authorOliver Eikemeier <eik@FreeBSD.org>2004-01-27 19:24:52 +0000
committerOliver Eikemeier <eik@FreeBSD.org>2004-01-27 19:24:52 +0000
commit34522b5af15a19582c575c9bb11828b98a51dbf9 (patch)
tree9c52b27d0b4d87ef198a2f7bb721905d3b405d12 /security/portaudit/files
parentRemove useless explicit dependency on gnugetopt, taken care of by (diff)
portaudit provides a list of published security vulnerabilities
of FreeBSD ports and tools to check whether installed ports are listed. Since this is a prerelease version, it is mostly useful to committers who want to contribute to the project, and cannot yet be relied upon as a comprehensive security auditing tool.
Notes
Notes: svn path=/head/; revision=99292
Diffstat (limited to 'security/portaudit/files')
-rw-r--r--security/portaudit/files/fetchaudit.sh81
-rw-r--r--security/portaudit/files/portaudit.functions23
-rw-r--r--security/portaudit/files/portaudit.sh87
3 files changed, 191 insertions, 0 deletions
diff --git a/security/portaudit/files/fetchaudit.sh b/security/portaudit/files/fetchaudit.sh
new file mode 100644
index 000000000000..d7137ca6875d
--- /dev/null
+++ b/security/portaudit/files/fetchaudit.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+#
+# $FreeBSD$
+#
+
+# defaults
+daily_status_portaudit_enable="YES"
+portaudit_dir="%%DATABASEDIR%%"
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. %%DATADIR%%/portaudit.functions
+
+MASTER_SITE_LOCAL="
+ ${MASTER_SITE_LOCAL}
+ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ "
+
+MASTER_SITE_SUBDIR=eik
+
+DISTNAME=auditfile
+EXTRACT_SUFX=.tbz
+
+portaudit_file="${portaudit_dir}/${DISTNAME}${EXTRACT_SUFX}"
+
+# site sort order is not overly smart
+LOCATIONS=`echo "${MASTER_SITE_LOCAL}" | awk "
+ BEGIN { srand() }
+ /^[ \t]*\$/ { next }
+ {
+ gsub(/[ \t]/, \\"\\")
+ gsub(/%SUBDIR%/, \\"${MASTER_SITE_SUBDIR}\\")
+ print rand() \\"\t\\" \\$0 \\"${DISTNAME}${EXTRACT_SUFX}\\"
+ }
+ " | sort -n | cut -f 2`
+
+case "$daily_status_portaudit_enable" in
+ ""|[Yy][Ee][Ss])
+ if [ ! -f "${portaudit_file}" ] || checkexpiry_auditfile 5; then
+ echo ""
+ echo "Updating audit database."
+ cd "${portaudit_dir}"
+ fetch -1am ${LOCATIONS}
+ if [ ! $? ]; then
+ echo "Couldn't fetch database."
+ rc=2
+ elif [ ! -f "${portaudit_file}" ] ; then
+ echo "no database."
+ rc=2
+ elif checksum_auditfile; then
+ echo "database corrupt."
+ rc=2
+ elif checkexpiry_auditfile 7; then
+ echo "database too old."
+ rc=2
+ else
+ echo "done"
+ rc=1
+ fi
+ else
+ rc=0
+ fi
+ ;;
+ *)
+ rc=0
+ ;;
+esac
+
+exit "${rc}"
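Review bot: The fetch failure branch guarded by `if [ ! $? ]; then` can never be taken, because `$?` expands to a non-empty word and both `[ ! 0 ]` and `[ ! 1 ]` are false, so a failed download falls through to the `-f` test or, when a stale tarball already exists, straight to the checksum test. Test the command itself instead: `if ! fetch -1am ${LOCATIONS}; then`. Separately, the database is pulled over plain FTP from a mirror list and the only integrity check is the MD5 the file declares about itself, so the "database corrupt" branch catches a truncated transfer but not a replaced one; a comment at the `checksum_auditfile` call saying this is a corruption check, not an authenticity check, would keep readers from over-trusting it. The `cd "${portaudit_dir}"` is also unchecked — `cd "${portaudit_dir}" || exit 2` prevents fetch from dropping the tarball into whatever directory periodic(8) happens to run from.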
diff --git a/security/portaudit/files/portaudit.functions b/security/portaudit/files/portaudit.functions
new file mode 100644
index 000000000000..29d09ba5fb26
--- /dev/null
+++ b/security/portaudit/files/portaudit.functions
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+extract_auditfile()
+{
+ tar -jxOf "${portaudit_file}" auditfile
+}
+
+checksum_auditfile()
+{
+ chksum1=`extract_auditfile |
+ sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
+ chksum2=`extract_auditfile | sed -e '$d' | md5`
+ [ "${chksum1}" != "${chksum2}" ];
+}
+
+checkexpiry_auditfile()
+{
+ created=`extract_auditfile |
+ sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'`
+ expiry=`date -u -v-$1d '+%Y%m%d'`
+ [ "${created}" -lt "${expiry}" ];
+}
+
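Review bot: `checkexpiry_auditfile` fails open when the `#CREATED:` header is missing or malformed: `created` is then empty, `[ "" -lt ... ]` is a test error with a non-zero status, and every caller treats non-zero as "not expired". Since a missing first line is exactly what a truncated or tampered file looks like, the comparison should fail closed: `[ -z "${created}" ] || [ "${created}" -lt "${expiry}" ]`. The `checksum_auditfile` name also reads inverted — it returns success when the two digests differ — so a comment such as `# returns 0 (true) when the embedded MD5 does NOT match, i.e. the file is corrupt` above it would spare the next reader a trip through the callers.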
diff --git a/security/portaudit/files/portaudit.sh b/security/portaudit/files/portaudit.sh
new file mode 100644
index 000000000000..e4cab249aa65
--- /dev/null
+++ b/security/portaudit/files/portaudit.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+#
+# $FreeBSD$
+#
+
+# defaults
+daily_status_portaudit_enable="YES"
+portaudit_dir="%%DATABASEDIR%%"
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. %%DATADIR%%/portaudit.functions
+
+portaudit_file="${portaudit_dir}/auditfile.tbz"
+
+rc=0
+case "$daily_status_portaudit_enable" in
+ ""|[Yy][Ee][Ss])
+ echo ""
+ echo "Checking for packages with security vulnerabilities:"
+ echo ""
+
+ if [ -z "${PKG_INFO}" ]; then
+ if [ -x /usr/local/sbin/pkg_info ]; then
+ PKG_INFO=/usr/local/sbin/pkg_info
+ else
+ PKG_INFO=/usr/sbin/pkg_info
+ fi
+ fi
+
+ if [ ! -x "${PKG_INFO}" ]; then
+ echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
+ exit 2
+ fi
+
+ PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null`
+ if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt 20040125 ]; then
+ echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel"
+ exit 2
+ fi
+
+ if [ ! -f "${portaudit_file}" ]; then
+ echo "portaudit: database missing."
+ echo " run fetchaudit to update."
+ exit 2
+ fi
+ if checksum_auditfile; then
+ echo "portaudit: corrupt database."
+ exit 2
+ fi
+ if checkexpiry_auditfile 14; then
+ echo "portaudit: database too old."
+ echo ""
+ rc=2
+ fi
+
+ extract_auditfile | awk -F\| "
+ BEGIN { vul=0 }
+ /^(#|\$)/ { next }
+ {
+ cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"
+ while((cmd | getline pkg) > 0) {
+ vul++
+ print \"Affected package: \" pkg \"\\n\" \
+ \"Type of problem: \" \$3 \".\\n\" \
+ \"Reference: <\" \$2 \">\\n\"
+ }
+ close(cmd)
+ }
+ END {
+ print vul \" problem(s) in your installed packages found.\"
+ if (vul > 0) exit(1)
+ }
+ " || rc=1
+ ;;
+ *)
+ ;;
+esac
+
+exit "$rc"
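Review bot: Field 1 of the downloaded audit file is spliced verbatim into a shell command line in the awk `cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"` line, and `cmd | getline` hands that string to `/bin/sh`; because the field sits inside double quotes, an entry containing `$(...)`, a backtick or a closing `"` executes as the user running periodic(8), normally root. The file arrives over unauthenticated FTP with only a self-declared MD5 as a check, so this is reachable by anyone who can alter it in transit or on a mirror. Either reject entries containing a double quote, backtick, dollar sign or backslash before building `cmd` (a `next` on a character-class match at the top of the main rule), or wrap the field in single quotes after escaping embedded single quotes so the pattern stays literal. A short comment above the awk block noting that field 1 is untrusted input would also help whoever extends this later.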