aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authoreik <eik@FreeBSD.org>2004-06-13 06:43:44 +0800
committereik <eik@FreeBSD.org>2004-06-13 06:43:44 +0800
commit1441202676dc8d14aff5c58bd9a3cd635d772894 (patch)
tree4818cf2688bb47f079d519021512402d2e5506df
parent8d06ca2cb831e86d34dabdbc752ebcc914383f66 (diff)
downloadfreebsd-ports-gnome-1441202676dc8d14aff5c58bd9a3cd635d772894.tar.gz
freebsd-ports-gnome-1441202676dc8d14aff5c58bd9a3cd635d772894.tar.zst
freebsd-ports-gnome-1441202676dc8d14aff5c58bd9a3cd635d772894.zip
portaudit-db generates a portaudit database from a current
ports tree. It also features a file `database/portaudit.txt' where UUIDs for vulnerabilities can be allocated quickly before they are moved to the VuXML database. Call `packaudit' after upgrading your ports tree.
-rw-r--r--CVSROOT/modules1
-rw-r--r--ports-mgmt/portaudit-db/Makefile41
-rw-r--r--ports-mgmt/portaudit-db/database/portaudit.txt7
-rw-r--r--ports-mgmt/portaudit-db/database/portaudit.xlist4
-rw-r--r--ports-mgmt/portaudit-db/database/portaudit.xml69
-rw-r--r--ports-mgmt/portaudit-db/files/packaudit.conf9
-rw-r--r--ports-mgmt/portaudit-db/files/packaudit.sh112
-rw-r--r--ports-mgmt/portaudit-db/files/vuxml2html.xslt287
-rw-r--r--ports-mgmt/portaudit-db/files/vuxml2portaudit.xslt92
-rw-r--r--ports-mgmt/portaudit-db/pkg-descr16
-rw-r--r--ports-mgmt/portaudit-db/pkg-plist7
-rw-r--r--security/Makefile1
-rw-r--r--security/portaudit-db/Makefile41
-rw-r--r--security/portaudit-db/database/portaudit.txt7
-rw-r--r--security/portaudit-db/database/portaudit.xlist4
-rw-r--r--security/portaudit-db/database/portaudit.xml69
-rw-r--r--security/portaudit-db/files/packaudit.conf9
-rw-r--r--security/portaudit-db/files/packaudit.sh112
-rw-r--r--security/portaudit-db/files/vuxml2html.xslt287
-rw-r--r--security/portaudit-db/files/vuxml2portaudit.xslt92
-rw-r--r--security/portaudit-db/pkg-descr16
-rw-r--r--security/portaudit-db/pkg-plist7
22 files changed, 1290 insertions, 0 deletions
diff --git a/CVSROOT/modules b/CVSROOT/modules
index 531ceec7f322..34ce781968f5 100644
--- a/CVSROOT/modules
+++ b/CVSROOT/modules
@@ -7748,6 +7748,7 @@ port-authoring-tools ports/sysutils/port-authoring-tools
port-maintenance-tools ports/sysutils/port-maintenance-tools
portaudio ports/audio/portaudio
portaudit ports/security/portaudit
+portaudit-db ports/security/portaudit-db
portcheckout ports/devel/portcheckout
portdowngrade ports/sysutils/portdowngrade
porteasy ports/misc/porteasy
diff --git a/ports-mgmt/portaudit-db/Makefile b/ports-mgmt/portaudit-db/Makefile
new file mode 100644
index 000000000000..2a48688047d5
--- /dev/null
+++ b/ports-mgmt/portaudit-db/Makefile
@@ -0,0 +1,41 @@
+# New ports collection makefile for: portaudit-db
+# Date created: 12 Jun 2004
+# Whom: Oliver Eikemeier
+#
+# $FreeBSD$
+#
+
+PORTNAME= portaudit-db
+PORTVERSION= 0.1
+CATEGORIES= security
+DISTFILES=
+
+MAINTAINER= eik@FreeBSD.org
+COMMENT= Creates a portaudit database from a current ports tree
+
+RUN_DEPENDS= xsltproc:${PORTSDIR}/textproc/libxslt
+
+DATABASEDIR?= ${AUDITFILE:H}
+
+PLIST_SUB+= DATABASEDIR="${DATABASEDIR}"
+
+SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
+ -e "s|%%DATADIR%%|${DATADIR}|g" \
+ -e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
+ -e "s|%%PORTSDIR%%|${PORTSDIR}|g" \
+ -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
+ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g"
+
+do-build:
+ @for f in packaudit.sh packaudit.conf; do \
+ ${SED} ${SED_SCRIPT} "${FILESDIR}/$$f" > "${WRKDIR}/$$f"; \
+ done
+
+do-install:
+ @${INSTALL_SCRIPT} ${WRKDIR}/packaudit.sh ${PREFIX}/bin/packaudit
+ @${INSTALL_DATA} ${WRKDIR}/packaudit.conf ${PREFIX}/etc/packaudit.conf.sample
+ @${MKDIR} ${DATADIR}
+ @${INSTALL_DATA} ${FILESDIR}/vuxml2html.xslt ${FILESDIR}/vuxml2portaudit.xslt ${DATADIR}
+ @${MKDIR} ${DATABASEDIR}
+
+.include <bsd.port.mk>
diff --git a/ports-mgmt/portaudit-db/database/portaudit.txt b/ports-mgmt/portaudit-db/database/portaudit.txt
new file mode 100644
index 000000000000..7d3a72b5aff2
--- /dev/null
+++ b/ports-mgmt/portaudit-db/database/portaudit.txt
@@ -0,0 +1,7 @@
+# portaudit text based database
+# $FreeBSD$
+smtpproxy<=1.1.3|http://0xbadc0ded.org/advisories/0402.txt|remotely exploitable format string vulnerability|1abf65f9-bc9d-11d8-916c-000347dd607f
+apache<1.3.31_1|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl<1.3.31+2.8.18_3|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache<2.0.49_1|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl*<1.3.31+2.8.18_4|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
diff --git a/ports-mgmt/portaudit-db/database/portaudit.xlist b/ports-mgmt/portaudit-db/database/portaudit.xlist
