Portaudit Question

[Fatman]

Hello,

I have a question regarding portaudit. I just updated my porttree using portsnap and executed the portaudit command.

It presented me with a list of packages that are vulnerable.

Affected package: php5-5.2.11_1
Type of problem: php -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>

Affected package: libtool-1.5.26
Type of problem: libtool -- Library Search Path Privilege Escalation Issue.
Reference: <http://portaudit.FreeBSD.org/77c14729-dc5e-11de-92ae-02e0184b8d35.html>

I ran portmaster -dB /usr/ports/lang/php5 but complains about the package being vulnerable.

===>  Cleaning for php5-5.2.11_1

===>  php5-5.2.11_1 has known vulnerabilities:
=> php -- multiple vulnerabilities.
   Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/lang/php5.
*** Error code 1

Stop in /usr/ports/lang/php5.

===>>> make failed for lang/php5
===>>> Aborting update

===>>> There are messages from installed ports to display,
       but first take a moment to review the error messages
       above.  Then press Enter when ready to proceed.

===>>> pkg-message for apache-2.2.14_5
To run apache www server from startup, add apache22_enable="YES"
in your /etc/rc.conf. Extra options can be found in startup script.

Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.

===>>> Done displaying pkg-message files
===>>> The following actions were performed:
        Upgrade of libxml2-2.7.6 to libxml2-2.7.6_1
        Upgrade of libtool-2.2.6a to libtool-2.2.6b
        Upgrade of pcre-7.9 to pcre-8.00
        Upgrade of expat-2.0.1 to expat-2.0.1_1
        Upgrade of apache-2.2.13 to apache-2.2.14_5

Should I proceed by uninstalling the port and then try reinstalling it?

Thanks,

 

[dennylin93]

You can use -DDISABLE_SECURITY_CHECK to bypass the security check.

 

[Fatman]

Thanks,

Does this mean that the PHP5 port is still vulnerable and needs to be patched manually? I was under the impression that I just needed to update my port-tree and use portmaster to update the package manually.

 

[DutchDaemon]

I don't think a manual patch is available, or it would already have been applied and released to the version in the ports tree. You'll have to wait for it.

 

[Alt]

You can patch it manually using 'make extract' command on needed port. But better to update with portsnap =)

 

[Fatman]

Thanks Guys.

 

[Fatman]

Sorry guys but I have a couple more questions if you don't mind.

I've been trying to figure out how to deal with the following vulnerability found by portaudit:

Affected package: libtool-1.5.26
Type of problem: libtool -- Library Search Path Privilege Escalation Issue.
Reference: <http://portaudit.FreeBSD.org/77c14729-dc5e-11de-92ae-02e0184b8d35.html>

I quick check shows that I have two versions of this package installed:

test# pkg_info | grep libtool
libtool-1.5.26      Generic shared library support script
libtool-2.2.6b      Generic shared library support script

When I check the port-tree, i don't see it:

test# ls /usr/ports/devel/ | grep libtool
libtool22

I do however see it when executing a search and noticed it has been moved:

Port: devel/libtool15
Moved: devel/libtool22
Date: 2009-08-02
Reason: Update to libtool22

So my first question is how do I find out what packages installed rely on devel/libtool15? I'd like to remove it with pkg_delete however I'm afraid i'll break something.

Thanks,

 

[DutchDaemon]

Take a look at /usr/ports/UPDATING, date 20090802.

 

[vivek]

Almost all problem are documented in /usr/ports/UPDATING and /usr/src/UPDATING. Did you install portaudit port and cron job is running to get updates?

 

[Fatman]

Thanks again for the quick response. Dutchdeamon's reply fixed the issue.

 Portmaster:
  -----------

  portmaster -o devel/libtool22 devel/libtool15
  portmaster -o devel/libltdl22 devel/libltdl15

  After that, you will need to rebuild all ports that depend on libltdl.
  Since all dependent ports' PORTREVISIONs have been bumped, you can run
  portupgrade or portmaster with '-a' to complete the upgrade.

I followed the instructions in /usr/ports/UPDATING however I was kind of afraid and reluctant to run portmaster -a at the end.

All in all, it seems to have resolved it:

test# pkg_info | grep libtool
libtool-2.2.6b      Generic shared library support script

test# portaudit -Fda
auditfile.tbz                                 100% of   59 kB   59 kBps
New database installed.
Database created: Tue Dec 29 18:50:00 EST 2009
Affected package: php5-5.2.11_1
Type of problem: php -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

Thanks again for the help!

Fatman

 

[dennylin93]

PHP 5.2.12 is now in ports.