From owner-freebsd-bugs@FreeBSD.ORG Sat Mar 31 18:50:04 2007
Resent-Date: Sat, 31 Mar 2007 18:50:03 GMT
Resent-Message-Id: <200703311850.l2VIo3cj044821@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Hussain Ali
Message-Id: <200703311840.l2VIeMu3067425@www.freebsd.org>
Date: Sat, 31 Mar 2007 18:40:22 GMT
From: Hussain Ali
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/111066: Portaudit does not skip ports fixed listed in portaudit.conf only FreeBSD-* are ignored
List-Id: Bug reports

>Number:         111066
>Category:       misc
>Synopsis:       Portaudit does not skip ports fixed listed in portaudit.conf only FreeBSD-* are ignored
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 31 18:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Hussain Ali
>Release:        FreeBSD4 - 7 (various versions)
>Organization:   Datapipe
>Environment:
FreeBSD 4.11-RELEASE-p16 FreeBSD 4.11-RELEASE-p16 #3: Fri Nov 3 03:10:58 EST 2006 root@:/usr/obj/usr/src/sys/EASYADMIN-SMP i386
FreeBSD 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #3: Fri Feb 17 18:23:59 EST 2006 :/usr/obj/usr/src/sys/GENERIC i386
>Description:
Upon using the portaudit utility, it does not skip ports if we have applied a local patch to the port and listed it under portaudit_fixed.

All I could previously dig up on this was:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-June/016403.html
>How-To-Repeat:
Roll back your ports tree or use some installed vulnerable package. Add the VUID to portaudit_fixed in portaudit.conf. Run portaudit; the port is still there.

Example:
$ grep portaudit_fixed /usr/local/etc/portaudit.conf
portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7di 76562594-1f19-11db-b7d4-0008743bf21a"
$ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a
Affected package: ruby-1.8.4_4,1
Type of problem: ruby - multiple vulnerabilities.
Reference: >Fix: I am submitting a patch for the change request. I have added the -S (pkgSkip) flag to add this functionality. Sample run : $ grep portaudit_fixed /usr/local/etc/portaudit.conf portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d 76562594-1f19-11db-b7d4-0008743bf21a" $ portaudit -a | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a Affected package: ruby-1.8.4_4,1 Type of problem: ruby - multiple vulnerabilities. Reference: $ portaudit -aS | grep -A1 -B2 76562594-1f19-11db-b7d4-0008743bf21a | wc -l 0 Patch attached with submission follows: diff -r work/portaudit-cmd.sh work.new/portaudit-cmd.sh 137c137 < BEGIN { vul=0; fixedre="'"$fixedre"'" } --- > BEGIN { vul=0; fixedre="'"$fixedre"'";opt_pkgSkip="'"$opt_pkgSkip"'" } 148a149,151 > if ( opt_pkgSkip == "true" ) { > if (fixedre && $2 ~ fixedre) next > } 349a353 > opt_pkgSkip=false 355c359 < while getopts aCdf:Fqr:vVX: opt; do --- > while getopts aCdf:Fqr:vSVX: opt; do 370a375,376 > S) > opt_pkgSkip=true;; 378c384 < echo "Usage: $0 -aCdFVvq [-X days] [-r pattern] [-f file] [pkg-name ...]" --- > echo "Usage: $0 -aCdFVvqS [-X days] [-r pattern] [-f file] [pkg-name ...]" 455a462,466 > fi > > if $opt_pkgSkip; then > echo "portaudit: skipping ALL vulnerablities listed in portaudit.conf" > opt_audit=true diff -r work/portaudit.1 work.new/portaudit.1 89a90,92 > .It Fl S > Additionaly skip package vulnerabilities listed in portaudit.conf. The > default is to only skip FreeBSD vulnerabilites if defined. diff -r work/portaudit.conf work.new/portaudit.conf 18,19c18,21 < # this vulnerability has been fixed in your FreeBSD version < #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d" --- > # this vulnerability has been fixed in your FreeBSD or port version (space, tab deliminated) > #portaudit_fixed="d2102505-f03d-11d8-81b0-000347a4fa7d 594eb447-e398-11d9-a8bd-000cf18bbe54" > > >Release-Note: >Audit-Trail: >Unformatted:
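Review bot: In the awk hunk at 148a149,151, `$2 ~ fixedre` is an unanchored regular-expression match, so with -S any VUID that merely contains one of the portaudit_fixed tokens as a substring is suppressed; a truncated or mistyped entry in portaudit.conf would then silently hide unrelated findings, which is the wrong direction for an audit tool to fail in. Suggest an exact comparison of the VUID field (split portaudit_fixed into an array and test `$2 in fixed`), or at minimum anchor the pattern. Passing the option through shell quoting in the BEGIN block (`opt_pkgSkip="'"$opt_pkgSkip"'"`) mirrors how fixedre already gets in, so that part is fine.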
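Review bot: The hunk at 455a462,466 is spliced in a confusing way: its first added line is a bare `fi` that closes the existing block, and the new `if $opt_pkgSkip; then` is left open so that the pre-existing `fi` following old line 455 closes it. It works, but it reads as an unbalanced fragment in the diff and will trip the next person who edits that region; add the new block as a complete `if ...; then ...; fi` after the existing one instead. Two further points in the same hunk: -S forces `opt_audit=true` (i.e. it implies -a) without the usage string or the man page saying so, and the informational echo goes to stdout unconditionally, so it lands in piped output and ignores -q; send it to stderr and honour the quiet flag. Typo: "vulnerablities".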
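Review bot: In the portaudit.1 hunk, spelling: "Additionaly" should be "Additionally" and "vulnerabilites" should be "vulnerabilities". The entry should also state that -S implies -a (the script sets opt_audit=true when -S is given) and spell out the consequence that a VUID listed in portaudit_fixed is no longer reported for any package, so a stale entry left behind after a package upgrade keeps masking a real finding until someone removes it.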
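Review bot: In the portaudit.conf hunk, "deliminated" should be "delimited". The new comment says the list covers vulnerabilities fixed in "your FreeBSD or port version", but with the patch as written port entries are only honoured when -S is passed; say so in the comment, otherwise an admin who adds a port VUID here will be surprised that a plain `portaudit -a` still reports it.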
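Added example, not part of the PR and not portaudit's own code: a small POSIX sh/awk filter that drops audit records whose VUID appears in a portaudit_fixed-style, space/tab-delimited string, written both as an exact token match and as the unanchored `$2 ~ fixedre` regex test the patch uses. The record format, the perl and php VUIDs, and the truncated list entry are constructed for the example; the ruby VUID and the full d2102505-... VUID come from the PR text above.

```shell
#!/bin/sh
# Added example (not portaudit's code, not from the PR): two ways to drop audit
# records whose VUID is listed in a portaudit_fixed-style, space/tab-delimited
# string, and why exact matching is the safer choice for a vulnerability scanner.
#
# Record format is constructed for this example: "<package><TAB><VUID>", one
# per line, roughly what portaudit's awk stage sees in $1 and $2.

# Constructed fixed list: the ruby VUID from the PR plus a truncated copy of the
# other PR VUID (d2102505-f03d-11d8-81b0-000347a4fa7d), the kind of typo an
# admin could plausibly leave in portaudit.conf.
FIXED_VUIDS="76562594-1f19-11db-b7d4-0008743bf21a d2102505-f03d-11d8"

# Constructed audit records. The perl and php VUIDs are made up; the php one
# merely shares its first 18 characters with the truncated list entry.
SAMPLE_RECORDS=$(printf '%s\t%s\n' \
    'ruby-1.8.4_4,1' '76562594-1f19-11db-b7d4-0008743bf21a' \
    'perl-5.8.8'     '00000000-0000-0000-0000-000000000001' \
    'php-4.4.4'      'd2102505-f03d-11d8-81b0-ffffffffffff')

# Exact match: a record is suppressed only if its whole VUID equals a listed token.
# $1: fixed list; stdin: records; stdout: records that are still reported.
filter_fixed_exact() {
    awk -v fixed="$1" '
        BEGIN {
            n = split(fixed, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") skip[tok[i]] = 1
        }
        ($2 in skip) { next }   # VUID is listed: suppress this record
        { print }
    '
}

# Unanchored regex match, the shape used by the PR patch ($2 ~ fixedre): the
# list is joined with "|" and used as a dynamic regular expression, so a token
# that is a prefix or substring of some VUID suppresses that VUID as well.
filter_fixed_regex() {
    awk -v fixed="$1" '
        BEGIN {
            gsub(/^[ \t]+|[ \t]+$/, "", fixed)
            gsub(/[ \t]+/, "|", fixed)
        }
        (fixed != "" && $2 ~ fixed) { next }
        { print }
    '
}

# Number of records a given filter still reports.
# $1: filter function name; $2: fixed list; stdin: records.
count_reported() {
    "$1" "$2" | awk 'END { print NR }'
}

# Demo when run directly: the exact filter keeps perl and php (2 records); the
# regex filter also drops php because of the truncated entry (1 record).
echo "exact match still reports:"
printf '%s\n' "$SAMPLE_RECORDS" | filter_fixed_exact "$FIXED_VUIDS"
echo "unanchored regex still reports:"
printf '%s\n' "$SAMPLE_RECORDS" | filter_fixed_regex "$FIXED_VUIDS"
```

The exact variant is what a suppression list in an audit tool should do: an entry either names a VUID or it does nothing, so a typo in portaudit.conf shows up as "still reported" rather than as a silently hidden finding.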