authorSimon L. B. Nielsen <simon@FreeBSD.org>2012-03-11 21:30:49 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2012-03-11 21:30:49 +0000
commit4d22b6af09c6cea8d538b8b33c28abff0f325de9 (patch)
tree2e22d91a5857b0108d555c98c3ffad6c9faa8928 /Mk
parent7c588a6b6d8e32e26f2bc40b6d1fa1863998243e (diff)
Make bsd.port.mk not parse port audit's auditfile directly to
check for vulnerabilities, but call portaudit instead. This fixes a remote command execution vulnerability for users who have portaudit installed. While changing the code anyway, remove the annoying and very verbose "Vulnerability check disabled, database not found" warning. Security: Remote code execution Security: http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html Approved by: portmgr Feature safe: yes (or at least approved) With hat: so
Notes
Notes: svn path=/head/; revision=293128
Diffstat (limited to 'Mk')
-rw-r--r--Mk/bsd.port.mk19
1 files changed, 5 insertions, 14 deletions
diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
index c6d55a8a3713..522a87876ef7 100644
--- a/Mk/bsd.port.mk
+++ b/Mk/bsd.port.mk
@@ -3408,21 +3408,14 @@ _EXTRACT_AUDITFILE= ${TAR} -jxOf "${AUDITFILE}" auditfile
check-vulnerable:
.if !defined(DISABLE_VULNERABILITIES) && !defined(PACKAGE_BUILDING)
@if [ -f "${AUDITFILE}" ]; then \
- audit_created=`${_EXTRACT_AUDITFILE} | \
- ${SED} -nEe "1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$$/\1\2\3/p"`; \
- audit_expiry=`/bin/date -u -v-14d "+%Y%m%d"`; \
- if [ "$$audit_created" -lt "$$audit_expiry" ]; then \
- ${ECHO_MSG} "===> WARNING: Vulnerability database out of date, checking anyway"; \
- fi; \
if [ -n "${WITH_PKGNG}" ]; then \
vlist=`${PKG_BIN} audit "${PKGNAME}"`; \
+ elif [ -x "${LOCALBASE}/sbin/portaudit" ]; then \
+ vlist=`${LOCALBASE}/sbin/portaudit -X 14 "${PKGNAME}" \
+ 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' \
+ || true`; \
else \
- vlist=`${_EXTRACT_AUDITFILE} | ${GREP} "${PORTNAME}" | \
- ${AWK} -F\| ' /^[^#]/ { \
- if (!system("${PKG_VERSION} -T \"${PKGNAME}\" \"" $$1 "\"")) \
- print "=> " $$3 ".\n Reference: " $$2 \
- } \
- '`; \
+ ${ECHO_MSG} "===> portaudit database exist, but portaudit not found!"; \
fi; \
if [ -n "$$vlist" ]; then \
${ECHO_MSG} "===> ${PKGNAME} has known vulnerabilities:"; \
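Review bot: The new `elif` branch calls a bare `grep -vE`, while the line it replaces used `${GREP}` and the rest of the hunk goes through `${SED}`, `${AWK}` and `${ECHO_MSG}`; it should read `2>&1 | ${GREP} -vE '^[0-9]+ problem\(s\) found.' \` so the tool stays overridable like the others. The new fallback message has a grammar slip and should be `${ECHO_MSG} "===> portaudit database exists, but portaudit not found!"; \`. Because `2>&1` folds portaudit's stderr into `vlist`, any diagnostic other than the filtered summary line makes the later `-n "$$vlist"` test fire and the build exit 1; that fail-closed behaviour looks intentional but is not obvious from the code, so a make comment above `check-vulnerable:` such as `# portaudit stderr is captured on purpose: any error it reports is treated like a vulnerability and stops the build` would help the next maintainer. The `check-vulnerable` recipe continues past the end of this hunk.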
@@ -3430,8 +3423,6 @@ check-vulnerable:
${ECHO_MSG} "=> Please update your ports tree and try again."; \
exit 1; \
fi; \
- else \
- ${ECHO_MSG} "===> Vulnerability check disabled, database not found"; \
fi
.endif