new file mode 100644
index 000000000000..48700b58868a
--- /dev/null
+++ b/ports-mgmt/portaudit-db/database/portaudit.xlist
@@ -0,0 +1,4 @@
+# portaudit exclude list
+# $FreeBSD$
+3362f2c1-8344-11d8-a41f-0020ed76ef5a
+5e7f58c3-b3f8-4258-aeb8-795e5e940ff8
diff --git a/ports-mgmt/portaudit-db/database/portaudit.xml b/ports-mgmt/portaudit-db/database/portaudit.xml
new file mode 100644
index 000000000000..ae616f4cbf7e
--- /dev/null
+++ b/ports-mgmt/portaudit-db/database/portaudit.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+This file is in the public domain.
+ $FreeBSD$
+-->
+<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
+<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+
+ <vuln vid="42e330ab-82a4-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the ASX parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful ASX header,
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/339330</url>
+ <url>http://www.securityfocus.com/archive/1/339193</url>
+ <cvename>CAN-2003-0835</cvename>
+ <bid>8702</bid>
+ </references>
+ <dates>
+ <discovery>2003-09-24</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d8c46d74-8288-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the HTTP parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful HTTP header (&quot;Location:&quot;),
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/359029</url>
+ <url>http://www.securityfocus.com/archive/1/359025</url>
+ </references>
+ <dates>
+ <discovery>2004-03-29</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+</vuxml>
diff --git a/ports-mgmt/portaudit-db/files/packaudit.conf b/ports-mgmt/portaudit-db/files/packaudit.conf
new file mode 100644
index 000000000000..6b952effc14f
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/packaudit.conf
@@ -0,0 +1,9 @@
+#
+# $FreeBSD$
+#
+# packaudit.conf sample file
+#
+
+# avoid network access
+export SGML_CATALOG_FILES="%%LOCALBASE%%/share/xml/catalog"
+XSLTPROC_EXTRA_ARGS="--catalogs --nonet"
diff --git a/ports-mgmt/portaudit-db/files/packaudit.sh b/ports-mgmt/portaudit-db/files/packaudit.sh
new file mode 100644
index 000000000000..ff8ebd767625
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/packaudit.sh
@@ -0,0 +1,112 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+AWK=/usr/bin/awk
+BASENAME=/usr/bin/basename
+CAT=/bin/cat
+DATE=/bin/date
+ENV=/usr/bin/env
+MD5=/sbin/md5
+MKTEMP=/usr/bin/mktemp
+RM=/bin/rm
+SED=/usr/bin/sed
+TAR=/usr/bin/tar
+XSLTPROC=%%LOCALBASE%%/bin/xsltproc
+
+PORTSDIR="${PORTSDIR:-%%PORTSDIR%%}"
+VUXMLDIR="${VUXMLDIR:-$PORTSDIR/security/vuxml}"
+PORTAUDITDBDIR="${PORTAUDITDBDIR:-$PORTSDIR/security/portaudit-db}"
+
+DATABASEDIR="${DATABASEDIR:-%%DATABASEDIR%%}"
+
+STYLESHEET="%%DATADIR%%/vuxml2portaudit.xslt"
+
+PUBLIC_HTML="${PUBLIC_HTML:-$HOME/public_html/portaudit}"
+HTMLSHEET="%%DATADIR%%/vuxml2html.xslt"
+BASEURL="http://people.freebsd.org/~eik/portaudit/"
+
+[ -r "%%PREFIX%%/etc/packaudit.conf" ] && . "%%PREFIX%%/etc/packaudit.conf"
+
+VULVER=`$SED -En -e '/^.*\\$FreeBSD\: [^$ ]+,v ([0-9]+(\.[0-9]+)+) [^$]+\\$.*$/{s//\1/p;q;}' "$VUXMLDIR/vuln.xml"`
+VULURL="http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=$VULVER"
+
+if [ -d "$PUBLIC_HTML" ]; then
+ VULNMD5=`$CAT "$VUXMLDIR/vuln.xml" "$PORTAUDITDBDIR/database/portaudit.xml" | $MD5`
+ if [ -f "$PUBLIC_HTML/portaudit.md5" ]; then
+ VULNMD5_OLD=`$CAT "$PUBLIC_HTML/portaudit.md5"`
+ fi
+ if [ "$VULNMD5" != "$VULNMD5_OLD" ]; then
+ echo -n "$VULNMD5" > "$PUBLIC_HTML/portaudit.md5"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam vulurl "$VULURL" --stringparam extradoc "$PORTAUDITDBDIR/database/portaudit.xml" \
+ -o "$PUBLIC_HTML/" "$HTMLSHEET" "$VUXMLDIR/vuln.xml"
+ fi
+fi
+
+TMPNAME=`$BASENAME "$0"`
+TMPDIR=`$MKTEMP -d -t "$TMPNAME.$$"` || exit 1
+
+TESTPORT="vulnerability-test-port>=2000<`$DATE -u +%Y.%m.%d`"
+TESTURL="http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/"
+TESTREASON="Not vulnerable, just a test port (database: `$DATE -u +%Y-%m-%d`)"
+
+XLIST_FILE="$PORTAUDITDBDIR/database/portaudit.xlist"
+
+cd "$TMPDIR" || exit 1
+{
+ $DATE -u "+#CREATED: %Y-%m-%d %H:%M:%S"
+ echo "# Created by packaudit %%PORTVERSION%%"
+ echo "$TESTPORT|$TESTURL|$TESTREASON"
+ echo "# Please refer to the original document for copyright information:"
+ echo "# $VULURL"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$VUXMLDIR/vuln.xml"
+ echo "# This part is in the public domain"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$PORTAUDITDBDIR/database/portaudit.xml"
+ $CAT "$PORTAUDITDBDIR/database/portaudit.txt"
+} | $AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
+ BEGIN {
+ while((getline < XLIST_FILE) > 0)
+ if(!/^(#|$)/)
+ ignore[$1]=1
