aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authoreik <eik@FreeBSD.org>2004-04-01 06:52:01 +0800
committereik <eik@FreeBSD.org>2004-04-01 06:52:01 +0800
commit738a30d88b41b61f1a48fb63bcf0f5e06b83d310 (patch)
treea814e65da88813817666c4a486a8d00ad82f7d45 /security
parent7965fb7b67d0135237d020fe5d52e0cefd99312e (diff)
downloadfreebsd-ports-gnome-738a30d88b41b61f1a48fb63bcf0f5e06b83d310.tar.gz
freebsd-ports-gnome-738a30d88b41b61f1a48fb63bcf0f5e06b83d310.tar.zst
freebsd-ports-gnome-738a30d88b41b61f1a48fb63bcf0f5e06b83d310.zip
update to 0.3.1:
- use passive ftp by default, don't retry on failure [1] - add a -C flag, portlint style - don't keep databases that are tool old [2] Requested by: hubs [1] Noticed by: Nicolas Rachinsky <nicolas@rachinsky.de> [2]
Diffstat (limited to 'security')
-rw-r--r--security/portaudit/Makefile4
-rw-r--r--security/portaudit/files/portaudit-cmd.sh65
-rw-r--r--security/portaudit/files/portaudit.19
-rw-r--r--security/portaudit/files/portaudit.conf6
-rw-r--r--security/portaudit/files/portaudit.functions51
5 files changed, 117 insertions, 18 deletions
diff --git a/security/portaudit/Makefile b/security/portaudit/Makefile
index c574bff71052..6cd41e3658d6 100644
--- a/security/portaudit/Makefile
+++ b/security/portaudit/Makefile
@@ -6,7 +6,7 @@
#
PORTNAME= portaudit
-PORTVERSION= 0.3
+PORTVERSION= 0.3.1
CATEGORIES= security
DISTFILES=
@@ -28,7 +28,7 @@ SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
-e 's,%%DATABASEDIR%%,${DATABASEDIR},g'
PKG_INFO_BASE?= /usr/sbin/pkg_info
-BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null
+BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null || ${TRUE}
.if ${BASEPKGVER} < 20040125
RUN_DEPENDS= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel
diff --git a/security/portaudit/files/portaudit-cmd.sh b/security/portaudit/files/portaudit-cmd.sh
index 7b48e0be3888..2df9a0fc4533 100644
--- a/security/portaudit/files/portaudit-cmd.sh
+++ b/security/portaudit/files/portaudit-cmd.sh
@@ -1,4 +1,4 @@
-#!/bin/sh -ef
+#!/bin/sh -e
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
@@ -35,6 +35,9 @@
portaudit_confs
opt_audit=false
+opt_auditcwd=false
+opt_audittree=false
+opt_verbose=false
opt_version=false
opt_dbversion=false
opt_fetch=false
@@ -44,25 +47,31 @@ if [ $# -eq 0 ] ; then
opt_audit=true
fi
-while getopts aVdFq opt; do
+while getopts aACvVdFq opt; do
case "$opt" in
a)
opt_audit=true;;
+ A)
+ opt_audittree=true;;
+ C)
+ opt_auditcwd=true;;
d)
opt_dbversion=true;;
F)
opt_fetch=true;;
q)
opt_quiet=true;;
+ v)
+ opt_verbose=true;;
V)
opt_version=true;;
?)
- echo "Usage: $0 -adFqV"
+ echo "Usage: $0 -aACvVdFq"
exit 2;;
esac
done
-shift $(($OPTIND - 1))
+shift $((${OPTIND}-1))
if $opt_version; then
echo "portaudit version %%PORTVERSION%%"
@@ -81,10 +90,56 @@ if $opt_dbversion; then
echo "portaudit: database corrupt."
exit 2
fi
- echo "database created: `getcreated_auditfile`"
+ created=`getcreated_auditfile`
+ echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`"
fi
if $opt_audit; then
portaudit_prerequisites
audit_installed || true
fi
+
+if $opt_auditcwd; then
+ portaudit_prerequisites
+ audit_cwd
+fi
+
+if $opt_audittree; then
+ echo "auditing ports tree for known vulnerabilities"
+ VULCNT=0
+
+ portaudit_prerequisites
+
+ cd "${PORTSDIR:=/usr/ports}"
+ CATEGORIES=`echo [a-z]*`
+
+ for category in ${CATEGORIES}; do
+ if [ ! -d "${PORTSDIR}/${category}" ]; then continue; fi
+ case "${category}" in
+ CVS) continue ;;
+ Mk) continue ;;
+ Templates) continue ;;
+ Tools) continue ;;
+ distfiles) continue ;;
+ packages) continue ;;
+ esac
+
+ $opt_quiet || echo "==> ${category}"
+
+ cd "${PORTSDIR}/${category}"
+ PORTS=`echo *`
+
+ for port in ${PORTS}; do
+ if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi
+ case "${port}" in
+ pkg) continue ;;
+ CVS) continue ;;
+ esac
+
+ cd "${PORTSDIR}/${category}/${port}"
+ audit_cwd;
+ done
+ done
+
+ echo "${VULCNT} ports with unmarked vulnerabilities."
