From owner-freebsd-vuxml@FreeBSD.ORG Mon Oct 25 09:07:14 2004
Date: Mon, 25 Oct 2004 11:07:11 +0200
From: "Simon L. Nielsen"
To: Dan Langille
Cc: "Jacques A. Vidrine", freebsd-vuxml@freebsd.org
Subject: Re: can portaudit report a fixed date/version?
Message-ID: <20041025090710.GA767@zaphod.nitro.dk>
In-Reply-To: <20041019202849.Q99899@xeon.unixathome.org>
References: <20041017201037.V55729@xeon.unixathome.org> <20041019163753.U74644@xeon.unixathome.org> <20041019213329.GB45466@madman.celabo.org> <20041019202849.Q99899@xeon.unixathome.org>
List-Id: Documenting security issues in VuXML

On 2004.10.19 20:32:13 -0400, Dan Langille wrote:
> On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:
>
> > > It would save many admins quite a bit of time.
> >
> > How so? (serious question)
>
> I don't have time just now to answer the other questions but I can answer
> this one.
>
> Portaudit tells me that port xyz is vulnerable. But there is no
> fix. How do I know when there is a fix? Only by checking FreshPorts, cvs
> logs, the ports tree, trying to install the port, portupgrade, etc. I
> could do this daily for days without a fix.
>
> Instead, if portaudit reported that port xyz is vulnerable and that there
> is a fix (if there actually is a fix), then all I need to do is monitor my
> daily security email that automagically includes the output of portaudit.
> I can then instantly know that it's time to run portupgrade on port xyz.
Since I really didn't think this should be that hard to do I made a simple
proof-of-concept patch to implement this. It is currently an ugly hack, but
it works (well, in most cases it should anyway). It requires an updated
INDEX-5 to be on the system.

I don't have the time to make a proper patch at the moment, but I will
perhaps next week... I mainly post the current patch here for inspiration
if somebody else would like to play with this further.

--
Simon L. Nielsen
FreeBSD Documentation Team

Content-Disposition: attachment; filename="portaudit-HACK-fix-avail.patch"

Index: files/portaudit-cmd.sh =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/ports/security/portaudit/files/portaudit-cmd.sh,v retrieving revision 1.11 diff -u -d -r1.11 portaudit-cmd.sh --- files/portaudit-cmd.sh 3 Sep 2004 20:30:54 -0000 1.11 +++ files/portaudit-cmd.sh 25 Oct 2004 08:57:32 -0000 @@ -31,6 +31,13 @@ # $FreeBSD: ports/security/portaudit/files/portaudit-cmd.sh,v 1.11 2004/09= /03 20:30:54 eik Exp $ # =20 +# WARNING: This is a hacked proof-of-concept version by +# Simon L. Nielsen . +# +# DO NOT USE THIS UNLESS YOU KNOW WHAT YOU ARE DOING! + +INDEX=3D"/usr/ports/INDEX-5" + portaudit_confs() { : ${portaudit_dir=3D"%%DATABASEDIR%%"} @@ -125,6 +132,11 @@ return 0 } =20 +# The actual check for the current version from INDEX should be +# something like this... : +#=20 +# curvercmd=3D"egrep \'^[^|]+\|/usr/ports/" origin "\|\'" "/usr/ports/INDE= X-5" + audit_installed() { local rc=3D0 
@@ -148,6 +160,21 @@ cmd=3D"'"$pkg_info"' -E \"" $1 "\"" while((cmd | getline pkg) > 0) { vul++ + origincmd=3D"'"$pkg_info"' -oq " pkg + if (origincmd | getline origin) { + curvercmd=3D"egrep /usr/ports/" origin " '"$INDEX"'" + if (curvercmd | getline curverline) { + split(curverline, a, "|") + curver=3Da[1] + if (! system("portaudit -q " curver)) { + print "Fixed version " curver " found." + } else { + print "Fixed version not found." + } + } + close(curvercmd) + } + close(origincmd) print_affected(pkg, "") } close(cmd)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBfMI+h9pcDSc1mlERAoB4AKCeM9qh/JAljIfBGpGgMwA6a3ha+gCgptom
sdngxznNp8bIXIBNxhNq8Ro=
=QuA9
-----END PGP SIGNATURE-----
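Review bot: `INDEX="/usr/ports/INDEX-5"` in the first hunk (@@ -31,6 +31,13 @@) is set at file scope, above portaudit_confs(), so unlike the `: ${portaudit_dir=...}` defaults it cannot be overridden from the configuration, it ignores PORTSDIR, and it pins the file name to one FreeBSD major version. Suggest a default inside portaudit_confs(), e.g. `: ${portaudit_index="${PORTSDIR:-/usr/ports}/INDEX-5"}`, plus a test that the file exists (and a warning when it is older than the audit database) before audit_installed() relies on it, since the message itself says the result is only as good as the installed INDEX.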
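Review bot: the commented-out `curvercmd` in the second hunk (@@ -125,6 +132,11 @@), anchored on `^[^|]+\|/usr/ports/<origin>\|`, is the lookup the third hunk should actually run, yet it is left as dead text and still hardcodes `/usr/ports/INDEX-5` instead of `$INDEX`; either wire it in or drop it. Since audit_installed() already drives this loop from awk, the cleanest form is to read INDEX with `awk -F'|'` and test `$2 == "/usr/ports/" origin` for equality, which removes the nested shell quoting and stops regex metacharacters in an origin (`.`, `+`) from being interpreted by egrep.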
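Review bot: `curvercmd="egrep /usr/ports/" origin " $INDEX"` in the third hunk (@@ -148,6 +160,21 @@) is unanchored, so `getline curverline` takes the first INDEX line that merely contains the string; for an origin that is a prefix of another (devel/libtool against devel/libtool15) that is a different port, and curver then names a package that was never installed. Anchor on the path field with a trailing `|`, as the comment added in the previous hunk already sketches. Two smaller points: `system("portaudit -q " curver)` re-executes portaudit from PATH once per vulnerable package instead of reusing the script's own check, and the "Fixed version not found." branch should print curver as well, because with a stale INDEX "no fix in my INDEX" and "no fix exists" are otherwise indistinguishable to the admin reading the daily mail.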
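What the patch reaches for, as an added example that is neither Simon's patch nor portaudit's own code: a small POSIX sh script that looks an origin up in INDEX by exact match on the path field, checks the version it finds against portaudit-style `name<version` range entries, and reports whether a fixed version is already in the ports tree. The INDEX and auditfile excerpts, package names, origins and URLs are all constructed for the example, and the version comparison is a deliberately simplified stand-in for `pkg_version -t`.

```shell
#!/bin/sh
# Added example; not code from the original message or from portaudit.
# Looks up an origin's current version in INDEX by exact match on the path
# field (not an unanchored egrep), then tests that version against
# portaudit-style "name<version" range entries. All data is constructed.
# vcmp is a simplified stand-in for pkg_version -t: dotted numbers and
# _PORTREVISION only, no ,PORTEPOCH and no letter suffixes such as 1.0b2.

INDEX=$(mktemp) || exit 1
AUDITFILE=$(mktemp) || exit 1
trap 'rm -f "$INDEX" "$AUDITFILE"' EXIT

# Constructed INDEX excerpt, 10 '|'-separated fields per line:
# pkgname|path|prefix|comment|descr|maintainer|categories|bdeps|rdeps|www
# devel/libtool13 comes first on purpose: an unanchored search for
# /usr/ports/devel/libtool hits it before the devel/libtool line.
cat > "$INDEX" <<'EOF'
libtool-1.3.5_2|/usr/ports/devel/libtool13|/usr/local|Shared library support (1.3)|/usr/ports/devel/libtool13/pkg-descr|x@example.invalid|devel|||http://example.invalid/
libtool-1.5.10_1|/usr/ports/devel/libtool15|/usr/local|Shared library support (1.5)|/usr/ports/devel/libtool15/pkg-descr|x@example.invalid|devel|||http://example.invalid/
libtool-1.5.10|/usr/ports/devel/libtool|/usr/local|Shared library support|/usr/ports/devel/libtool/pkg-descr|x@example.invalid|devel|||http://example.invalid/
apache-1.3.33|/usr/ports/www/apache13|/usr/local|Apache 1.3 http server|/usr/ports/www/apache13/pkg-descr|x@example.invalid|www|||http://example.invalid/
EOF

# Constructed auditfile excerpt in portaudit's "spec|url|description" form.
cat > "$AUDITFILE" <<'EOF'
libtool<1.5.10|http://example.invalid/libtool.html|libtool -- constructed example advisory
apache>=1.3<1.3.33|http://example.invalid/apache.html|apache -- constructed example advisory
EOF

# index_current_version ORIGIN: prints the pkgname INDEX lists for ORIGIN.
# Field 2 is compared for equality, so devel/libtool cannot match libtool15.
index_current_version() {
    awk -F'|' -v want="/usr/ports/$1" \
        '$2 == want { print $1; found = 1; exit } END { exit !found }' "$INDEX"
}

# The unanchored lookup the patch does, kept only to show the failure:
# the first line containing the string wins, whichever port it belongs to.
index_current_version_naive() {
    grep "/usr/ports/$1" "$INDEX" | head -n 1 | cut -d'|' -f1
}

# is_vulnerable PKGNAME: prints the advisory description and returns 0 if an
# auditfile entry names this package and every version clause in the entry
# holds for the given version; returns 1 otherwise.
is_vulnerable() {
    awk -F'|' -v name="${1%-*}" -v ver="${1##*-}" '
    function vcmp(a, b,    x, y, na, nb, n, i, p, q) {
        na = split(a, x, /[._]/); nb = split(b, y, /[._]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) return -1
            if (p > q) return 1
        }
        return 0
    }
    function holds(op, c) {
        if (op == "<")  return c < 0
        if (op == "<=") return c <= 0
        if (op == ">")  return c > 0
        if (op == ">=") return c >= 0
        return c == 0
    }
    {
        if (!match($1, /[<>=]/) || substr($1, 1, RSTART - 1) != name) next
        rest = substr($1, RSTART); ok = 1
        # Consume one "<op><version>" clause at a time, e.g. ">=1.3" then "<1.3.33".
        while (match(rest, /^([<>]=?|=)[^<>=]+/)) {
            clause = substr(rest, 1, RLENGTH); rest = substr(rest, RLENGTH + 1)
            op = substr(clause, 1, (substr(clause, 2, 1) == "=") ? 2 : 1)
            if (!holds(op, vcmp(ver, substr(clause, length(op) + 1)))) { ok = 0; break }
        }
        if (ok) { print $3; found = 1; exit }
    }
    END { exit !found }' "$AUDITFILE"
}

# fix_available PKGNAME ORIGIN: prints the pkgname INDEX currently lists for
# ORIGIN and returns 0 when that version is no longer flagged; returns 1 when
# it is still flagged, 2 when ORIGIN is not in INDEX at all.
fix_available() {
    cur=$(index_current_version "$2") || return 2
    if is_vulnerable "$cur" >/dev/null; then return 1; fi
    printf '%s\n' "$cur"
}

# Demo over constructed installed packages (pkgname:origin pairs).
for pair in libtool-1.5.8:devel/libtool libtool-1.3.5_2:devel/libtool13 apache-1.3.29:www/apache13; do
    pkg=${pair%%:*}; origin=${pair#*:}
    if ! is_vulnerable "$pkg" >/dev/null; then
        echo "$pkg: not affected"
    elif fix=$(fix_available "$pkg" "$origin"); then
        echo "$pkg: affected, fixed version $fix is in the ports tree"
    else
        echo "$pkg: affected, no fixed version in INDEX yet"
    fi
done
```

Run as-is it prints one line per constructed package. The naive lookup is kept only to show why the anchor matters: asked for devel/libtool it returns the libtool13 entry. On a real system the INDEX path would come from the ports tree and the auditfile from portaudit's database directory, and `pkg_version -t` should replace vcmp before trusting the answer on epochs or lettered versions.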