+ }
+ /^(#|$)/ {
+ print
+ next
+ }
+ {
+ if (!ignore[$4])
+ print $1 "|" $2 "|" $3
+ }' > auditfile
+echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
+$TAR -jcf "$DATABASEDIR/auditfile.tbz" auditfile
+cd
+$RM -Rf "$TMPDIR"
diff --git a/ports-mgmt/portaudit-db/files/vuxml2html.xslt b/ports-mgmt/portaudit-db/files/vuxml2html.xslt
new file mode 100644
index 000000000000..75a5e4cfc48b
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/vuxml2html.xslt
@@ -0,0 +1,287 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ $FreeBSD$
+
+Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+3. Neither the name of the author nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VuXML to HTML converter.
+
+Usage:
+ xsltproc -o html/ vuxml2html.xslt vuxml.xml
+
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xhtml vuxml" version="1.0">
+ <xsl:output method="xml"/>
+ <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range" />
+<!-- whole vuxml file -->
+ <xsl:template match="vuxml:vuxml">
+<!-- index page, xhtml strict -->
+ <xsl:document href="index.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:sort select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]"/>
+ </td>
+ <td>
+ <a href="{translate(@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index-pkg.html">[Sorted by package name]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- index page by packages, xhtml strict -->
+ <xsl:document href="index-pkg.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list by packages</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="//vuxml:affects/vuxml:package/vuxml:name | document($extradoc)//vuxml:affects/vuxml:package/vuxml:name">
+ <xsl:sort select="translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
+ <xsl:sort select="(ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:modified | ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="."/>
+ </td>
+ <td>
+ <a href="{translate(ancestor-or-self::vuxml:vuln/@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="ancestor-or-self::vuxml:vuln/vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index.html">[Sorted by last modification]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- individual pages, xhtml strict -->
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:document href="{translate(@vid, 'ABCDEF', 'abcdef')}.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: <xsl:value-of select="vuxml:topic"/></title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>
+ <xsl:value-of select="vuxml:topic"/>
+ </h1>
+ <h2>Description:</h2>
+ <xsl:copy-of select="vuxml:description/xhtml:body/*"/>
+ <h2>References:</h2>
+ <ul>
+ <xsl:apply-templates select="vuxml:references"/>
+ </ul>
+ <h2>Affects:</h2>
+ <ul>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ <xsl:for-each select="vuxml:affects/vuxml:system">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </ul>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+ </xsl:for-each>
+<!-- end of vuxml file processing -->
+ </xsl:template>
+<!-- vulnerability references -->
+ <xsl:template match="vuxml:url">
+ <li>
+ <a href="{.}">
+ <xsl:value-of select="."/>
+ </a>
+ </li>
+ </xsl:template>
+ <xsl:template match="vuxml:cvename">
+ <li>CVE name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name={text()}"><xsl:value-of select="text()"/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:bid">
+ <li>BugTraq ID <a href="http://www.securityfocus.com/bid/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certsa">
+ <li>CERT security advisory <a href="http://www.cert.org/advisories/{.}.html"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certvu">
+ <li>CERT vulnerability note <a href="http://www.kb.cert.org/vuls/id/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:freebsdsa">
+ <li>FreeBSD security advisory <a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-{.}.asc">FreeBSD-<xsl:value-of select="."/></a></li>
+ </xsl:template>
+<!-- comparison operators -->
+ <xsl:template match="vuxml:lt">
+ <xsl:text> &lt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:le">
+ <xsl:text> &lt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:gt">
+ <xsl:text> &gt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:ge">
+ <xsl:text> &gt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:eq">
+ <xsl:text> =</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+<!-- style sheet -->
+ <xsl:template name="css">
+ <link rel="shortcut icon" href="http://www.freebsd.org/favicon.ico" type="image/x-icon"/>
+ <style type="text/css">
+ <xsl:comment>
+ <xsl:text>
+ body {
+ background-color : #ffffff;
+ color : #000000;
+ }
+
+ a:link { color: #0000ff }
