Date:      Mon, 25 Oct 2004 11:07:11 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Dan Langille <dan@langille.org>
Cc:        freebsd-vuxml@freebsd.org
Subject:   Re: can portaudit report a fixed date/version?
Message-ID:  <20041025090710.GA767@zaphod.nitro.dk>
In-Reply-To: <20041019202849.Q99899@xeon.unixathome.org>
References:  <20041017201037.V55729@xeon.unixathome.org> <20041019163753.U74644@xeon.unixathome.org> <20041019213329.GB45466@madman.celabo.org> <20041019202849.Q99899@xeon.unixathome.org>

On 2004.10.19 20:32:13 -0400, Dan Langille wrote:
> On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:
>
> > > It would save many admins quite a bit of time.
> >
> > How so?  (serious question)
>
> I don't have time just now to answer the other questions but I can answer
> this one.
>
> Portaudit tells me that port xyz is vulnerable.  But there is no
> fix.  How do I know when there is a fix?  Only by checking FreshPorts, cvs
> logs, the ports tree, trying to install the port, portupgrade, etc.  I
> could do this daily for days without a fix.
>
> Instead, if portaudit reported that port xyz is vulnerable and that there
> is a fix (if there actually is a fix), then all I need to do is monitor my
> daily security email that automagically includes the output of portaudit.
> I can then instantly know that it's time to run portupgrade on port xyz.

Since I really didn't think this should be that hard to do, I made a
simple proof-of-concept patch to implement this.  It is currently an
ugly hack, but it works (well, in most cases it should anyway).  It
requires an updated INDEX-5 to be on the system.

I don't have the time to make a proper patch at the moment, but I will
perhaps next week... I mainly post the current patch here for
inspiration if somebody else would like to play with this further.

-- 
Simon L. Nielsen
FreeBSD Documentation Team

Attachment: portaudit-HACK-fix-avail.patch

Index: files/portaudit-cmd.sh
===================================================================
RCS file: /home/ncvs/ports/security/portaudit/files/portaudit-cmd.sh,v
retrieving revision 1.11
diff -u -d -r1.11 portaudit-cmd.sh
--- files/portaudit-cmd.sh	3 Sep 2004 20:30:54 -0000	1.11
+++ files/portaudit-cmd.sh	25 Oct 2004 08:57:32 -0000
@@ -31,6 +31,13 @@
 # $FreeBSD: ports/security/portaudit/files/portaudit-cmd.sh,v 1.11 2004/09/03 20:30:54 eik Exp $
 #
 
+# WARNING: This is a hacked proof-of-concept version by
+# Simon L. Nielsen <simon@FreeBSD.org>.
+#
+# DO NOT USE THIS UNLESS YOU KNOW WHAT YOU ARE DOING!
+
+INDEX="/usr/ports/INDEX-5"
+
 portaudit_confs()
 {
 	: ${portaudit_dir="%%DATABASEDIR%%"}
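Review bot: `INDEX="/usr/ports/INDEX-5"` is a hard-coded global dropped in front of `portaudit_confs()`, which is where the script keeps its other defaults as overridable `: ${portaudit_...=...}` settings. Make it a setting there, e.g. `: ${portaudit_index="/usr/ports/INDEX-5"}`, so a non-default PORTSDIR or INDEX version can be overridden from the config, and have the script fail with a clear message when the file is absent or stale, since the cover message says an updated INDEX-5 is required for the new check to work.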
@@ -125,6 +132,11 @@
 	return 0
 }
 
+# The actual check for the current version from INDEX should be
+# something like this... :
+# 
+# curvercmd="egrep \'^[^|]+\|/usr/ports/" origin "\|\'" "/usr/ports/INDEX-5"
+
 audit_installed()
 {
 	local rc=0
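Review bot: this commented-out `curvercmd` sketch is the right idea and should be the code that actually runs rather than a comment: anchoring on `^[^|]+\|/usr/ports/<origin>\|` restricts the match to the port-path field, whereas the lookup implemented later in `audit_installed()` is unanchored. The sketch also hard-codes `/usr/ports/INDEX-5` again instead of using the `$INDEX` variable introduced at the top of the file. Either implement the anchored form or drop the comment so the comment and the real lookup do not drift apart.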
@@ -148,6 +160,21 @@
 			cmd="'"$pkg_info"' -E \"" $1 "\""
 			while((cmd | getline pkg) > 0) {
 				vul++
+				origincmd="'"$pkg_info"' -oq " pkg
+				if (origincmd | getline origin) {
+					curvercmd="egrep /usr/ports/" origin " '"$INDEX"'"
+					if (curvercmd | getline curverline) {
+						split(curverline, a, "|")
+						curver=a[1]
+						if (! system("portaudit -q " curver)) {
+							print "Fixed version " curver " found."
+						} else {
+							print "Fixed version not found."
+						}
+					}
+					close(curvercmd)
+				}
+				close(origincmd)
 				print_affected(pkg, "")
 			}
 			close(cmd)
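Review bot: the `egrep /usr/ports/" origin "` lookup is an unanchored substring match, so an origin such as `www/foo` also matches the INDEX line for `www/foo-devel` (or any other port whose path starts the same way), and because only the first `getline` result is used, `curver` can be the package name of the wrong port; the origin is also interpreted as a regular expression rather than a literal string. Use the anchored pattern from the comment above `audit_installed()` (`'^[^|]+\|/usr/ports/" origin "\|'`) or, better, compare the second `|`-separated field exactly. Two smaller points: `if (origincmd | getline origin)` treats getline's `-1` error return as success, so test `> 0` as the surrounding `while` does; and the "Fixed version ..." line is printed before `print_affected(pkg, "")`, so the verdict appears above the package it refers to.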

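The INDEX lookup the patch sketches, written out as an added example (it is not code from this message or from portaudit itself): a POSIX sh function that resolves a port origin to the package name currently listed in INDEX by comparing the port-path field exactly, plus a wrapper that reports whether the tree carries a different version from the one installed. The INDEX lines, origins and package names are constructed sample data; the INDEX path is taken as a parameter rather than hard-coded. The resulting candidate name is what the patch then hands to `portaudit -q`; that step is left to portaudit and is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the original message or of portaudit.
# Resolves a port origin to the package name listed in a ports INDEX file.

# Constructed sample in the pipe-separated INDEX format. Only the first
# two fields matter here: pkgname|/usr/ports/<origin>|...
INDEXFILE=$(mktemp) || exit 1
trap 'rm -f "$INDEXFILE"' EXIT
cat > "$INDEXFILE" <<'EOF'
foo-1.2.3|/usr/ports/www/foo|/usr/local|Foo web thing|/usr/ports/www/foo/pkg-descr|x@example.org|www||||http://example.org/
foo-devel-1.3.0_1|/usr/ports/www/foo-devel|/usr/local|Foo devel|/usr/ports/www/foo-devel/pkg-descr|x@example.org|www||||
bar-0.9|/usr/ports/net/bar|/usr/local|Bar|/usr/ports/net/bar/pkg-descr|y@example.org|net||||
EOF

# index_pkgname ORIGIN INDEXFILE
# Print the package name whose port-path field equals /usr/ports/ORIGIN.
# Comparing the whole field (not a substring, not a regex) means www/foo
# does not also match www/foo-devel, and characters in the origin are
# never interpreted as pattern metacharacters.
index_pkgname() {
    awk -F'|' -v want="/usr/ports/$1" '$2 == want { print $1; exit }' "$2"
}

# candidate_fix INSTALLED_PKGNAME ORIGIN INDEXFILE
# Print the INDEX package name when it differs from the installed one
# (the candidate to check with "portaudit -q"); print nothing and return 1
# when the tree still has the same version, or 2 when the origin is unknown.
candidate_fix() {
    cand=$(index_pkgname "$2" "$3")
    [ -n "$cand" ] || return 2
    [ "$cand" != "$1" ] || return 1
    printf '%s\n' "$cand"
}

# Demonstration on the constructed data (installed package, origin).
for spec in "foo-1.2.2 www/foo" "foo-1.2.3 www/foo" "bar-0.9 www/foo-devel" "baz-1.0 www/baz"; do
    set -- $spec
    cand=$(candidate_fix "$1" "$2" "$INDEXFILE")
    rc=$?
    case $rc in
        0) echo "$1 ($2): tree has $cand, hand it to portaudit -q" ;;
        1) echo "$1 ($2): tree still has the same version" ;;
        *) echo "$1 ($2): origin not found in INDEX" ;;
    esac
done
```

The exact field comparison is the part worth keeping: `www/foo` resolves to `foo-1.2.3` and not to `foo-devel-1.3.0_1`, which an unanchored `egrep /usr/ports/www/foo` would also have matched. Whether the candidate is actually fixed is still portaudit's decision against its vulnerability database.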