends check-deprecated \
-			buildanyway-message options-message
+			check-vulnerable buildanyway-message options-message
 _FETCH_DEP=		check-sanity
 _FETCH_SEQ=		fetch-depends pre-fetch pre-fetch-script \
 				do-fetch post-fetch post-fetch-script


>Release-Note:
>Audit-Trail:
>Unformatted:
 >> Not vulnerable, just a test port (database: 2004-01-28).
    Reference: <http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vulnerability-test-port/>;
 >> Please update your ports tree and try again.
 *** Error code 1
 
 Stop in /usr/ports/security/vulnerability-test-port.
 


