author | simon <simon@FreeBSD.org> | 2012-03-12 05:32:58 +0800 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2012-03-12 05:32:58 +0800 |
commit | 5935a9cdfb2fdde7d80a1b71660c87b92900fd21 (patch) | |
tree | 444dd66cee8c812ea7c239ecd5c9e9b17cdb1a8b /ports-mgmt | |
parent | 72b22368e2aea23901b18d490cc992b4f08247bf (diff) | |
Portaudit 0.6.0:
Fix remote code execution which can occur with a specially crafted
audit file. The attacker would need to get portaudit(1) to
download the bad audit database, e.g. by performing a
man-in-the-middle attack.
Add signature verification of the portaudit database. The public key
for the database generated for portaudit.FreeBSD.org is included
in the distribution.
Submitted by: Michael Gmelin <freebsd@grem.de>
Reported by: Michael Gmelin <freebsd@grem.de>, Joerg Scheinert
Security: Remote code execution
Security: http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
Feature safe: yes
With hat: so
Diffstat (limited to 'ports-mgmt')
-rw-r--r-- | ports-mgmt/portaudit/Makefile | 3 | ||||
-rw-r--r-- | ports-mgmt/portaudit/files/portaudit-cmd.sh | 77 | ||||
-rw-r--r-- | ports-mgmt/portaudit/pkg-plist | 1 |
3 files changed, 71 insertions, 10 deletions
diff --git a/ports-mgmt/portaudit/Makefile b/ports-mgmt/portaudit/Makefile index 017c0b60cafe..7356f96b1062 100644 --- a/ports-mgmt/portaudit/Makefile +++ b/ports-mgmt/portaudit/Makefile @@ -6,7 +6,7 @@ # PORTNAME= portaudit -PORTVERSION= 0.5.17 +PORTVERSION= 0.6.0 CATEGORIES= ports-mgmt security DISTFILES= @@ -55,6 +55,7 @@ pre-install: do-install: @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/sbin/portaudit @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample + @${INSTALL_DATA} ${FILESDIR}/portaudit.pubkey ${PREFIX}/etc @${INSTALL_MAN} ${WRKDIR}/portaudit.1 ${MAN1PREFIX}/man/man1 @${MKDIR} ${PERIODICDIR}/security @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/410.portaudit diff --git a/ports-mgmt/portaudit/files/portaudit-cmd.sh b/ports-mgmt/portaudit/files/portaudit-cmd.sh index 71d60ea7a94c..586b46319759 100644 --- a/ports-mgmt/portaudit/files/portaudit-cmd.sh +++ b/ports-mgmt/portaudit/files/portaudit-cmd.sh @@ -1,6 +1,7 @@ #!/bin/sh -efu # # Copyright (c) 2004 Oliver Eikemeier. All rights reserved. +# Copyright (c) 2012 Michael Gmelin <freebsd@grem.de> # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are 
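Review bot: The new `do-install` line copies `${FILESDIR}/portaudit.pubkey`, but the diffstat for this commit lists only Makefile, portaudit-cmd.sh and pkg-plist, so the key file itself is not visible here; if it is not added by a companion change, the install step fails. Because this file is the trust anchor for every signature check added in portaudit-cmd.sh, its origin should be recorded next to the install line, for example `# portaudit.pubkey: public key used to verify the portaudit.FreeBSD.org database signature`. The `do-install` target continues outside the hunk.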
@@ -48,33 +49,61 @@ portaudit_confs() : ${portaudit_fetch_cmd:="fetch -1mp"} : ${portaudit_sites:="http://portaudit.FreeBSD.org/"} + : ${portaudit_pubkey:="%%PREFIX%%/etc/portaudit.pubkey"} : ${portaudit_fixed=""} } -extract_auditfile() +extract_auditfile_raw() { %%BZIP2_CMD%% -dc -- "$portaudit_dir/$portaudit_filename" | \ tar -xOf - auditfile } +extract_auditfile() +{ + extract_auditfile_raw | egrep "^[a-zA-Z0-9*+,.<=>_{}-]+[|][a-zA-Z0-9 %:/._?-]+[|][^|]+$" +} + checksum_auditfile() { - chksum1=`extract_auditfile | + chksum1=`extract_auditfile_raw | sed -nE -e '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'` - chksum2=`extract_auditfile | sed -e '$d' | md5` + chksum2=`extract_auditfile_raw | sed -e '$d' | md5` [ "$chksum1" = "$chksum2" ]; } +checksignature_auditfile() +{ + local TMPFILE=`mktemp -t portaudit` + + extract_auditfile_raw | egrep "^#SIGNATURE: " | sed "s/^#SIGNATURE: //g" \ + | openssl enc -d -a >$TMPFILE + signatureresult=`extract_auditfile_raw | egrep -v "^#SIGNATURE: " \ + | egrep -v "^#CHECKSUM: " \ + | openssl dgst -sha256 -verify ${portaudit_pubkey} -signature $TMPFILE` + if [ -n "$TMPFILE" ]; then + rm "$TMPFILE" + fi + [ "$signatureresult" = "Verified OK" ] +} + +validate_auditfile() +{ + hash1=`extract_auditfile_raw | egrep -v "^(#|\$)" | sha256` + hash2=`extract_auditfile | egrep -v "^(#|\$)" | sha256` + [ "$hash1" = "$hash2" ]; +} + getcreated_auditfile() { - extract_auditfile | + extract_auditfile_raw | sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p' } gettimestamp_auditfile() { - extract_auditfile | + extract_auditfile_raw | sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p' } 
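Review bot: In `checksignature_auditfile`, `local TMPFILE=`mktemp -t portaudit`` hides a mktemp failure behind the exit status of `local`, and the `[ -n "$TMPFILE" ]` guard only runs after the empty name has already been used as the redirect target and as the `-signature` argument. The unquoted `$TMPFILE` and `${portaudit_pubkey}` are also subject to word splitting, and `portaudit_pubkey` is a configurable path. As far as the hunk shows this still fails closed, because the result must equal `Verified OK`, but the operator then sees an invalid-signature message for what is really a temp-file problem. I would separate declaration from assignment, return early when mktemp fails, quote both paths and remove the file unconditionally, as below.

```shell
checksignature_auditfile()
{
	local TMPFILE

	# Assign separately so a failing mktemp is not masked by 'local'.
	TMPFILE=`mktemp -t portaudit` || return 1
	extract_auditfile_raw | egrep "^#SIGNATURE: " | sed "s/^#SIGNATURE: //g" \
		| openssl enc -d -a >"$TMPFILE"
	signatureresult=`extract_auditfile_raw | egrep -v "^#SIGNATURE: " \
		| egrep -v "^#CHECKSUM: " \
		| openssl dgst -sha256 -verify "$portaudit_pubkey" -signature "$TMPFILE"`
	rm -f -- "$TMPFILE"
	[ "$signatureresult" = "Verified OK" ]
}
```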
@@ -120,6 +149,15 @@ portaudit_prerequisites() elif ! checksum_auditfile; then echo "portaudit: Corrupt database." >&2 return 2 + elif [ ! -r "$portaudit_pubkey" ]; then + echo "portaudit: Public key $portaudit_pubkey not found." >&2 + return 2 + elif ! checksignature_auditfile; then + echo "portaudit: Database contains invalid signature." >&2 + return 2 + elif ! validate_auditfile; then + echo "portaudit: Invalid database." >&2 + return 2 elif ! checkexpiry_auditfile 14; then echo "portaudit: Database too old." >&2 return 2 @@ -316,6 +354,10 @@ fetch_auditfile() echo "portaudit: No database." >&2 elif ! checksum_auditfile; then echo "portaudit: Database corrupt." >&2 + elif ! checksignature_auditfile; then + echo "portaudit: Database contains invalid signature." >&2 + elif ! validate_auditfile; then + echo "portaudit: Invalid database." >&2 elif ! checkexpiry_auditfile 7; then echo "portaudit: Database too old." >&2 else @@ -424,12 +466,29 @@ if $opt_dbversion; then echo "portaudit: Database corrupt." >&2 exit 2 fi + if ! checksignature_auditfile; then + echo "portaudit: Database contains invalid signature." >&2 + exit 2 + fi + if ! validate_auditfile; then + echo "portaudit: Invalid database." >&2 + exit 2 + fi created=`getcreated_auditfile` echo "Database created: `date -j -f '%Y-%m-%d %H:%M:%S %Z' \"$created GMT\"`" fi prerequisites_checked=false + +SANITIZETYPE_AWK=' + function sanitize_type(type) { + retval = type; + gsub(/[^ a-zA-Z0-9%()#&.+\/\[\]:<>=@_-]/, " ", retval); + return retval; + } + ' + if $opt_quiet; then PRINTAFFECTED_AWK=' function print_affected(apkg, note) { 
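Review bot: Only the `portaudit_prerequisites` hunk tests `[ ! -r "$portaudit_pubkey" ]` before calling `checksignature_auditfile`; the same checksum, signature and validate sequence is repeated in `fetch_auditfile` and under `if $opt_dbversion` without it. In those two paths a missing or unreadable key would be reported as `Database contains invalid signature`, which points the operator at the database instead of the key. Consider moving the readability test into `checksignature_auditfile` itself, e.g. `[ -r "$portaudit_pubkey" ] || { echo "portaudit: Public key $portaudit_pubkey not found." >&2; return 1; }`, so every caller gets the same diagnosis and a later caller cannot leave it out. All three enclosing blocks start and end outside their hunks.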
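Review bot: `SANITIZETYPE_AWK`, added in the last hunk on this line, carries no comment explaining why field 3 is filtered, and `retval` is an awk global because it is not declared as an extra parameter. The egrep filter added in `extract_auditfile` allows any character except `|` in the third field, so a short comment would tie the two together, for example `# Field 3 is free text from the audit file; replace anything outside the whitelist with a space before printing it`. For the variable, the usual awk idiom is `function sanitize_type(type,    retval) {`, which keeps `retval` local to the function.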
@@ -437,11 +496,11 @@ if $opt_quiet; then } ' elif $opt_verbose; then - PRINTAFFECTED_AWK=' + PRINTAFFECTED_AWK="$SANITIZETYPE_AWK"' function print_affected(apkg, note) { split(apkg, thepkg) print "Affected package: " thepkg[1] " (matched by " $1 ")" - print "Type of problem: " $3 "." + print "Type of problem: " sanitize_type($3) "." split($2, ref, / /) for (r in ref) print "Reference: " ref[r] @@ -451,11 +510,11 @@ elif $opt_verbose; then } ' else - PRINTAFFECTED_AWK=' + PRINTAFFECTED_AWK="$SANITIZETYPE_AWK"' function print_affected(apkg, note) { split(apkg, thepkg) print "Affected package: " thepkg[1] - print "Type of problem: " $3 "." + print "Type of problem: " sanitize_type($3) "." split($2, ref, / /) for (r in ref) print "Reference: " ref[r] diff --git a/ports-mgmt/portaudit/pkg-plist b/ports-mgmt/portaudit/pkg-plist index 8edf7bb6dbc8..4f3a77f9d889 100644 --- a/ports-mgmt/portaudit/pkg-plist +++ b/ports-mgmt/portaudit/pkg-plist @@ -1,4 +1,5 @@ sbin/portaudit +etc/portaudit.pubkey etc/portaudit.conf.sample %%PERIODICDIR%%/security/410.portaudit @dirrmtry %%PERIODICDIR%%/security |