authorOliver Eikemeier <eik@FreeBSD.org>2004-01-27 19:24:52 +0000
committerOliver Eikemeier <eik@FreeBSD.org>2004-01-27 19:24:52 +0000
commit34522b5af15a19582c575c9bb11828b98a51dbf9 (patch)
tree9c52b27d0b4d87ef198a2f7bb721905d3b405d12 /ports-mgmt/portaudit
parentRemove useless explicit dependency on gnugetopt, taken care of by (diff)
portaudit provides a list of published security vulnerabilities
of FreeBSD ports and tools to check if installed ports are listed. Since this is a prerelease version, it is mostly usable for committers that want to contribute to the project, and can currently not be relied upon as an extensive security auditing tool.
Notes
Notes: svn path=/head/; revision=99292
Diffstat (limited to 'ports-mgmt/portaudit')
-rw-r--r--ports-mgmt/portaudit/Makefile51
-rw-r--r--ports-mgmt/portaudit/database/auditfile.txt27
-rw-r--r--ports-mgmt/portaudit/files/fetchaudit.sh81
-rw-r--r--ports-mgmt/portaudit/files/portaudit.functions23
-rw-r--r--ports-mgmt/portaudit/files/portaudit.sh87
-rw-r--r--ports-mgmt/portaudit/pkg-descr17
-rw-r--r--ports-mgmt/portaudit/pkg-plist9
7 files changed, 295 insertions, 0 deletions
diff --git a/ports-mgmt/portaudit/Makefile b/ports-mgmt/portaudit/Makefile
new file mode 100644
index 000000000000..ff09854b21e3
--- /dev/null
+++ b/ports-mgmt/portaudit/Makefile
@@ -0,0 +1,51 @@
+# New ports collection makefile for: portaudit
+# Date created: 25 Jan 2004
+# Whom: Oliver Eikemeier
+#
+# $FreeBSD$
+#
+
+PORTNAME= portaudit
+PORTVERSION= 0.1
+CATEGORIES= security
+DISTFILES=
+
+MAINTAINER= eik@FreeBSD.org
+COMMENT= Checks installed ports against a list of security vulnerabilities
+
+PERIODICDIR?= ${PREFIX}/etc/periodic
+DATABASEDIR?= /var/db/portaudit
+
+PLIST_SUB+= PERIODICDIR="${PERIODICDIR:S,^${PREFIX}/,,}" \
+ DATABASEDIR="${DATABASEDIR}"
+
+PKG_INFO_BASE?= /usr/sbin/pkg_info
+BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null
+
+.if ${BASEPKGVER} < 20040125
+RUN_DEPENDS= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} < 420001 || ${OSVERSION} >= 500000 && ${OSVERSION} < 500014
+IGNORE= "You need tar with bzip support to run portaudit"
+.endif
+
+do-build:
+.for f in portaudit.sh fetchaudit.sh portaudit.functions
+ @${SED} -e "s|%%DATADIR%%|${DATADIR}|g" \
+ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g" \
+ ${FILESDIR}/${f} > ${WRKDIR}/${f}
+.endfor
+
+do-install:
+ @${MKDIR} ${PERIODICDIR}/security
+ @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/910.portaudit
+ @${MKDIR} ${PERIODICDIR}/daily
+ @${INSTALL_SCRIPT} ${WRKDIR}/fetchaudit.sh ${PERIODICDIR}/daily/330.fetchaudit
+ @${MKDIR} ${DATADIR}
+ @${INSTALL_DATA} ${WRKDIR}/portaudit.functions ${DATADIR}
+ @${MKDIR} ${DATABASEDIR}
+
+.include <bsd.port.post.mk>
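Review bot: `.if ${BASEPKGVER} < 20040125` is a malformed conditional whenever `${PKG_INFO_BASE} -qP` prints nothing, which is precisely the case the guard exists for: a base pkg_info too old to know `-P` writes only to stderr, and the `!=` line discards stderr, so BASEPKGVER is empty and the Makefile fails to parse instead of adding the pkg_install-devel dependency. Cover the empty case explicitly: `.if empty(BASEPKGVER) || ${BASEPKGVER} < 20040125`. The IGNORE condition relies on `&&` binding tighter than `||`; parenthesising the `>= 500000 && < 500014` clause would make the intended version window readable without knowing the precedence rules.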
diff --git a/ports-mgmt/portaudit/database/auditfile.txt b/ports-mgmt/portaudit/database/auditfile.txt
new file mode 100644
index 000000000000..89a325b2add4
--- /dev/null
+++ b/ports-mgmt/portaudit/database/auditfile.txt
@@ -0,0 +1,27 @@
+#
+# auditfile.txt - FreeBSD ports vulnerabilities database
+#
+# $FreeBSD$
+#
+# MAINTAINER=ports@FreeBSD.org
+#
+# Each entry consists of a single line containing the following three
+# fields in the order named, separated with the pipe (`|') character:
+#
+# Package: A pattern that matches the name of the vulnurable
+# package, see `man -M /usr/local/man pkg_info'.
+# Reference: An URL where an advisory can be found
+# Reason: The type of vulnurability found
+#
+# Keep this list sorted in the chronological order. New entries must
+# be added at the end, old entries shouldn't be removed; this should
+# document *all* known package vulnerabilities.
+#
+# This file does not have any designated maintainer, so feel free to
+# commit to it yourself. However, it is generally a good idea to
+# notify the maintainer of the affected package(s)
+#
+
+gnupg<1.2.3_4|http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html|ElGamal signing keys compromised
+rsync<2.5.7|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962|Buffer overflow in server
+gaim<0.75_2|http://security.e-matters.de/advisories/012004.txt|12 vulnerabilities that allow remote compromise
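Review bot: The format description in this header does not mention the `#CREATED: YYYY-MM-DD` first line and `#CHECKSUM: MD5 <hex>` last line that portaudit.functions in this same commit expects in the extracted archive; presumably they are added by whatever packs this file into auditfile.tbz, but a sentence here stating that would keep the two sides in sync. The Package and Reason descriptions also misspell `vulnurable` and `vulnurability` (should be `vulnerable`, `vulnerability`), and `An URL` should read `A URL`.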
diff --git a/ports-mgmt/portaudit/files/fetchaudit.sh b/ports-mgmt/portaudit/files/fetchaudit.sh
new file mode 100644
index 000000000000..d7137ca6875d
--- /dev/null
+++ b/ports-mgmt/portaudit/files/fetchaudit.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+#
+# $FreeBSD$
+#
+
+# defaults
+daily_status_portaudit_enable="YES"
+portaudit_dir="%%DATABASEDIR%%"
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. %%DATADIR%%/portaudit.functions
+
+MASTER_SITE_LOCAL="
+ ${MASTER_SITE_LOCAL}
+ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ "
+
+MASTER_SITE_SUBDIR=eik
+
+DISTNAME=auditfile
+EXTRACT_SUFX=.tbz
+
+portaudit_file="${portaudit_dir}/${DISTNAME}${EXTRACT_SUFX}"
+
+# site sort order is not overly smart
+LOCATIONS=`echo "${MASTER_SITE_LOCAL}" | awk "
+ BEGIN { srand() }
+ /^[ \t]*\$/ { next }
+ {
+ gsub(/[ \t]/, \\"\\")
+ gsub(/%SUBDIR%/, \\"${MASTER_SITE_SUBDIR}\\")
+ print rand() \\"\t\\" \\$0 \\"${DISTNAME}${EXTRACT_SUFX}\\"
+ }
+ " | sort -n | cut -f 2`
+
+case "$daily_status_portaudit_enable" in
+ ""|[Yy][Ee][Ss])
+ if [ ! -f "${portaudit_file}" ] || checkexpiry_auditfile 5; then
+ echo ""
+ echo "Updating audit database."
+ cd "${portaudit_dir}"
+ fetch -1am ${LOCATIONS}
+ if [ ! $? ]; then
+ echo "Couldn't fetch database."
+ rc=2
+ elif [ ! -f "${portaudit_file}" ] ; then
+ echo "no database."
+ rc=2
+ elif checksum_auditfile; then
+ echo "database corrupt."
+ rc=2
+ elif checkexpiry_auditfile 7; then
+ echo "database too old."
+ rc=2
+ else
+ echo "done"
+ rc=1
+ fi
+ else
+ rc=0
+ fi
+ ;;
+ *)
+ rc=0
+ ;;
+esac
+
+exit "${rc}"
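Review bot: `if [ ! $? ]; then` after `fetch -1am ${LOCATIONS}` never detects a failed fetch: `$?` expands to a digit, so `[ ! 0 ]` asks whether the string `0` is empty and is always false, which makes the `Couldn't fetch database.` branch dead code and lets a mirror outage go unreported while a stale copy (left in place by `-m`) is still within the 7-day window. Test the status directly: `if ! fetch -1am ${LOCATIONS}; then`. The preceding `cd "${portaudit_dir}"` is likewise unchecked; `cd "${portaudit_dir}" || exit 2` keeps fetch from writing into whatever directory periodic happened to start in. It is also worth a comment in the header that the MD5 verified by `checksum_auditfile` is carried inside the archive itself, so it detects transfer corruption but does not authenticate a database fetched over plain FTP from a mirror.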
diff --git a/ports-mgmt/portaudit/files/portaudit.functions b/ports-mgmt/portaudit/files/portaudit.functions
new file mode 100644
index 000000000000..29d09ba5fb26
--- /dev/null
+++ b/ports-mgmt/portaudit/files/portaudit.functions
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+extract_auditfile()
+{
+ tar -jxOf "${portaudit_file}" auditfile
+}
+
+checksum_auditfile()
+{
+ chksum1=`extract_auditfile |
+ sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
+ chksum2=`extract_auditfile | sed -e '$d' | md5`
+ [ "${chksum1}" != "${chksum2}" ];
+}
+
+checkexpiry_auditfile()
+{
+ created=`extract_auditfile |
+ sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'`
+ expiry=`date -u -v-$1d '+%Y%m%d'`
+ [ "${created}" -lt "${expiry}" ];
+}
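Review bot: `checkexpiry_auditfile` treats an archive with no `#CREATED:` line as not expired: `created` is then empty, `[ "" -lt "${expiry}" ]` is a test(1) usage error that evaluates as false, so a truncated or malformed database passes the expiry check with nothing but a stray message on stderr. Treat a missing date as expired: `[ -z "${created}" ] || [ "${created}" -lt "${expiry}" ];`. Both helpers return success when the check fails (checksums differ, file too old), which the callers rely on, so a one-line comment above each, e.g. `# returns 0 (true) when the embedded checksum does NOT match`, would prevent the natural misreading. Each helper also re-runs `extract_auditfile` (a full bzip2 extraction of the archive) on every call, so a single periodic run decompresses the database several times; caching the extracted text once is an optional improvement.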
+
diff --git a/ports-mgmt/portaudit/files/portaudit.sh b/ports-mgmt/portaudit/files/portaudit.sh
new file mode 100644
index 000000000000..e4cab249aa65
--- /dev/null
+++ b/ports-mgmt/portaudit/files/portaudit.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+#
+# $FreeBSD$
+#
+
+# defaults
+daily_status_portaudit_enable="YES"
+portaudit_dir="%%DATABASEDIR%%"
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. %%DATADIR%%/portaudit.functions
+
+portaudit_file="${portaudit_dir}/auditfile.tbz"
+
+rc=0
+case "$daily_status_portaudit_enable" in
+ ""|[Yy][Ee][Ss])
+ echo ""
+ echo "Checking for packages with security vulnerabilities:"
+ echo ""
+
+ if [ -z "${PKG_INFO}" ]; then
+ if [ -x /usr/local/sbin/pkg_info ]; then
+ PKG_INFO=/usr/local/sbin/pkg_info
+ else
+ PKG_INFO=/usr/sbin/pkg_info
+ fi
+ fi
+
+ if [ ! -x "${PKG_INFO}" ]; then
+ echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
+ exit 2
+ fi
+
+ PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null`
+ if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt 20040125 ]; then
+ echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel"
+ exit 2
+ fi
+
+ if [ ! -f "${portaudit_file}" ]; then
+ echo "portaudit: database missing."
+ echo " run fetchaudit to update."
+ exit 2
+ fi
+ if checksum_auditfile; then
+ echo "portaudit: corrupt database."
+ exit 2
+ fi
+ if checkexpiry_auditfile 14; then
+ echo "portaudit: database too old."
+ echo ""
+ rc=2
+ fi
+
+ extract_auditfile | awk -F\| "
+ BEGIN { vul=0 }
+ /^(#|\$)/ { next }
+ {
+ cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"
+ while((cmd | getline pkg) > 0) {
+ vul++
+ print \"Affected package: \" pkg \"\\n\" \
+ \"Type of problem: \" \$3 \".\\n\" \
+ \"Reference: <\" \$2 \">\\n\"
+ }
+ close(cmd)
+ }
+ END {
+ print vul \" problem(s) in your installed packages found.\"
+ if (vul > 0) exit(1)
+ }
+ " || rc=1
+ ;;
+ *)
+ ;;
+esac
+
+exit "$rc"
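Review bot: The awk script builds a shell command from the database's first field, `cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"`, and executes it through `cmd | getline`, so a single layer of double quotes is all that separates a database record from the shell. The database is fetched unauthenticated from FTP mirrors by fetchaudit.sh in this same commit, so a record whose first field contains a double quote, backquote, dollar sign or backslash would be interpreted by the shell rather than handed to pkg_info as a pattern; add a rule before `cmd=` that skips and reports any record whose `$1` contains those characters, or pass the pattern to pkg_info through an environment variable instead of string-building. The version gate `[ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt 20040125 ]` may not short-circuit in test(1), so an empty or non-numeric answer can turn into a usage error (false) and skip the intended "too old" message; `[ -z "${PKG_INSTALL_VER}" ] || [ "${PKG_INSTALL_VER}" -lt 20040125 ]` keeps the two checks independent.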
diff --git a/ports-mgmt/portaudit/pkg-descr b/ports-mgmt/portaudit/pkg-descr
new file mode 100644
index 000000000000..f42c45dc97fb
--- /dev/null
+++ b/ports-mgmt/portaudit/pkg-descr
@@ -0,0 +1,17 @@
+portaudit provides a list of published security vulnerabilities
+of FreeBSD ports and tools to check if installed ports are listed.
+
+After installation it will update the security database automatically
+and include its reports in the output of the daily security run.
+
+Since this is a prerelease version, it is mostly usable for
+committers that want to contribute to the project, and can currently
+not be relied upon as an extensive security auditing tool.
+
+Credits go to Roland Dowdeswell <elric@NetBSD.org> and Bill
+Sommerfeld <sommerfeld@NetBSD.org> for the idea and Alistair
+Crooks <agc@NetBSD.org> for the initial implementation.
+
+WWW: http://sourceforge.net/projects/portaudit/
+
+Oliver Eikemeier <eik@FreeBSD.org>
diff --git a/ports-mgmt/portaudit/pkg-plist b/ports-mgmt/portaudit/pkg-plist
new file mode 100644
index 000000000000..f91562cb8cc8
--- /dev/null
+++ b/ports-mgmt/portaudit/pkg-plist
@@ -0,0 +1,9 @@
+%%PERIODICDIR%%/security/910.portaudit
+%%PERIODICDIR%%/daily/330.fetchaudit
+%%DATADIR%%/portaudit.functions
+@unexec rmdir %D/%%PERIODICDIR%%/security 2>/dev/null || true
+@unexec rmdir %D/%%PERIODICDIR%%/daily 2>/dev/null || true
+@unexec rmdir %D/%%PERIODICDIR%% 2>/dev/null || true
+@dirrm %%DATADIR%%
+@exec mkdir -p %%DATABASEDIR%%
+@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true