+ a:visited { color: #840084 }
+ a:active { color: #0000ff }
+
+ h1 { color: #990000 }
+
+ img { color: white; border:none }
+
+ table {
+ border: none;
+ margin-top: 10px;
+ margin-bottom: 10px;
+ }
+
+ th {
+ text-align: left;
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ td {
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ tr.odd {
+ background: #eeeeee;
+ color: inherit;
+ }
+ </xsl:text>
+ </xsl:comment>
+ </style>
+ </xsl:template>
+<!-- xhtml elements -->
+ <xsl:template name="bar">
+ <img src="http://www.freebsd.org/gifs/bar.gif" alt="Navigation Bar" height="33" width="565" usemap="#bar"/>
+ <map id="bar" name="bar">
+ <area shape="rect" coords="1,1,111,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="112,16,196,33" href="http://www.freebsd.org/ports/index.html" alt="Applications"/>
+ <area shape="rect" coords="197,16,256,33" href="http://www.freebsd.org/support.html" alt="Support"/>
+ <area shape="rect" coords="257,16,365,33" href="http://www.freebsd.org/docs.html" alt="Documentation"/>
+ <area shape="rect" coords="366,16,424,33" href="http://www.freebsd.org/commercial/commercial.html" alt="Vendors"/>
+ <area shape="rect" coords="425,16,475,33" href="http://www.freebsd.org/search/search.html" alt="Search"/>
+ <area shape="rect" coords="476,16,516,33" href="http://www.freebsd.org/search/index-site.html" alt="Index"/>
+ <area shape="rect" coords="517,16,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="0,0,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ </map>
+ </xsl:template>
+ <xsl:template name="foo">
+ <hr/>
+ <p><strong>Disclaimer:</strong> The data contained on this page is derived for the VuXML document,
+ please refer to the <a href="{$vulurl}">the original document</a> for copyright information. The author of
+ portaudit makes no claim of authorship or ownership of any of the information contained herein.</p>
+ <p>
+ If you have found a vulnerability in a FreeBSD port not listed in the
+ database, please <a href="mailto:security-officer@FreeBSD.org">contact the
+ FreeBSD Security Officer</a>. Refer to
+ <a href="http://www.freebsd.org/security/#sec">"FreeBSD Security
+ Information"</a> for more information.
+ </p>
+ <hr/>
+ <address title="Oliver Eikemeier">
+ Oliver Eikemeier <a href="mailto:eik@FreeBSD.org?subject=portaudit">&lt;eik@FreeBSD.org&gt;</a>
+ </address>
+ </xsl:template>
+</xsl:stylesheet>
diff --git a/ports-mgmt/portaudit-db/files/vuxml2portaudit.xslt b/ports-mgmt/portaudit-db/files/vuxml2portaudit.xslt
new file mode 100644
index 000000000000..60beed5ec52e
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/vuxml2portaudit.xslt
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ $FreeBSD$
+
+Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+3. Neither the name of the author nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VuXML to portaudit database converter.
+
+Usage:
+ xsltproc -o auditfile vuxml2portaudit.xslt vuxml.xml
+
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" version="1.0">
+ <xsl:output method="text"/>
+ <xsl:variable name="newline">
+ <xsl:text>&#010;</xsl:text>
+ </xsl:variable>
+<!-- xxx -->
+ <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range"/>
+ <xsl:template match="/">
+ <xsl:text># Converted by vuxml2portaudit
+</xsl:text>
+ <xsl:for-each select="vuxml:vuxml/vuxml:vuln">
+ <xsl:variable name="topic" select="normalize-space(vuxml:topic)"/>
+ <xsl:variable name="vid" select="translate(@vid, 'ABCDEF', 'abcdef')"/>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$baseurl"/>
+ <xsl:value-of select="$vid"/>
+ <xsl:text>.html</xsl:text>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$topic"/>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$vid"/>
+ <xsl:value-of select="$newline"/>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:template>
+<!-- xxx -->
+ <xsl:template match="vuxml:lt">
+ <xsl:text>&lt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:le">
+ <xsl:text>&lt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:gt">
+ <xsl:text>&gt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:ge">
+ <xsl:text>&gt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:eq">
+ <xsl:text>=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+</xsl:stylesheet>
diff --git a/ports-mgmt/portaudit-db/pkg-descr b/ports-mgmt/portaudit-db/pkg-descr
new file mode 100644
index 000000000000..85b315a9d87b
--- /dev/null
+++ b/ports-mgmt/portaudit-db/pkg-descr
@@ -0,0 +1,16 @@
+In contrast to security/portaudit, which is designed to be an
+install-and-forget solution, portaudit-db requires a current
+ports tree and generates a database that can be used locally
+or distributed over a network.
