From owner-freebsd-vuxml@FreeBSD.ORG Tue Aug 17 19:36:04 2004
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4509416A4CE; Tue, 17 Aug 2004 19:36:04 +0000 (GMT)
Received: from pittgoth.com (14.zlnp1.xdsl.nauticom.net [209.195.149.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id C05A543D1D; Tue, 17 Aug 2004 19:36:03 +0000 (GMT) (envelope-from trhodes@FreeBSD.org)
Received: from localhost (acs-24-154-239-170.zoominternet.net [24.154.239.170]) (authenticated bits=0) by pittgoth.com (8.12.10/8.12.10) with ESMTP id i7HJYZ0l076547 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 17 Aug 2004 15:34:36 -0400 (EDT) (envelope-from trhodes@FreeBSD.org)
Date: Tue, 17 Aug 2004 15:35:10 -0400
From: Tom Rhodes
To: Oliver Eikemeier
Message-Id: <20040817153510.6ccfbd8b@localhost>
In-Reply-To: <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com>
References: <20040817185332.2B91D1800A@sirius.firepipe.net> <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com>
X-Mailer: Sylpheed-Claws 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
cc: freebsd-vuxml@FreeBSD.org
cc: Tom Rhodes
cc: Pete Fritchman
cc: "Jacques A. Vidrine"
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML
X-List-Received-Date: Tue, 17 Aug 2004 19:36:04 -0000

On Tue, 17 Aug 2004 21:32:05 +0200
Oliver Eikemeier wrote:

> Pete Fritchman wrote:
>
> > Perhaps you could use CVS revision IDs (with 'ident'). For example,
> >
> > /usr/bin/passwd:
> >      $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 10:48:08 assar Exp $
> >      $FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.14.2.2 2004/02/22 11:28:06 charnier Exp $
> >      $FreeBSD: src/usr.sbin/vipw/pw_util.c,v 1.17.2.4 2002/09/04 15:28:10 des Exp $
> >      $FreeBSD: src/libexec/ypxfr/ypxfr_misc.c,v 1.9.2.2 2002/02/15 00:46:54 des Exp $
> >      $FreeBSD: src/include/rpcsvc/yp.x,v 1.12 1999/08/27 23:45:12 peter Exp $
> >      $FreeBSD: src/include/rpcsvc/yppasswd.x,v 1.6 1999/08/27 23:45:12 peter Exp $
> >      $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 1999/08/28 01:19:41 peter Exp $
> >      $FreeBSD: src/usr.sbin/rpc.yppasswdd/yppasswd_private.x,v 1.6 1999/08/28 01:19:41 peter Exp $
> >
> > If a security bug was fixed in passwd.c 1.16.3.1, you could point out
> > that I'm vulnerable. Most of the security advisories include the
> > revision that things were fixed in, so this shouldn't be too hard.
>
> Jacques doesn't seem to like this: "Aaaaaahh!". I don't really care,
> ident(1) is fine for me, and it seems like this is the only reliable
> indication. OTOH you'll need a couple of references (file, list of
> FreeBSD versions). Doable, so when no other ideas pop up we should do
> this.

Yea, I already mentioned this. We could also stat the UPDATING file for
the entry? Perhaps some kind of string could be checked with grep or
something.

-- 
Tom Rhodes
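The ident(1) approach discussed in this thread, as an added example that is not part of the original mail or of portaudit: parse the $FreeBSD$ keywords ident prints for a binary, and compare each source file's CVS revision against the first fixed revision on the branch it came from. The ident output below is constructed in the shape of Pete's listing, and every fix revision in the table is hypothetical, chosen only to exercise the comparison; nothing here is a claim about a real passwd(1) bug. The per-branch table is the "couple of references (file, list of FreeBSD versions)" Oliver mentions: a CVS revision such as 1.16.2.1 lives on branch 1.16.2, so comparing it numerically with 1.16.3.1 (a different branch forked from the same 1.16) says nothing about whether the fix is present.

```python
"""Check a binary's embedded $FreeBSD$ ident strings against per-branch fix revisions.

Added example, not portaudit code. Assumptions: the fix table below is
hypothetical, and a branch with no fix entry of its own contains the fix only
if it forked from a mainline revision at or after the mainline fix (no MFC on
record means not fixed).
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# One $FreeBSD$ keyword as ident(1) prints it: path,v revision date time user state
IDENT_RE = re.compile(r"\$FreeBSD:\s+(?P<path>\S+),v\s+(?P<rev>\d+(?:\.\d+)+)\s+")

Revision = Tuple[int, ...]


def rev_tuple(rev: str) -> Revision:
    """'1.16.2.1' -> (1, 16, 2, 1), so revisions compare numerically, not as strings."""
    return tuple(int(part) for part in rev.split("."))


def branch_of(rev: str) -> Revision:
    """CVS branch a revision lives on: everything but the last component.
    '1.16' -> (1,) is mainline; '1.16.2.1' -> (1, 16, 2) is a branch forked from 1.16."""
    return rev_tuple(rev)[:-1]


def branch_base(rev: str) -> Optional[Revision]:
    """Mainline revision a branch revision forked from: '1.16.2.1' -> (1, 16); None for mainline."""
    parts = rev_tuple(rev)
    return parts[:2] if len(parts) > 2 else None


def parse_ident(text: str) -> Dict[str, List[str]]:
    """Collect revisions per source path. A binary links several objects, so the
    same path may legitimately appear more than once (Pete's listing shows this)."""
    found: Dict[str, List[str]] = {}
    for m in IDENT_RE.finditer(text):
        found.setdefault(m.group("path"), []).append(m.group("rev"))
    return found


def status(installed: str, fixes: Dict[str, str]) -> str:
    """Compare one installed revision with the fix table for its file.
    fixes maps a branch ('1' = mainline, '1.16.2' = a release branch) to the
    first revision on that branch that contains the fix."""
    by_branch = {rev_tuple(b): rev_tuple(r) for b, r in fixes.items()}
    inst = rev_tuple(installed)
    branch = branch_of(installed)
    if branch in by_branch:                       # fix (or MFC) known on this very branch
        return "fixed" if inst >= by_branch[branch] else "vulnerable"
    base = branch_base(installed)
    mainline = by_branch.get((1,))
    if base is not None and mainline is not None:
        # Branch forked at or after the mainline fix: it inherited the fix.
        # Forked before it and no MFC recorded: still carries the bug.
        return "fixed" if base >= mainline else "vulnerable"
    return "unknown"                              # no reference point for this branch


def check_binary(ident_text: str, fixes: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Evaluate every file in the fix table against what the binary embeds.
    When a file appears at several revisions, the worst one decides."""
    found = parse_ident(ident_text)
    result: Dict[str, str] = {}
    for path, branch_fixes in fixes.items():
        revs = found.get(path)
        if not revs:
            result[path] = "not-present"
            continue
        states = [status(r, branch_fixes) for r in revs]
        result[path] = next(s for s in ("vulnerable", "unknown", "fixed") if s in states)
    return result


def run_ident(path: str) -> str:
    """Real use: ask ident(1) for the keywords embedded in an installed binary."""
    return subprocess.run(["ident", path], capture_output=True, text=True, check=False).stdout


# Constructed ident(1) output in the shape of the thread's listing (not a real run).
SAMPLE_IDENT = """\
/usr/bin/passwd:
     $FreeBSD: src/usr.bin/passwd/passwd.c,v 1.16.2.1 2001/03/12 10:48:08 assar Exp $
     $FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.14.2.2 2004/02/22 11:28:06 charnier Exp $
     $FreeBSD: src/usr.sbin/vipw/pw_util.c,v 1.17.2.4 2002/09/04 15:28:10 des Exp $
     $FreeBSD: src/include/rpcsvc/yp.x,v 1.12 1999/08/27 23:45:12 peter Exp $
"""

# Hypothetical fix table: path -> branch -> first fixed revision on that branch.
# "1" is HEAD (mainline). These revisions are invented for the example only.
HYPOTHETICAL_FIXES = {
    "src/usr.bin/passwd/passwd.c": {"1": "1.18", "1.16.2": "1.16.2.2"},  # MFC'd, installed is older
    "src/usr.sbin/pwd_mkdb/pw_scan.c": {"1": "1.15", "1.14.2": "1.14.2.2"},  # installed == MFC revision
    "src/usr.sbin/vipw/pw_util.c": {"1": "1.17"},  # branch 1.17.2 forked from 1.17: inherited
    "src/include/rpcsvc/yp.x": {"1": "1.13"},      # mainline file behind the mainline fix
}

if __name__ == "__main__":
    text = run_ident(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_IDENT
    for path, state in sorted(check_binary(text, HYPOTHETICAL_FIXES).items()):
        print(f"{state:12} {path}")
```

Run without arguments it evaluates the constructed listing; with a path it shells out to ident(1) on that binary. The limits are the ones the thread hints at: a binary only embeds keywords for objects whose sources carry $FreeBSD$, a file missing from the output yields "not-present" rather than a verdict, and a branch the fix table does not know about is reported "unknown" rather than guessed, which is why each advisory entry needs the fixed revision for every supported branch.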