Date:      Wed, 3 Dec 2003 03:40:23 -0800 (PST)
From:      Uwe Doering <gemini@geminix.org>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/59905: The echoping port is wrongly flagged (security alert)
Message-ID:  <200312031140.hB3BeNZj051956@freefall.freebsd.org>

The following reply was made to PR ports/59905; it has been noted by GNATS.

From: Uwe Doering <gemini@geminix.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/59905: The echoping port is wrongly flagged (security alert)
Date: Wed, 03 Dec 2003 12:35:01 +0100

 Stephane Bortzmeyer wrote:
 >>Description:
 > 
 > When installing the echoping port, it says:
 >   ===> SECURITY REPORT: This port has installed the following files
 > which may act as network servers and may therefore pose a remote
 > security risk to the system.  
 > /usr/local/bin/echoping
 >       If there are vulnerabilities in these programs there may be a
 > security risk to the system. FreeBSD makes no guarantee about the
 > security of ports included in the Ports Collection. Please type 'make
 > deinstall' to deinstall the port if this is a concern.
 >       For more information, and contact details about the security
 > status of this software, see the following webpage:
 >  http://echoping.sourceforge.net/
 > 
 >    But echoping is *not* a network server and never was. I wonder where
 > this strange alert comes from. IMHO, since echoping:
 >   * is not and cannot be a network server,
 >   * is never setuid or setgid,
 >   it should not generate a security report.
 
 To be classified as a network server it is sufficient if the program uses 
 either accept() or recvfrom().  I haven't looked, but since 'echoping' 
 deals with UDP, too, the likely culprit is recvfrom().  So while 
 flagging 'echoping' as a network server is wrong, it is also harmless, 
 IMHO.  For more details have a look at '/usr/ports/Mk/bsd.port.mk'.
 
     Uwe
 -- 
 Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
 gemini@geminix.org  |  http://www.escapebox.net
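
The rule described in the reply above (importing accept() or recvfrom() is enough to be flagged), as an added shell example that is not part of the original message and is not the code in bsd.port.mk. The function names, the whole-name matching and the symbol lists are assumptions of this example; `imported_symbols` assumes an nm(1) that supports `-D` and `-u`.

```shell
#!/bin/sh
# Added illustration; not the check implemented in bsd.port.mk.
# Symbols that, per the message above, are enough to be classed as a network server.
SERVER_SYMS='accept recvfrom'

# Print the undefined (imported) dynamic symbols of an ELF file, one per line.
# Assumption: nm supports -D and -u; symbol version suffixes (@...) are stripped.
imported_symbols() {
    nm -D -u "$1" 2>/dev/null | awk '{ sub(/@.*/, "", $NF); print $NF }'
}

# Read symbol names on stdin; print the ones that trigger the flag.
# Whole-name match only (a choice of this example), so accept4 does not count.
server_hits() {
    awk -v want="$SERVER_SYMS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) hit[w[i]] = 1 }
        ($1 in hit) && !seen[$1]++ { print $1 }
    ' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Classify a symbol list: prints "flagged: <syms>" or "not flagged".
classify() {
    hits=$(server_hits)
    if [ -n "$hits" ]; then echo "flagged: $hits"; else echo "not flagged"; fi
}

# Constructed import lists (not taken from real binaries).
# A UDP client reads its reply with recvfrom(), so it is flagged like a server.
udp_client_syms() { printf '%s\n' socket sendto recvfrom gettimeofday close; }
tcp_client_syms() { printf '%s\n' socket connect write read close; }
tcp_server_syms() { printf '%s\n' socket bind listen accept read write; }

# On a real file: imported_symbols /usr/local/bin/echoping | classify
```

The constructed UDP client list is flagged although it never binds or listens, which is the false positive the reply describes.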
 