Date:      Sat, 31 Mar 2007 18:40:22 GMT
From:      Hussain Ali<hali@datapipe.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/111066: Portaudit does not skip ports fixed listed in portaudit.conf only FreeBSD-* are ignored
Message-ID:  <200703311840.l2VIeMu3067425@www.freebsd.org>
Resent-Message-ID: <200703311850.l2VIo3cj044821@freefall.freebsd.org>


>Number:         111066
>Category:       misc
>Synopsis:       Portaudit does not skip ports fixed listed in portaudit.conf only FreeBSD-* are ignored
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 31 18:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Hussain Ali
>Release:        FreeBSD4 - 7 (various versions)
>Organization:
Datapipe
>Environment:
FreeBSD <removed> 4.11-RELEASE-p16 FreeBSD 4.11-RELEASE-p16 #3: Fri Nov  3 03:10:58 EST 2006     root@<removed>:/usr/obj/usr/src/sys/EASYADMIN-SMP  i386

FreeBSD <removed> 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #3: Fri Feb 17 18:23:59 EST 2006     <removed>:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Upon using the portaudit utility, it does not skip ports if we have applied a local patch to the port and listed it under portaudit_fixed.

All I could previously dig up on this was: 
http://lists.freebsd.org/pipermail/freebsd-stable/2005-June/016403.html
>How-To-Repeat:
Roll back your ports tree or use some installed vulnerable package. Add the VUID to port_fixed in portaudit.conf. Run portaudit, the port is still there. Example: 

$ grep portaudit_fixed /usr/local/etc/portaudit.conf
portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7di 76562594-1f19-11db-b7d4-0008743bf21a"

$ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a
Affected package: ruby-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>;


>Fix:
I am submitting a patch for the change request. I have added the -S (pkgSkip) flag to add this functionality. Sample run:

$ grep portaudit_fixed /usr/local/etc/portaudit.conf
portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d 76562594-1f19-11db-b7d4-0008743bf21a"

$ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a
Affected package: ruby-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>;

$ portaudit -aS | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a | wc -l
       0



Patch attached with submission follows:

diff -r work/portaudit-cmd.sh work.new/portaudit-cmd.sh
137c137
< 		BEGIN { vul=0; fixedre="'"$fixedre"'" }
---
> 		BEGIN { vul=0; fixedre="'"$fixedre"'";opt_pkgSkip="'"$opt_pkgSkip"'" }
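Review bot: opt_pkgSkip is spliced into the awk program text in the BEGIN block by closing and reopening the shell quotes, the same way fixedre already is. Passing both values with awk's -v option would keep shell data out of the program source, so a value containing a double quote cannot end the string literal early and change what the program does.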
148a149,151
> 			if ( opt_pkgSkip  == "true" ) {
> 				if (fixedre && $2 ~ fixedre) next
> 			}
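Review bot: the two nested conditions in the added block can be a single test, `if (opt_pkgSkip == "true" && fixedre && $2 ~ fixedre) next`. More important, `$2 ~ fixedre` is a regular-expression match and the construction of fixedre is not shown in this diff: confirm that each listed id is matched as a whole id, so that a short or malformed entry in portaudit_fixed cannot suppress unrelated records once -S extends the skip to every package.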
349a353
> opt_pkgSkip=false
355c359
< while getopts aCdf:Fqr:vVX: opt; do
---
> while getopts aCdf:Fqr:vSVX: opt; do
370a375,376
> 	S)
> 		opt_pkgSkip=true;;
378c384
< 		echo "Usage: $0 -aCdFVvq [-X days] [-r pattern] [-f file] [pkg-name ...]"
---
> 		echo "Usage: $0 -aCdFVvqS [-X days] [-r pattern] [-f file] [pkg-name ...]"
455a462,466
> fi
> 
> if $opt_pkgSkip; then 
> 	echo "portaudit: skipping ALL vulnerablities listed in portaudit.conf"
> 	opt_audit=true
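Review bot: in the added `if $opt_pkgSkip` block, -S also sets opt_audit=true, a side effect that neither the usage string nor the portaudit.1 text mentions; either document it or let -S only modify an audit the user asked for. The echo is unconditional, so it prints whatever other flags are given, -q included, and "vulnerablities" is misspelled. Since this option hides findings from the report, printing the ids that are actually being skipped would serve an administrator better than a generic notice.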
diff -r work/portaudit.1 work.new/portaudit.1
89a90,92
> .It Fl S
> Additionaly skip package vulnerabilities listed in portaudit.conf. The 
> default is to only skip FreeBSD vulnerabilites if defined.
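Review bot: the new -S entry has two typos ("Additionaly", "vulnerabilites") and does not say that -S switches the audit on, which the script change does by setting opt_audit=true. It should also name the setting, portaudit_fixed, and state that listed entries are left out of the report, so that anyone reading the output knows it can be incomplete.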
diff -r work/portaudit.conf work.new/portaudit.conf
18,19c18,21
< # this vulnerability has been fixed in your FreeBSD version
< #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d"
---
> # this vulnerability has been fixed in your FreeBSD or port version (space, tab deliminated)
> #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d 594eb447-e398-11d9-a8bd-000cf18bbe54"
> 
> 
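Review bot: the rewritten comment says an entry can mark a fix in a port version, but according to the portaudit.1 change port entries are skipped only when -S is given; the comment should say so, otherwise users will list ids and still see them reported. "deliminated" should be "delimited", and the hunk adds two trailing blank lines to the file.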

>Release-Note:
>Audit-Trail:
>Unformatted:
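
The skip that portaudit_fixed is meant to provide, sketched as an added example that is not part of this PR or of portaudit itself: it looks ids up whole instead of regex-matching them and reports list entries that are not well-formed ids. The record layout `package|reference URL|description`, the lowercase-hex id format, the function names and the `example-pkg` record are assumptions made for illustration; the first list entry is copied as it appears in the How-To-Repeat listing.

```shell
#!/bin/sh
# Added example, not portaudit code. Assumed record layout (constructed):
#   package|reference URL|description

# Print the well-formed ids from a space/tab separated list; report the rest.
check_fixed_ids() {
    for id in $1; do
        if printf '%s\n' "$id" |
            grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
            printf '%s\n' "$id"
        else
            printf 'portaudit_fixed: malformed id ignored: %s\n' "$id" >&2
        fi
    done
}

# Read records on stdin and drop those whose reference URL names a listed id.
filter_fixed() {
    ids=$(check_fixed_ids "$1" | tr '\n' ' ')
    awk -F'|' -v ids="$ids" '
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) fixed[a[i]] = 1 }
        {
            id = $2
            sub(/.*\//, "", id)      # keep the last path component
            sub(/\.html$/, "", id)   # strip the suffix, leaving the bare id
            if (id in fixed) next    # whole-id lookup, not a regex match
            print
        }'
}

# Constructed sample records; the ids are taken from this page, the second
# package name and description are made up.
sample_records() {
    cat <<'EOF'
ruby-1.8.4_4,1|http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html|ruby - multiple vulnerabilities.
example-pkg-1.0|http://www.FreeBSD.org/ports/portaudit/594eb447-e398-11d9-a8bd-000cf18bbe54.html|constructed entry
EOF
}

# First entry as it appears in the How-To-Repeat listing, second as in both.
fixed_list="d2102505-f03d-11d8-81b0-000347a4fa7di 76562594-1f19-11db-b7d4-0008743bf21a"
sample_records | filter_fixed "$fixed_list"
```

Run as is, it prints only the `example-pkg-1.0` record and writes one malformed-id warning to stderr.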