+
+Furthermore committers that want to add entries to the VuXML
+database may use this port to check their changes locally.
+It also features a file `database/portaudit.txt' where UUIDs
+for vulnerabilities can be allocated before they have been
+investigated thoroughly and moved to the VuXML database by
+the security officer team.
+
+Call `packaudit' after upgrading your ports tree.
+
+WWW: http://people.freebsd.org/~eik/portaudit/
+Oliver Eikemeier <eik@FreeBSD.org>
diff --git a/ports-mgmt/portaudit-db/pkg-plist b/ports-mgmt/portaudit-db/pkg-plist
new file mode 100644
index 000000000000..a5c18909f2d6
--- /dev/null
+++ b/ports-mgmt/portaudit-db/pkg-plist
@@ -0,0 +1,7 @@
+bin/packaudit
+etc/packaudit.conf.sample
+%%DATADIR%%/vuxml2html.xslt
+%%DATADIR%%/vuxml2portaudit.xslt
+@dirrm %%DATADIR%%
+@exec mkdir -p %%DATABASEDIR%%
+@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true
diff --git a/security/Makefile b/security/Makefile
index 2a6f4ee92bc7..cd544830e813 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -320,6 +320,7 @@
SUBDIR += pktsuckers
SUBDIR += poc
SUBDIR += portaudit
+ SUBDIR += portaudit-db
SUBDIR += portscanner
SUBDIR += portsentry
SUBDIR += ppgen
diff --git a/security/portaudit-db/Makefile b/security/portaudit-db/Makefile
new file mode 100644
index 000000000000..2a48688047d5
--- /dev/null
+++ b/security/portaudit-db/Makefile
@@ -0,0 +1,41 @@
+# New ports collection makefile for: portaudit-db
+# Date created: 12 Jun 2004
+# Whom: Oliver Eikemeier
+#
+# $FreeBSD$
+#
+
+PORTNAME= portaudit-db
+PORTVERSION= 0.1
+CATEGORIES= security
+DISTFILES=
+
+MAINTAINER= eik@FreeBSD.org
+COMMENT= Creates a portaudit database from a current ports tree
+
+RUN_DEPENDS= xsltproc:${PORTSDIR}/textproc/libxslt
+
+DATABASEDIR?= ${AUDITFILE:H}
+
+PLIST_SUB+= DATABASEDIR="${DATABASEDIR}"
+
+SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
+ -e "s|%%DATADIR%%|${DATADIR}|g" \
+ -e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
+ -e "s|%%PORTSDIR%%|${PORTSDIR}|g" \
+ -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
+ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g"
+
+do-build:
+ @for f in packaudit.sh packaudit.conf; do \
+ ${SED} ${SED_SCRIPT} "${FILESDIR}/$$f" > "${WRKDIR}/$$f"; \
+ done
+
+do-install:
+ @${INSTALL_SCRIPT} ${WRKDIR}/packaudit.sh ${PREFIX}/bin/packaudit
+ @${INSTALL_DATA} ${WRKDIR}/packaudit.conf ${PREFIX}/etc/packaudit.conf.sample
+ @${MKDIR} ${DATADIR}
+ @${INSTALL_DATA} ${FILESDIR}/vuxml2html.xslt ${FILESDIR}/vuxml2portaudit.xslt ${DATADIR}
+ @${MKDIR} ${DATABASEDIR}
+
+.include <bsd.port.mk>
diff --git a/security/portaudit-db/database/portaudit.txt b/security/portaudit-db/database/portaudit.txt
new file mode 100644
index 000000000000..7d3a72b5aff2
--- /dev/null
+++ b/security/portaudit-db/database/portaudit.txt
@@ -0,0 +1,7 @@
+# portaudit text based database
+# $FreeBSD$
+smtpproxy<=1.1.3|http://0xbadc0ded.org/advisories/0402.txt|remotely exploitable format string vulnerability|1abf65f9-bc9d-11d8-916c-000347dd607f
+apache<1.3.31_1|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl<1.3.31+2.8.18_3|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache<2.0.49_1|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl*<1.3.31+2.8.18_4|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
diff --git a/security/portaudit-db/database/portaudit.xlist b/security/portaudit-db/database/portaudit.xlist
new file mode 100644
index 000000000000..48700b58868a
--- /dev/null
+++ b/security/portaudit-db/database/portaudit.xlist
@@ -0,0 +1,4 @@
+# portaudit exclude list
+# $FreeBSD$
+3362f2c1-8344-11d8-a41f-0020ed76ef5a
+5e7f58c3-b3f8-4258-aeb8-795e5e940ff8
diff --git a/security/portaudit-db/database/portaudit.xml b/security/portaudit-db/database/portaudit.xml
new file mode 100644
index 000000000000..ae616f4cbf7e
--- /dev/null
+++ b/security/portaudit-db/database/portaudit.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+This file is in the public domain.
