ports/62039: [PATCH] bsd.port.mk: don't install vulnerable ports
Oliver Eikemeier
eikemeier at fillmore-labs.com
Wed Jan 28 19:20:30 UTC 2004
>Number: 62039
>Category: ports
>Synopsis: [PATCH] bsd.port.mk: don't install vulnerable ports
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 28 11:20:17 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Oliver Eikemeier
>Release: FreeBSD 4.9-STABLE i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.9-STABLE
>Description:
- Don't install ports listed in the portaudit vulnerability database
- Choose ${LOCALBASE}/sbin/pkg_* when installed on systems > 4.6
>How-To-Repeat:
Apply the patch below to bsd.port.mk
cd /usr/ports/security/portaudit; make install
/usr/local/etc/periodic/daily/330.fetchaudit
cd /usr/ports/security/vulnerability-test-port
make INSTALLATION_DATE=`date -u -v-14d "+%Y.%m.%d"` install
===> vulnerability-test-port-2004.01.14 has known vulnerabilities:
>Fix:
--- bsd.port.mk.orig Sun Jan 25 19:44:54 2004
+++ bsd.port.mk Wed Jan 28 19:45:47 2004
@@ -2011,24 +2011,25 @@
PKGORIGIN?= ${PKGCATEGORY}/${PORTDIRNAME}
.endif
-.if ${OSVERSION} < 460102 && ${PKGORIGIN} != "sysutils/pkg_install"
-BUILD_DEPENDS+= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install
.if exists(${LOCALBASE}/sbin/pkg_info)
PKG_CMD?= ${LOCALBASE}/sbin/pkg_create
PKG_ADD?= ${LOCALBASE}/sbin/pkg_add
PKG_DELETE?= ${LOCALBASE}/sbin/pkg_delete
PKG_INFO?= ${LOCALBASE}/sbin/pkg_info
+PKG_VERSION?= ${LOCALBASE}/sbin/pkg_version
+.elif ${OSVERSION} < 460102 && ${PKGORIGIN} != "sysutils/pkg_install"
+BUILD_DEPENDS+= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install
+PKG_CMD?= ${LOCALBASE}/sbin/pkg_create
+PKG_ADD?= ${LOCALBASE}/sbin/pkg_add
+PKG_DELETE?= ${LOCALBASE}/sbin/pkg_delete
+PKG_INFO?= ${LOCALBASE}/sbin/pkg_info
+PKG_VERSION?= ${LOCALBASE}/sbin/pkg_version
.else
PKG_CMD?= /usr/sbin/pkg_create
PKG_ADD?= /usr/sbin/pkg_add
PKG_DELETE?= /usr/sbin/pkg_delete
PKG_INFO?= /usr/sbin/pkg_info
-.endif
-.else
-PKG_CMD?= /usr/sbin/pkg_create
-PKG_ADD?= /usr/sbin/pkg_add
-PKG_DELETE?= /usr/sbin/pkg_delete
-PKG_INFO?= /usr/sbin/pkg_info
+PKG_VERSION?= /usr/sbin/pkg_version
.endif
# Does the pkg_create tool support conflict checking?
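Review bot: The new `.if exists(${LOCALBASE}/sbin/pkg_info)` branch at the top of the hunk sets `PKG_VERSION?= ${LOCALBASE}/sbin/pkg_version`, but only pkg_info's presence is tested, and this branch now wins on every OSVERSION as soon as the port tree has pkg_info installed. A LOCALBASE tree holding pkg_info without pkg_version would make the check-vulnerable target of the second hunk invoke a binary that does not exist. Testing both, `.if exists(${LOCALBASE}/sbin/pkg_info) && exists(${LOCALBASE}/sbin/pkg_version)`, lets the remaining branches handle that case. A one-line comment above the condition stating that a LOCALBASE pkg_install is now preferred over the base tools even on releases where the base versions would be accepted would also help the next reader, since the old code only did that below 460102.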
@@ -2999,6 +3000,43 @@
.endif
.endif
+# Check if the port is listed in the vulnerability database
+
+.if ${PKGINSTALLVER} < 20040125 || ${OSVERSION} < 420001 || ${OSVERSION} >= 500000 && ${OSVERSION} < 500014
+DISABLE_VULNERABILITIES= yes
+.endif
+
+AUDITFILE?= /var/db/portaudit/auditfile.tbz
+_EXTRACT_AUDITFILE= ${TAR} -jxOf "${AUDITFILE}" auditfile
+
+check-vulnerable:
+.if !defined(DISABLE_VULNERABILITIES) && !defined(PACKAGE_BUILDING)
+ @if [ -f "${AUDITFILE}" ]; then \
+ audit_created=`${_EXTRACT_AUDITFILE} | \
+ ${SED} -nEe "1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$$/\1\2\3/p"`; \
+ audit_expiry=`date -u -v-14d "+%Y%m%d"`; \
+ if [ "$$audit_created" -lt "$$audit_expiry" ]; then \
+ ${ECHO_MSG} "===> WARNING: Vulnerability database out of date, checking anyway"; \
+ fi; \
+ vlist=`${_EXTRACT_AUDITFILE} | ${AWK} -F\| ' \
+ /^[^#]/ { \
+ if (!system("${PKG_VERSION} -T \"${PKGNAME}\" \"" $$1 "\"")) \
+ print ">> " $$3 ".\n Reference: <" $$2 ">" \
+ } \
+ '`; \
+ if [ -n "$$vlist" ]; then \
+ ${ECHO_MSG} "===> ${PKGNAME} has known vulnerabilities:"; \
+ ${ECHO_MSG} "$$vlist"; \
+ ${ECHO_MSG} ">> Please update your ports tree and try again."; \
+ exit 1; \
+ fi; \
+ else \
+ ${ECHO_MSG} "===> Vulnerability check disabled, database not found"; \
+ fi
+.else
+ @${ECHO_MSG} "===> Vulnerability check disabled"
+.endif
+
# Fetch
.if !target(do-fetch)
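Review bot: In the awk loop of check-vulnerable, `if (!system("${PKG_VERSION} -T ..."))` treats every non-zero exit of ${PKG_VERSION} as "not affected", so a missing or failing pkg_version (command not found, unsupported `-T`, malformed pattern) silently lets a vulnerable port through instead of stopping the build. The first field of each database record is also spliced verbatim into the system() command string, so a record containing a double quote, backquote or `$` would be interpreted by the shell; as the file is presumably fetched by the periodic script named under How-To-Repeat, a sanity check on that field before it reaches a shell is warranted. I would capture the return code, treat only 1 as "no match", skip records with shell metacharacters, and fail the target when the check itself could not run; the rewritten lines below do that, switching the `vlist=` substitution from backticks to `$$(...)` so the regex can mention a backquote. The `.if` a few lines above would also read better as `${PKGINSTALLVER} < 20040125 || ${OSVERSION} < 420001 || (${OSVERSION} >= 500000 && ${OSVERSION} < 500014)`, making the intended grouping explicit.
```make
	vlist=$$(${_EXTRACT_AUDITFILE} | ${AWK} -F\| ' \
		/^[^#]/ { \
			if ($$1 ~ /["$$\\`]/) { bad = 1; next } \
			rc = system("${PKG_VERSION} -T \"${PKGNAME}\" \"" $$1 "\""); \
			if (rc == 0) \
				print ">> " $$3 ".\n Reference: <" $$2 ">"; \
			else if (rc != 1) \
				bad = 1 \
		} \
		END { if (bad) exit 2 } \
	') || { ${ECHO_MSG} "===> Vulnerability check could not be completed, aborting"; exit 1; }; \
	# … unchanged: vlist reporting, database-missing branch …
```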
@@ -3668,7 +3706,7 @@
_SANITY_SEQ= pre-everything check-makefile check-categories \
check-makevars check-depends check-deprecated \
- buildanyway-message options-message
+ check-vulnerable buildanyway-message options-message
_FETCH_DEP= check-sanity
_FETCH_SEQ= fetch-depends pre-fetch pre-fetch-script \
do-fetch post-fetch post-fetch-script
>Release-Note:
>Audit-Trail:
>Unformatted:
>> Not vulnerable, just a test port (database: 2004-01-28).
Reference: <http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vulnerability-test-port/>
>> Please update your ports tree and try again.
*** Error code 1
Stop in /usr/ports/security/vulnerability-test-port.