Date:      Fri, 30 Jun 2006 20:13:44 -0700
From:      Colin Percival <cperciva@freebsd.org>
To:        "Dolan-Gavitt, Brendan F." <brendandg@mitre.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Determining vulnerability to issues described by SAs
Message-ID:  <44A5E868.60508@freebsd.org>
In-Reply-To: <A4B2840BABACAB46A3100E0DCD4DEDDDC42349@IMCSRV3.MITRE.ORG>
References:  <A4B2840BABACAB46A3100E0DCD4DEDDDC42349@IMCSRV3.MITRE.ORG>

Dolan-Gavitt, Brendan F. wrote:
>   I've been trying for the past few days to come up with a method for
> checking a FreeBSD system to see if it is vulnerable to an issue
> described by a FreeBSD security advisory in some automated way [...]

Yes, this is a problem.

> 	[1] Checking the patchlevel as reported by uname -r.
> 	[2] Checking the RCS version tags in the source files listed as
> changed by the SA
> 	[3] Using ident on the binaries affected to extract the RCS
> tags of the source files used to compile them.
> 
> [1] Can fail if the user updates through binary patches of the sort
> offered by freebsd-update; as far as I can tell, these do not affect
> the output of uname unless they directly patch the kernel. Worse, the
> patchlevel reported may be up-to-date even if the userland is still
> vulnerable to an issue mentioned in an SA (eg if the user does a make
> buildkernel but not a make buildworld).

Yes.  Also, the instructions contained in advisories usually involve
rebuilding only the affected part(s) of FreeBSD -- we've considered
having a "kernel patch number" and "userland patch number" separately,
but even this wouldn't really work.

> [2] Can fail if the user does not build from source to update the
> system.

It would also fail if people update their src tree by applying the
patches distributed on http://security.freebsd.org/, since these patches
don't modify the $FreeBSD$ CVS tags.

> [3] Should work in all cases (aside from custom modifications to the
> sources, but there's really no way to handle this case), but I don't
> know of any way to automatically determine what binary to ident based
> on the list of source files given in a security advisory.

Most binaries do not include $FreeBSD$ tags corresponding to all of the
source files used to compile them, so this approach doesn't work very
well, even if the user is updating their source tree with a method which
propagates the $FreeBSD$ tags.  In addition, FreeBSD Update does not
include updated $FreeBSD$ tags, since the new values in those tags are
generated at commit time, well after the FreeBSD Update builds are run.

>   I'm fairly new to FreeBSD, so I may just be missing something
> here--is there a reliable way to determine if a system is patched
> according to a particular security advisory?

In short, no.  If you have any ideas, let me know. :-)

Colin Percival



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44A5E868.60508>