+ $FreeBSD$
+-->
+<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
+<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+
+ <vuln vid="42e330ab-82a4-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the ASX parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful ASX header,
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/339330</url>
+ <url>http://www.securityfocus.com/archive/1/339193</url>
+ <cvename>CAN-2003-0835</cvename>
+ <bid>8702</bid>
+ </references>
+ <dates>
+ <discovery>2003-09-24</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d8c46d74-8288-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the HTTP parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful HTTP header (&quot;Location:&quot;),
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/359029</url>
+ <url>http://www.securityfocus.com/archive/1/359025</url>
+ </references>
+ <dates>
+ <discovery>2004-03-29</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+</vuxml>
diff --git a/security/portaudit-db/files/packaudit.conf b/security/portaudit-db/files/packaudit.conf
new file mode 100644
index 000000000000..6b952effc14f
--- /dev/null
+++ b/security/portaudit-db/files/packaudit.conf
@@ -0,0 +1,9 @@
+#
+# $FreeBSD$
+#
+# packaudit.conf sample file
+#
+
+# avoid network access
+export SGML_CATALOG_FILES="%%LOCALBASE%%/share/xml/catalog"
+XSLTPROC_EXTRA_ARGS="--catalogs --nonet"
diff --git a/security/portaudit-db/files/packaudit.sh b/security/portaudit-db/files/packaudit.sh
new file mode 100644
index 000000000000..ff8ebd767625
--- /dev/null
+++ b/security/portaudit-db/files/packaudit.sh
@@ -0,0 +1,112 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+AWK=/usr/bin/awk
+BASENAME=/usr/bin/basename
+CAT=/bin/cat
+DATE=/bin/date
+ENV=/usr/bin/env
+MD5=/sbin/md5
+MKTEMP=/usr/bin/mktemp
+RM=/bin/rm
+SED=/usr/bin/sed
+TAR=/usr/bin/tar
+XSLTPROC=%%LOCALBASE%%/bin/xsltproc
+
+PORTSDIR="${PORTSDIR:-%%PORTSDIR%%}"
+VUXMLDIR="${VUXMLDIR:-$PORTSDIR/security/vuxml}"
+PORTAUDITDBDIR="${PORTAUDITDBDIR:-$PORTSDIR/security/portaudit-db}"
+
+DATABASEDIR="${DATABASEDIR:-%%DATABASEDIR%%}"
+
+STYLESHEET="%%DATADIR%%/vuxml2portaudit.xslt"
+
+PUBLIC_HTML="${PUBLIC_HTML:-$HOME/public_html/portaudit}"
+HTMLSHEET="%%DATADIR%%/vuxml2html.xslt"
+BASEURL="http://people.freebsd.org/~eik/portaudit/"
+
+[ -r "%%PREFIX%%/etc/packaudit.conf" ] && . "%%PREFIX%%/etc/packaudit.conf"
+
+VULVER=`$SED -En -e '/^.*\\$FreeBSD\: [^$ ]+,v ([0-9]+(\.[0-9]+)+) [^$]+\\$.*$/{s//\1/p;q;}' "$VUXMLDIR/vuln.xml"`
+VULURL="http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=$VULVER"
+
+if [ -d "$PUBLIC_HTML" ]; then
+ VULNMD5=`$CAT "$VUXMLDIR/vuln.xml" "$PORTAUDITDBDIR/database/portaudit.xml" | $MD5`
+ if [ -f "$PUBLIC_HTML/portaudit.md5" ]; then
+ VULNMD5_OLD=`$CAT "$PUBLIC_HTML/portaudit.md5"`
+ fi
+ if [ "$VULNMD5" != "$VULNMD5_OLD" ]; then
+ echo -n "$VULNMD5" > "$PUBLIC_HTML/portaudit.md5"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam vulurl "$VULURL" --stringparam extradoc "$PORTAUDITDBDIR/database/portaudit.xml" \
+ -o "$PUBLIC_HTML/" "$HTMLSHEET" "$VUXMLDIR/vuln.xml"
+ fi
+fi
+
+TMPNAME=`$BASENAME "$0"`
+TMPDIR=`$MKTEMP -d -t "$TMPNAME.$$"` || exit 1
+
+TESTPORT="vulnerability-test-port>=2000<`$DATE -u +%Y.%m.%d`"
+TESTURL="http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/"
+TESTREASON="Not vulnerable, just a test port (database: `$DATE -u +%Y-%m-%d`)"
+
+XLIST_FILE="$PORTAUDITDBDIR/database/portaudit.xlist"
+
+cd "$TMPDIR" || exit 1
+{
+ $DATE -u "+#CREATED: %Y-%m-%d %H:%M:%S"
+ echo "# Created by packaudit %%PORTVERSION%%"
+ echo "$TESTPORT|$TESTURL|$TESTREASON"
+ echo "# Please refer to the original document for copyright information:"
+ echo "# $VULURL"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$VUXMLDIR/vuln.xml"
+ echo "# This part is in the public domain"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$PORTAUDITDBDIR/database/portaudit.xml"
+ $CAT "$PORTAUDITDBDIR/database/portaudit.txt"
+} | $AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
+ BEGIN {
+ while((getline < XLIST_FILE) > 0)
+ if(!/^(#|$)/)
+ ignore[$1]=1
+ }
+ /^(#|$)/ {
+ print
+ next
+ }
+ {
+ if (!ignore[$4])
+ print $1 "|" $2 "|" $3
+ }' > auditfile
+echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
+$TAR -jcf "$DATABASEDIR/auditfile.tbz" auditfile
+cd
+$RM -Rf "$TMPDIR"
diff --git a/security/portaudit-db/files/vuxml2html.xslt b/security/portaudit-db/files/vuxml2html.xslt
new file mode 100644
index 000000000000..75a5e4cfc48b
--- /dev/null
+++ b/security/portaudit-db/files/vuxml2html.xslt
@@ -0,0 +1,287 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ $FreeBSD$
+
+Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+3. Neither the name of the author nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VuXML to HTML converter.
