From owner-freebsd-ports@FreeBSD.ORG Fri Aug 16 13:15:32 2013
Message-ID: <520E25EE.9000403@freebsd.org>
Date: Fri, 16 Aug 2013 14:15:26 +0100
From: Matthew Seaman
To: freebsd-ports@freebsd.org
Subject: Re: [patch] various pkg audit issues
References: <20130729210122.5f7b8361@bsd64.grem.de> <20130816142419.461c2b48@bsd64.grem.de>
In-Reply-To: <20130816142419.461c2b48@bsd64.grem.de>
On 16/08/2013 13:24, Michael Gmelin wrote:
> Any feedback / ideas on this?
>
> On Mon, 29 Jul 2013 21:01:22 +0200
> Michael Gmelin wrote:
>
>> Hi,
>>
>> periodic/410.pkg-audit produces inconsistent output depending on whether
>> the database has been fetched or not. Since the default db expiry is
>> two days this produces alternating output, e.g.:
>>
>> Day 1:
>> Checking for packages with security vulnerabilities:
>> subversion-1.7.10
>>
>> Day 2:
>> Checking for packages with security vulnerabilities:
>> Database fetched: Sun Jul 28 03:02:06 UTC 2013
>> subversion-1.7.10 is vulnerable:
>> subversion -- remotely triggerable "Assertion failed" DoS
>> vulnerability or read overflow.
>>
>> WWW:
>> http://portaudit.FreeBSD.org/2ae24334-f2e6-11e2-8346-001e8c75030d.html
>>
>> 1 problem(s) in your installed packages found.
>>
>> Day 3:
>> Checking for packages with security vulnerabilities:
>> subversion-1.7.10
>>
>> And so on.
>>
>> The attached patch (also available at [1]) fixes this by running pkg
>> audit a second time in case a vulnerability has been found on the
>> first (fetching) run.
>>
>> This is merely a workaround, IMHO it would be best to provide a "fetch
>> only" option to pkg audit and do fetching and checking in two separate
>> invocations.
>>
>> The default of two days for daily_status_security_pkgaudit_expiry
>> does not seem a good choice, I would suggest changing it to one day, so
>> that the periodic job always uses the latest version of the audit
>> database (you don't want to lose an extra day learning about that
>> remotely exploitable vulnerability - anything > one day should be the
>> exception and not the rule at this point).
>>
>> It seems like pkg audit doesn't validate the signature of auditfile
>> after fetching it. I originally introduced this signature to
>> portaudit to mitigate a remote command execution vulnerability (see
>> [2]). The potential for remote code execution is lower compared to
>> ports-mgmt/portaudit, since auditfile is not processed by shell
>> scripts directly - even though its output might be processed by
>> users, not that uncommon. Regardless, checking the signature would be
>> reasonable to ensure that auditfile has not been tampered with,
>> especially since it's fetched using plain http and could get faked
>> quite easily (e.g. DNS spoofing or transparent proxying).
>>
>> It also seems like pkg audit doesn't check the CREATED header of
>> auditfile, therefore it won't complain in case an outdated auditfile
>> is used. This could be used in a malicious way or simply happen by
>> accident in setups where machines, which are not directly connected
>> to the internet, access a copy on the local network that might have
>> stopped receiving updates.
>>
>> By implementing both features, signature and creation timestamp
>> checking, pkg audit would ensure that a recent and authoritative
>> vulnerability database is always used.
>>
>> Michael
>>
>> [1] http://blog.grem.de/0001-Ensure-pkg-audit-periodic-output-consistency.patch
>> [2] http://vuxml.freebsd.org/freebsd/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html

Thanks for the patch. I'll have a look at this over the weekend. I agree
that next-day alerts to any new vulnerabilities are desirable nowadays.
And your comments about checking the CREATED header are valid too.

Cheers,

Matthew

PS. While we are happy to receive feedback by any channel, opening an
issue on GitHub is our preferred mechanism: we can't miss that, and it
won't get accidentally forgotten.
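As an added example, not code from the thread or from pkg itself, this is the kind of CREATED-header freshness check Michael asks pkg audit to perform before trusting a fetched auditfile; the header layout it parses (a '#CREATED: YYYY-MM-DD HH:MM:SS' comment line followed by 'pkgspec|url|description' entries) is an assumption, and the sample file is constructed.

```python
"""Added example (not pkg's own code): reject an auditfile whose CREATED
header is missing, malformed, future-dated or older than the periodic
expiry, so a stale mirror or a replayed old copy cannot hide new advisories.
Assumed layout: '#...' header lines, then 'pkgspec|url|description' entries."""
import re
from datetime import datetime, timedelta, timezone

CREATED_RE = re.compile(r"^#CREATED:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$")

# Constructed sample mirroring the subversion entry quoted in the thread.
SAMPLE_AUDITFILE = (
    "#CREATED: 2013-07-28 03:02:06\n"
    "subversion<=1.7.10|http://portaudit.FreeBSD.org/"
    "2ae24334-f2e6-11e2-8346-001e8c75030d.html|"
    'subversion -- remotely triggerable "Assertion failed" DoS vulnerability\n'
)


def utc(stamp):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_created(text):
    """Return the CREATED timestamp, or None if the header is missing or malformed."""
    for line in text.splitlines():
        if not line.startswith("#"):
            return None  # header block ended without a CREATED line
        m = CREATED_RE.match(line)
        if m:
            try:
                return utc(m.group(1))
            except ValueError:  # e.g. month 13: treat as untrusted
                return None
    return None


def check_freshness(text, now, max_age=timedelta(days=1), skew=timedelta(hours=1)):
    """Return (ok, reason); max_age mirrors the one-day expiry proposed above."""
    created = parse_created(text)
    if created is None:
        return False, "no valid CREATED header; refusing to trust the database"
    if created > now + skew:
        return False, "CREATED lies in the future; clock skew or a tampered file"
    age = now - created
    if age > max_age:
        return False, "database is %d day(s) old; refusing stale data" % age.days
    return True, "database is %s old" % age
```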