can portaudit report a fixed date/version?

Simon L. Nielsen simon at FreeBSD.org
Mon Oct 25 02:07:14 PDT 2004


On 2004.10.19 20:32:13 -0400, Dan Langille wrote:
> On Tue, 19 Oct 2004, Jacques A. Vidrine wrote:
> 
> > > It would save many admins quite a bit of time.
> >
> > How so?  (serious question)
> 
> I don't have time just now to answer the other questions but I can answer
> this one.
> 
> Portaudit tells me that port xyz is vulnerable.  But there is no
> fix.  How do I know when there is a fix?  Only by checking FreshPorts, cvs
> logs, the ports tree, trying to install the port, portupgrade, etc.  I
> could do this daily for days without a fix.
> 
> Instead, if portaudit reported that port xyz is vulnerable and that there
> is a fix (if there actually is a fix), then all I need to do is monitor my
> daily security email that automagically includes the output of portaudit.
> I can then instantly know that it's time to run portupgrade on port xyz.

Since I really didn't think this should be that hard to do I made a
simple proof-of-concept patch to implement this.  It is currently an
ugly hack, but it works (well, in most cases it should anyway).  It
requires an updated INDEX-5 to be on the system.

I don't have the time to make a proper patch at the moment, but I will
perhaps next week... I mainly post the current patch here for
inspiration if somebody else would like to play with this further.

-- 
Simon L. Nielsen
FreeBSD Documentation Team
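The lookup the patch performs, written out here as an added stand-alone example (it is not code from the patch or from portaudit): the installed package's origin is matched against the whole second INDEX field instead of with a bare egrep, and the loose variant is kept alongside to show why that matters.  The INDEX lines and the "installed" packages are constructed sample data; the INDEX-5 file name and the pkg_info/portaudit commands it refers to are the ones named in the message above.

```sh
#!/bin/sh
# Added example (not part of Simon's patch): find the current ports-tree
# pkgname for an installed package's origin by matching the second INDEX
# field exactly, and report it as a candidate fix when it differs from the
# installed version.  The sample INDEX lines below are constructed data.
#
# INDEX line layout (|-separated):
#   pkgname|/usr/ports/category/port|prefix|comment|pkg-descr path|maintainer|categories|build-deps|run-deps|www

# Constructed sample INDEX.  foo-devel is listed before foo on purpose:
# its origin and its pkg-descr path both contain "/usr/ports/www/foo".
SAMPLE_INDEX=$(cat <<'EOF'
foo-devel-2.0|/usr/ports/www/foo-devel|/usr/local|Sample foo (devel)|/usr/ports/www/foo-devel/pkg-descr|nobody@example.org|www|||http://example.org/
foo-1.0|/usr/ports/www/foo|/usr/local|Sample foo|/usr/ports/www/foo/pkg-descr|nobody@example.org|www|||http://example.org/
bar-3.2_1|/usr/ports/security/bar|/usr/local|Sample bar|/usr/ports/security/bar/pkg-descr|nobody@example.org|security||foo-1.0|http://example.org/
EOF
)

# Lookup as the proof-of-concept does it: the first line that contains the
# origin path anywhere.  Kept only to show the failure mode.
index_pkgname_loose() {
    printf '%s\n' "$SAMPLE_INDEX" | grep -E "/usr/ports/$1" | head -n 1 | cut -d'|' -f1
}

# Correct lookup: the origin must equal the whole second field.  A string
# comparison also sidesteps ERE metacharacters in origins (e.g. "+", ".").
index_pkgname() {
    printf '%s\n' "$SAMPLE_INDEX" |
        awk -F'|' -v o="/usr/ports/$1" '$2 == o { print $1; exit }'
}

# Given an installed pkgname and its origin (what "pkg_info -oq" prints),
# print the INDEX pkgname if INDEX carries something other than the
# installed version, print nothing if INDEX is no newer, and fail if the
# origin is not in INDEX at all.  The caller would then audit the printed
# candidate ("portaudit -q <candidate>") to decide whether it is fixed.
candidate_fix() {
    installed=$1
    origin=$2
    cur=$(index_pkgname "$origin")
    if [ -z "$cur" ]; then
        echo "candidate_fix: $origin not found in INDEX" >&2
        return 1
    fi
    if [ "$cur" != "$installed" ]; then
        printf '%s\n' "$cur"
    fi
    return 0
}

# Stand-alone run over constructed "pkgname origin" pairs.
printf '%s\n' "foo-1.0 www/foo" "bar-3.1 security/bar" |
while read -r pkg origin; do
    fix=$(candidate_fix "$pkg" "$origin") || continue
    if [ -n "$fix" ]; then
        echo "$pkg: INDEX has $fix (audit it with: portaudit -q $fix)"
    else
        echo "$pkg: no newer version in INDEX"
    fi
done
```

With the sample data, the loose lookup for www/foo returns foo-devel-2.0 because the foo-devel line is matched first, while the field match returns foo-1.0; on a real tree the same thing happens for any origin that is a prefix of another port's origin.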
-------------- next part --------------
Index: files/portaudit-cmd.sh
===================================================================
RCS file: /home/ncvs/ports/security/portaudit/files/portaudit-cmd.sh,v
retrieving revision 1.11
diff -u -d -r1.11 portaudit-cmd.sh
--- files/portaudit-cmd.sh	3 Sep 2004 20:30:54 -0000	1.11
+++ files/portaudit-cmd.sh	25 Oct 2004 08:57:32 -0000
@@ -31,6 +31,13 @@
 # $FreeBSD: ports/security/portaudit/files/portaudit-cmd.sh,v 1.11 2004/09/03 20:30:54 eik Exp $
 #
 
+# WARNING: This is a hacked proof-of-concept version by
+# Simon L. Nielsen <simon at FreeBSD.org>.
+#
+# DO NOT USE THIS UNLESS YOU KNOW WHAT YOU ARE DOING!
+
+INDEX="/usr/ports/INDEX-5"
+
 portaudit_confs()
 {
 	: ${portaudit_dir="%%DATABASEDIR%%"}
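Review bot: `INDEX="/usr/ports/INDEX-5"`, added before `portaudit_confs()`, hard-codes both the ports tree location and the 5.x INDEX file name, and nothing checks that the file exists before `audit_installed()` greps it, even though the message says an up-to-date INDEX-5 is required. Put the setting inside `portaudit_confs()` using the existing `: ${portaudit_dir="%%DATABASEDIR%%"}` idiom, e.g. `: ${portaudit_index="${PORTSDIR:-/usr/ports}/INDEX-5"}` with the suffix derived from the running major release, so it can be overridden from the config file, and fail with a clear message when the file is missing or older than the ports tree.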
@@ -125,6 +132,11 @@
 	return 0
 }
 
+# The actual check for the current version from INDEX should be
+# something like this... :
+# 
+# curvercmd="egrep \'^[^|]+\|/usr/ports/" origin "\|\'" "/usr/ports/INDEX-5"
+
 audit_installed()
 {
 	local rc=0
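Review bot: the commented-out `curvercmd` above `audit_installed()` is the correct, anchored form of the INDEX lookup (`^[^|]+\|/usr/ports/<origin>\|` pins the origin to the second field), yet the code that actually runs in the next hunk uses the unanchored `egrep /usr/ports/" origin`. Either implement the anchored pattern in `audit_installed()` or drop the comment; leaving the intended check as dead text next to a weaker live one is a trap for the next editor. If it is made live, note that `\'` cannot be used inside the shell single-quoted awk program (the `'"$pkg_info"'` idiom shows the program is single-quoted), so the pattern would have to be passed in via a shell variable or `-v`.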
@@ -148,6 +160,21 @@
 			cmd="'"$pkg_info"' -E \"" $1 "\""
 			while((cmd | getline pkg) > 0) {
 				vul++
+				origincmd="'"$pkg_info"' -oq " pkg
+				if (origincmd | getline origin) {
+					curvercmd="egrep /usr/ports/" origin " '"$INDEX"'"
+					if (curvercmd | getline curverline) {
+						split(curverline, a, "|")
+						curver=a[1]
+						if (! system("portaudit -q " curver)) {
+							print "Fixed version " curver " found."
+						} else {
+							print "Fixed version not found."
+						}
+					}
+					close(curvercmd)
+				}
+				close(origincmd)
 				print_affected(pkg, "")
 			}
 			close(cmd)
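Review bot: `curvercmd="egrep /usr/ports/" origin " '"$INDEX"'"` is an unanchored regular expression, so `getline curverline` takes the first INDEX line that merely contains the origin path: an origin that is a prefix of another port's origin (or that appears inside another line's pkg-descr path) yields the wrong package name, and origins containing ERE metacharacters such as `+` or `.` are misinterpreted. Match the second field instead, e.g. `awk -F'|' -v o=/usr/ports/<origin> '$2 == o {print $1; exit}'` over the INDEX, or at least anchor the pattern as in the comment above `audit_installed()`. Two smaller points: `! system("portaudit -q " curver)` treats every non-zero exit as "still vulnerable", so a missing database or any other portaudit error is printed as `Fixed version not found`; and the recursive `portaudit` call resolves through `$PATH` rather than the running script and spawns a full portaudit run per vulnerable package. Finally, when `pkg_info -oq` yields no origin or the origin is absent from INDEX, nothing at all is printed, so the admin gets no hint why no fix status appeared for that package.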