Message-Id: <201404160313.s3G3DKEn042639@cgiserv.freebsd.org>
Date: Wed, 16 Apr 2014 03:13:20 GMT
From: Dewayne
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: ports/188679: security/cfengine hard-coded passwords in 3.5.3

>Number: 188679
>Category: ports
>Synopsis: security/cfengine hard-coded passwords in 3.5.3
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 16 03:20:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Dewayne
>Release: FreeBSD 9.2S
>Organization:
>Environment:
>Description:
I haven't had time to analyse whether or not this is a significant issue; nor do I wish to suggest some nefarious tracking mechanism. However, in the interests of openness, I'd like to share a mechanism to replace hard-coded passwords that were found in the cfengine35 port.
>How-To-Repeat:
>Fix:
Either insert the variables into the Makefile, for example
CFE_PASSWD_PRIV='privsecret'
CFE_PASSWD_PUB='\"pubsecret\"'
or pass them via the command line.
------------
post-patch:
# You will need to prepend each line with a tab
	@${REINPLACE_CMD} -e '/\*passphrase/s/Cfengine passphrase/${CFE_PASSWD_PRIV}/' \
		-e '/\*passphrase/s/\"public\"/${CFE_PASSWD_PUB}/' \
		${WRKSRC}/cf-key/cf-key.c ${WRKSRC}/libpromises/crypto.c \
		${WRKSRC}/cf-key/cf-key-functions.c
------------
Ideally this should be an option, but that requires greater familiarity with the ports system. The source file location of the passwords has changed with some cfengine revisions, and no doubt will again.
>Release-Note:
>Audit-Trail:
>Unformatted:
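
Because the PR notes that the literals move between cfengine revisions, the sed expressions can succeed while substituting nothing; the following check, run against the work directory after `make patch`, makes that visible. It is an added example, not part of the PR or the port: the function names and sample trees are constructed, and only the two literals and the `*passphrase` address come from the post-patch target above.

```shell
#!/bin/sh
# Added example, not part of the PR. The two literals and the /\*passphrase/
# address are those used by the post-patch target; the rest is assumed.

# Print file:line:text for every *.c line under $1 that matches the sed
# address and still holds one of the two stock passphrase literals.
list_default_passphrases() {
    find "$1" -type f -name '*.c' -exec grep -n -H -e '\*passphrase' {} + 2>/dev/null |
        grep -e 'Cfengine passphrase' -e '"public"'
}

# Count the lines under $1 that match the sed address at all.
count_anchor_lines() {
    find "$1" -type f -name '*.c' -exec grep -c -H -e '\*passphrase' {} + 2>/dev/null |
        awk -F: '{ n += $NF } END { print n + 0 }'
}

# 0: address lines exist and no stock literal is left on them
# 1: a stock literal remains somewhere in the tree (offending lines on stderr)
# 2: no "*passphrase" line anywhere, so the sed address itself is stale
check_tree() {
    hits=$(list_default_passphrases "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" >&2
        return 1
    fi
    [ "$(count_anchor_lines "$1")" -gt 0 ] || return 2
    return 0
}

# Constructed sample trees (not real cfengine source) for trying the check.
make_sample_trees() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/stock/cf-key" "$root/patched/cf-key" "$root/renamed/cf-key"
    printf '%s\n' 'static char *passphrase = "Cfengine passphrase";' > "$root/stock/cf-key/a.c"
    printf '%s\n' 'char *passphrase = "public";' > "$root/stock/cf-key/b.c"
    printf '%s\n' 'static char *passphrase = "privsecret";' > "$root/patched/cf-key/a.c"
    printf '%s\n' 'static char *key_pw = "Cfengine passphrase";' > "$root/renamed/cf-key/a.c"
    printf '%s\n' "$root"
}

# Usage: sh check-passphrase.sh "${WRKSRC}"
if [ $# -gt 0 ]; then
    check_tree "$1"
fi
```

Exit status 2 is the case to watch after a port update: it means upstream no longer has any line the sed address can match, so the substitution needs to be rewritten rather than trusted.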