From owner-freebsd-ports@FreeBSD.ORG Fri Aug 16 12:31:03 2013
Date: Fri, 16 Aug 2013 14:24:19 +0200
From: Michael Gmelin
To: Michael Gmelin
Cc: Baptiste Daroussin, freebsd-ports@freebsd.org
Subject: Re: [patch] various pkg audit issues
Message-ID: <20130816142419.461c2b48@bsd64.grem.de>
In-Reply-To: <20130729210122.5f7b8361@bsd64.grem.de>
References: <20130729210122.5f7b8361@bsd64.grem.de>
List-Id: Porting software to FreeBSD

Any feedback / ideas on this?

On Mon, 29 Jul 2013 21:01:22 +0200 Michael Gmelin wrote:

> Hi,
>
> periodic/410.pkg-audit produces inconsistent output depending on whether
> the database has been fetched or not. Since the default db expiry is
> two days this produces alternating output, e.g.:
>
> Day 1:
> Checking for packages with security vulnerabilities:
> subversion-1.7.10
>
> Day 2:
> Checking for packages with security vulnerabilities:
> Database fetched: Sun Jul 28 03:02:06 UTC 2013
> subversion-1.7.10 is vulnerable:
> subversion -- remotely triggerable "Assertion failed" DoS
> vulnerability or read overflow.
>
> WWW: http://portaudit.FreeBSD.org/2ae24334-f2e6-11e2-8346-001e8c75030d.html
>
> 1 problem(s) in your installed packages found.
>
> Day 3:
> Checking for packages with security vulnerabilities:
> subversion-1.7.10
>
> And so on.
>
> The attached patch (also available at [1]) fixes this by running pkg
> audit a second time in case a vulnerability has been found on the
> first (fetching) run.
>
> This is merely a workaround; IMHO it would be best to provide a "fetch
> only" option to pkg audit and do fetching and checking in two separate
> invocations.
>
> The default of two days for daily_status_security_pkgaudit_expiry
> does not seem a good choice. I would suggest changing it to one day, so
> that the periodic job always uses the latest version of the audit
> database (you don't want to lose an extra day learning about that
> remotely exploitable vulnerability - anything > one day should be the
> exception and not the rule at this point).
>
> It seems like pkg audit doesn't validate the signature of auditfile
> after fetching it. I originally introduced this signature to
> portaudit to mitigate a remote command execution vulnerability (see
> [2]). The potential for remote code execution is lower compared to
> ports-mgmt/portaudit, since auditfile is not processed by shell
> scripts directly - even though its output might be processed by
> users, which is not that uncommon. Regardless, checking the signature would be
> reasonable to ensure that auditfile has not been tampered with,
> especially since it's fetched using plain http and could get faked
> quite easily (e.g. DNS spoofing or transparent proxying).
>
> It also seems like pkg audit doesn't check the CREATED header of
> auditfile, therefore it won't complain in case an outdated auditfile
> is used. This could be used in a malicious way or simply happen by
> accident in setups where machines, which are not directly connected
> to the internet, access a copy on the local network that might have
> stopped receiving updates.
>
> By implementing both features, signature and creation timestamp
> checking, pkg audit would ensure that always a recent and
> authoritative vulnerability database is used.
>
> Michael
>
> [1] http://blog.grem.de/0001-Ensure-pkg-audit-periodic-output-consistency.patch
> [2] http://vuxml.freebsd.org/freebsd/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
>
> --
> Michael Gmelin
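The CREATED-header check described in the quoted message, written out as an added example. This is not code from the message, from the attached patch, or from pkg itself; it is a stand-alone POSIX sh script that reads an auditfile, parses its creation timestamp and refuses to treat the database as trustworthy when it is older than a configurable maximum age (or when the header is missing or malformed, which a tampered or truncated copy would also produce). The header format it assumes is `#CREATED: YYYY-MM-DD HH:MM:SS` in UTC; the sample auditfile it writes is constructed for illustration and reuses only the subversion advisory URL quoted above. Date arithmetic is done in shell so the script behaves identically on FreeBSD and Linux without depending on GNU or BSD `date -d` / `date -j` flags.

```shell
#!/bin/sh
# Freshness check for a portaudit/pkg-style auditfile based on its CREATED
# header.  Assumption (not taken from the message): the header line reads
#   #CREATED: YYYY-MM-DD HH:MM:SS        (UTC)
# Usage: ./auditfile-check.sh FILE [MAX_AGE_SECONDS]   (default: one day)

# days_since_epoch Y M D -> prints days since 1970-01-01 (proleptic Gregorian).
days_since_epoch() {
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi      # year starts in March
    era=$((y / 400))
    yoe=$((y - era * 400))                        # year of era, 0..399
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))           # day of (March-based) year
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# auditfile_created_epoch FILE -> prints the CREATED timestamp as Unix time.
# Returns 1 when the header is missing or malformed; callers must treat that
# as "do not trust this database", not as "skip the check".
auditfile_created_epoch() {
    stamp=$(sed -n '/^#CREATED:/{s/^#CREATED:[[:space:]]*//p;q;}' "$1" 2>/dev/null)
    [ -n "$stamp" ] || return 1
    # Split "YYYY-MM-DD HH:MM:SS" into six numeric fields.
    set -- $(printf '%s\n' "$stamp" | tr ':-' '  ')
    [ $# -eq 6 ] || return 1
    case "$1$2$3$4$5$6" in *[!0-9]*) return 1 ;; esac
    # Strip one leading zero so "08" is not parsed as (invalid) octal by $(( )).
    days=$(days_since_epoch "$1" "${2#0}" "${3#0}")
    echo $((days * 86400 + ${4#0} * 3600 + ${5#0} * 60 + ${6#0}))
}

# auditfile_is_fresh FILE MAX_AGE_SECONDS [NOW_EPOCH]
# Returns 0 when the database was created within MAX_AGE_SECONDS of NOW and
# 1 otherwise.  A timestamp in the future is rejected as well: a forged file
# dated far ahead would otherwise pass the age check indefinitely.
auditfile_is_fresh() {
    file=$1 max_age=$2 now=${3:-$(date +%s)}
    created=$(auditfile_created_epoch "$file") || return 1
    age=$((now - created))
    [ "$age" -ge 0 ] && [ "$age" -le "$max_age" ]
}

# make_sample_auditfile -> writes a constructed auditfile (not a real download)
# to a temp file and prints its path, for trying the functions offline.
make_sample_auditfile() {
    f=$(mktemp "${TMPDIR:-/tmp}/auditfile.XXXXXX") || return 1
    cat > "$f" <<'EOF'
#CREATED: 2013-07-28 03:02:06
#NOTE: constructed sample entry for illustration, not a real feed
subversion<=1.7.10|http://portaudit.FreeBSD.org/2ae24334-f2e6-11e2-8346-001e8c75030d.html|subversion -- remotely triggerable "Assertion failed" DoS vulnerability or read overflow
EOF
    echo "$f"
}

# Stand-alone use: report and exit non-zero when the database must not be trusted.
if [ -n "$1" ]; then
    max=${2:-86400}
    if auditfile_is_fresh "$1" "$max"; then
        echo "auditfile OK: created $(auditfile_created_epoch "$1") (Unix time), within ${max}s"
    else
        echo "auditfile REJECTED: CREATED header missing, malformed, or older than ${max}s" >&2
        exit 1
    fi
fi
```

Run as a gate before the actual `pkg audit` call in a periodic job: a non-zero exit means the periodic output should say the database could not be validated rather than silently reporting zero vulnerabilities against stale data, which is exactly the failure mode the message describes for hosts that pull the file from a mirror on the local network.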