+fi
diff --git a/security/portaudit/files/portaudit.1 b/security/portaudit/files/portaudit.1
index 4950ff868b2f..4e6dfde7d673 100644
--- a/security/portaudit/files/portaudit.1
+++ b/security/portaudit/files/portaudit.1
@@ -43,6 +43,8 @@
.
.Nm
.Op Fl a
+.Op Fl A
+.Op Fl C
.Op Fl V
.Op Fl d
.Op Fl F
@@ -74,6 +76,11 @@ The following options are supported:
.Bl -tag -width ".Fl X"
.It Fl a
Print a vulnerability report for all installed packages
+.It Fl A
+Print a vulnerability report for all ports in PORTSDIR (slow).
+.It Fl C
+Print a vulnerability report for the port in the current working directory.
+Mostly useful for committers.
.It Fl F
Fetch the current database from the
.Fx servers
@@ -118,7 +125,7 @@ Print a vulnerability report for all installed packages:
.Sh CAVEATS
.
The format of
-.Pa %%DATABASEDIR%%/auditfile.tbz
+.Pa %%PREFIX%%/etc/portaudit.conf
might change.
.
.
diff --git a/security/portaudit/files/portaudit.conf b/security/portaudit/files/portaudit.conf
index 612d86357bd7..5b2f5363cbcf 100644
--- a/security/portaudit/files/portaudit.conf
+++ b/security/portaudit/files/portaudit.conf
@@ -10,10 +10,10 @@
#FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
# default fetch command
-#FETCH_CMD="/usr/bin/fetch -1am"
+#FETCH_CMD="/usr/bin/fetch -1m"
-# uncoment to use passive ftp, see fetch(1)
-#FETCH_BEFORE_ARGS="-p"
+# use passive ftp transfers with extra verbose mode, see fetch(1)
+#FETCH_BEFORE_ARGS="-p -vvv"
#FETCH_AFTER_ARGS=
diff --git a/security/portaudit/files/portaudit.functions b/security/portaudit/files/portaudit.functions
index 93437a259130..9475bfeaf805 100644
--- a/security/portaudit/files/portaudit.functions
+++ b/security/portaudit/files/portaudit.functions
@@ -37,8 +37,8 @@ portaudit_confs()
portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
FETCH_ENV=${FETCH_ENV:-}
- FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1am"}
- FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-}
+ FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"}
+ FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"}
FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-}
MASTER_SITES=${MASTER_SITES:-"
@@ -82,12 +82,18 @@ checksum_auditfile()
getcreated_auditfile()
{
extract_auditfile |
+ /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p'
+}
+
+gettimestamp_auditfile()
+{
+ extract_auditfile |
/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
}
checkexpiry_auditfile()
{
- created=`getcreated_auditfile`
+ created=`gettimestamp_auditfile`
expiry=`/bin/date -u -v-$1d '+%Y%m%d'`
[ "${created}" -ge "${expiry}" ];
}
@@ -95,13 +101,15 @@ checkexpiry_auditfile()
portaudit_prerequisites()
{
if [ -z "${PKG_INFO}" ]; then
- if [ -x %%LOCALBASE%%/sbin/pkg_info ]; then
- PKG_INFO=%%LOCALBASE%%/sbin/pkg_info
+ if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then
+ PKG_INFO="%%LOCALBASE%%/sbin/pkg_info"
else
- PKG_INFO=/usr/sbin/pkg_info
+ PKG_INFO="/usr/sbin/pkg_info"
fi
fi
+ PKG_VERSION="${PKG_INFO%/*}/pkg_version"
+
if [ ! -x "${PKG_INFO}" ]; then
echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
return 1
@@ -155,6 +163,36 @@ audit_installed()
"
}
+audit_cwd()
+{
+ if [ ! -r "Makefile" ]; then
+ return 1
+ fi
+
+ PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"`
+ PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'`
+ FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'`
+ PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'`
+
+ VLIST=`extract_auditfile | /usr/bin/awk -F\| " \
+ /^[^#]/ { \
+ if (!system(\"${PKG_VERSION} -T '${PKGNAME}' '\" \\$1 \"'\")) \
+ print \"- <\" \\$2 \">\" \
+ } \
+ "`
+
+ if [ -n "${VLIST}" -a -z "${FORBIDDEN}" ]; then
+ echo
+ echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:"
+ echo "${VLIST}"
+ VULCNT=$((${VULCNT}+1))
+ elif $opt_verbose && [ -n "${VLIST}" ]; then
+ echo
+ echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}"
+ echo "${VLIST}"
+ fi
+}
+
fetch_locations()
{
# site sort order is not overly smart
@@ -204,7 +242,6 @@ fetch_auditfile()
echo "fetched database corrupt."
elif ! checkexpiry_auditfile 7; then
echo "fetched database too old."
- rc=0
else
echo "new database installed."
rc=0