+
+Usage:
+ xsltproc -o html/ vuxml2html.xslt vuxml.xml
+
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xhtml vuxml" version="1.0">
+ <xsl:output method="xml"/>
+ <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range" />
+<!-- whole vuxml file -->
+ <xsl:template match="vuxml:vuxml">
+<!-- index page, xhtml strict -->
+ <xsl:document href="index.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:sort select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]"/>
+ </td>
+ <td>
+ <a href="{translate(@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index-pkg.html">[Sorted by package name]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- index page by packages, xhtml strict -->
+ <xsl:document href="index-pkg.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list by packages</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="//vuxml:affects/vuxml:package/vuxml:name | document($extradoc)//vuxml:affects/vuxml:package/vuxml:name">
+ <xsl:sort select="translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
+ <xsl:sort select="(ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:modified | ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="."/>
+ </td>
+ <td>
+ <a href="{translate(ancestor-or-self::vuxml:vuln/@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="ancestor-or-self::vuxml:vuln/vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index.html">[Sorted by last modification]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- individual pages, xhtml strict -->
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:document href="{translate(@vid, 'ABCDEF', 'abcdef')}.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: <xsl:value-of select="vuxml:topic"/></title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>
+ <xsl:value-of select="vuxml:topic"/>
+ </h1>
+ <h2>Description:</h2>
+ <xsl:copy-of select="vuxml:description/xhtml:body/*"/>
+ <h2>References:</h2>
+ <ul>
+ <xsl:apply-templates select="vuxml:references"/>
+ </ul>
+ <h2>Affects:</h2>
+ <ul>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ <xsl:for-each select="vuxml:affects/vuxml:system">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </ul>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+ </xsl:for-each>
+<!-- end of vuxml file processing -->
+ </xsl:template>
+<!-- vulnerability references -->
+ <xsl:template match="vuxml:url">
+ <li>
+ <a href="{.}">
+ <xsl:value-of select="."/>
+ </a>
+ </li>
+ </xsl:template>
+ <xsl:template match="vuxml:cvename">
+ <li>CVE name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name={text()}"><xsl:value-of select="text()"/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:bid">
+ <li>BugTraq ID <a href="http://www.securityfocus.com/bid/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certsa">
+ <li>CERT security advisory <a href="http://www.cert.org/advisories/{.}.html"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certvu">
+ <li>CERT vulnerability note <a href="http://www.kb.cert.org/vuls/id/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:freebsdsa">
+ <li>FreeBSD security advisory <a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-{.}.asc">FreeBSD-<xsl:value-of select="."/></a></li>
+ </xsl:template>
+<!-- comparison operators -->
+ <xsl:template match="vuxml:lt">
+ <xsl:text> &lt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:le">
+ <xsl:text> &lt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:gt">
+ <xsl:text> &gt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:ge">
+ <xsl:text> &gt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:eq">
+ <xsl:text> =</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+<!-- style sheet -->
+ <xsl:template name="css">
+ <link rel="shortcut icon" href="http://www.freebsd.org/favicon.ico" type="image/x-icon"/>
+ <style type="text/css">
+ <xsl:comment>
+ <xsl:text>
+ body {
+ background-color : #ffffff;
+ color : #000000;
+ }
+
+ a:link { color: #0000ff }
+ a:visited { color: #840084 }
+ a:active { color: #0000ff }
+
+ h1 { color: #990000 }
+
+ img { color: white; border:none }
+
+ table {
+ border: none;
+ margin-top: 10px;
+ margin-bottom: 10px;
+ }
+
+ th {
+ text-align: left;
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ td {
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ tr.odd {
+ background: #eeeeee;
+ color: inherit;
+ }
+ </xsl:text>
+ </xsl:comment>
+ </style>
+ </xsl:template>
+<!-- xhtml elements -->
+ <xsl:template name="bar">
+ <img src="http://www.freebsd.org/gifs/bar.gif" alt="Navigation Bar" height="33" width="565" usemap="#bar"/>
+ <map id="bar" name="bar">
+ <area shape="rect" coords="1,1,111,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="112,16,196,33" href="http://www.freebsd.org/ports/index.html" alt="Applications"/>
