From owner-freebsd-security@FreeBSD.ORG  Sat Jul  1 03:33:23 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 54C2716A555
	for <freebsd-security@freebsd.org>;
	Sat,  1 Jul 2006 03:33:23 +0000 (UTC)
	(envelope-from cperciva@freebsd.org)
Received: from pd3mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net
	[24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 30F6044190
	for <freebsd-security@freebsd.org>;
	Sat,  1 Jul 2006 03:13:47 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd4mr7so.prod.shaw.ca (pd4mr7so-qfe3.prod.shaw.ca [10.0.141.84])
	by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15
	2004)) with ESMTP id <0J1P003XIFMYJ140@l-daemon> for
	freebsd-security@freebsd.org; Fri, 30 Jun 2006 21:13:46 -0600 (MDT)
Received: from pn2ml2so.prod.shaw.ca ([10.0.121.146])
	by pd4mr7so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01
	(built Mar
	15 2004)) with ESMTP id <0J1P007IKFMYARD0@pd4mr7so.prod.shaw.ca> for
	freebsd-security@freebsd.org; Fri, 30 Jun 2006 21:13:46 -0600 (MDT)
Received: from hexahedron.daemonology.net ([24.82.18.31])
	by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15
	2004)) with SMTP id <0J1P004G7FMX71O0@l-daemon> for
	freebsd-security@freebsd.org; Fri, 30 Jun 2006 21:13:46 -0600 (MDT)
Received: (qmail 929 invoked from network); Sat, 01 Jul 2006 03:13:44 +0000
Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1)
	by localhost with SMTP; Sat, 01 Jul 2006 03:13:44 +0000
Date: Fri, 30 Jun 2006 20:13:44 -0700
From: Colin Percival <cperciva@freebsd.org>
In-reply-to: <A4B2840BABACAB46A3100E0DCD4DEDDDC42349@IMCSRV3.MITRE.ORG>
To: "Dolan- Gavitt, Brendan F." <brendandg@mitre.org>
Message-id: <44A5E868.60508@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7bit
X-Enigmail-Version: 0.94.0.0
References: <A4B2840BABACAB46A3100E0DCD4DEDDDC42349@IMCSRV3.MITRE.ORG>
User-Agent: Thunderbird 1.5 (X11/20060416)
Cc: freebsd-security@freebsd.org
Subject: Re: Determining vulnerability to issues described by SAs
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jul 2006 03:33:23 -0000

Dolan- Gavitt, Brendan F. wrote:
>   I've been trying for the past few days to come up with a method for
> checking a FreeBSD system to see if it is vulnerable to an issue
> described by a FreeBSD security advisory in some automated way [...]

Yes, this is a problem.

> 	[1] Checking the patchlevel as reported by uname -r.
> 	[2] Checking the RCS version tags in the source files listed as
> changed by the SA
> 	[3] Using ident on the binaries affected to extract the RCS
> tags of the source files used to compile them.
> 
> [1] Can fail if the user updates through binary patches of the sort
> offered by freebsd-update; as far as I can tell, these do not affect
> the output of uname unless they directly patch the kernel. Worse, the
> patchlevel reported may be up-to-date even if the userland is still
> vulnerable to an issue mentioned in an SA (eg if the user does a make
> buildkernel but not a make buildworld).

Yes.  Also, the instructions contained in advisories usually involve
rebuilding only the affected part(s) of FreeBSD -- we've considered
having a "kernel patch number" and "userland patch number" separately,
but even this wouldn't really work.

> [2] Can fail if the user does not build from source to update the
> system.

It would also fail if people update their src tree by applying the
patches distributed on http://security.freebsd.org/, since these patches
don't modify the $FreeBSD$ CVS tags.

> [3] Should work in all cases (aside from custom modifications to the
> sources, but there's really no way to handle this case), but I don't
> know of any way to automatically determine what binary to ident based
> on the list of source files given in a security advisory.

Most binaries do not include $FreeBSD$ tags corresponding to all of the
source files used to compile them, so this approach doesn't work very
well, even if the user is updating their source tree with a method which
propagates the $FreeBSD$ tags.  In addition, FreeBSD Update does not
include updated $FreeBSD$ tags, since the new values in those tags are
generated at commit time, well after the FreeBSD Update builds are run.

>   I'm fairly new to FreeBSD, so I may just be missing something
> here--is there a reliable way to determine if a system is patched
> according to a particular security advisory?

In short, no.  If you have any ideas, let me know. :-)

Colin Percival