+ <area shape="rect" coords="197,16,256,33" href="http://www.freebsd.org/support.html" alt="Support"/>
+ <area shape="rect" coords="257,16,365,33" href="http://www.freebsd.org/docs.html" alt="Documentation"/>
+ <area shape="rect" coords="366,16,424,33" href="http://www.freebsd.org/commercial/commercial.html" alt="Vendors"/>
+ <area shape="rect" coords="425,16,475,33" href="http://www.freebsd.org/search/search.html" alt="Search"/>
+ <area shape="rect" coords="476,16,516,33" href="http://www.freebsd.org/search/index-site.html" alt="Index"/>
+ <area shape="rect" coords="517,16,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="0,0,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ </map>
+ </xsl:template>
+ <xsl:template name="foo">
+ <hr/>
+ <p><strong>Disclaimer:</strong> The data contained on this page is derived for the VuXML document,
+ please refer to the <a href="{$vulurl}">the original document</a> for copyright information. The author of
+ portaudit makes no claim of authorship or ownership of any of the information contained herein.</p>
+ <p>
+ If you have found a vulnerability in a FreeBSD port not listed in the
+ database, please <a href="mailto:security-officer@FreeBSD.org">contact the
+ FreeBSD Security Officer</a>. Refer to
+ <a href="http://www.freebsd.org/security/#sec">"FreeBSD Security
+ Information"</a> for more information.
+ </p>
+ <hr/>
+ <address title="Oliver Eikemeier">
+ Oliver Eikemeier <a href="mailto:eik@FreeBSD.org?subject=portaudit">&lt;eik@FreeBSD.org&gt;</a>
+ </address>
+ </xsl:template>
+</xsl:stylesheet>
diff --git a/security/portaudit-db/files/vuxml2portaudit.xslt b/security/portaudit-db/files/vuxml2portaudit.xslt
new file mode 100644
index 000000000000..60beed5ec52e
--- /dev/null
+++ b/security/portaudit-db/files/vuxml2portaudit.xslt
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ $FreeBSD$
+
+Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+3. Neither the name of the author nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VuXML to portaudit database converter.
+
+Usage:
+ xsltproc -o auditfile vuxml2portaudit.xslt vuxml.xml
+
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" version="1.0">
+ <xsl:output method="text"/>
+ <xsl:variable name="newline">
+ <xsl:text>&#010;</xsl:text>
+ </xsl:variable>
+<!-- xxx -->
+ <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range"/>
+ <xsl:template match="/">
+ <xsl:text># Converted by vuxml2portaudit
+</xsl:text>
+ <xsl:for-each select="vuxml:vuxml/vuxml:vuln">
+ <xsl:variable name="topic" select="normalize-space(vuxml:topic)"/>
+ <xsl:variable name="vid" select="translate(@vid, 'ABCDEF', 'abcdef')"/>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$baseurl"/>
+ <xsl:value-of select="$vid"/>
+ <xsl:text>.html</xsl:text>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$topic"/>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$vid"/>
+ <xsl:value-of select="$newline"/>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:template>
+<!-- xxx -->
+ <xsl:template match="vuxml:lt">
+ <xsl:text>&lt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:le">
+ <xsl:text>&lt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:gt">
+ <xsl:text>&gt;</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:ge">
+ <xsl:text>&gt;=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:eq">
+ <xsl:text>=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+</xsl:stylesheet>
diff --git a/security/portaudit-db/pkg-descr b/security/portaudit-db/pkg-descr
new file mode 100644
index 000000000000..85b315a9d87b
--- /dev/null
+++ b/security/portaudit-db/pkg-descr
@@ -0,0 +1,16 @@
+In contrast to security/portaudit, which is designed to be an
+install-and-forget solution, portaudit-db requires a current
+ports tree and generates a database that can be used locally
+or distributed over a network.
+
+Furthermore committers that want to add entries to the VuXML
+database may use this port to check their changes locally.
+It also features a file `database/portaudit.txt' where UUIDs
+for vulnerabilities can be allocated before they have been
+investigated thoroughly and moved to the VuXML database by
+the security officer team.
+
+Call `packaudit' after upgrading your ports tree.
+
+WWW: http://people.freebsd.org/~eik/portaudit/
+Oliver Eikemeier <eik@FreeBSD.org>
diff --git a/security/portaudit-db/pkg-plist b/security/portaudit-db/pkg-plist
new file mode 100644
index 000000000000..a5c18909f2d6
--- /dev/null
+++ b/security/portaudit-db/pkg-plist
@@ -0,0 +1,7 @@
+bin/packaudit
+etc/packaudit.conf.sample
+%%DATADIR%%/vuxml2html.xslt
+%%DATADIR%%/vuxml2portaudit.xslt
+@dirrm %%DATADIR%%
+@exec mkdir -p %%DATABASEDIR%%
+@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true