Unable to acknowledge problem reported by portaudit

Hello again,

I am unable to acknowledge a problem reported by portaudit. It reports the problem although I set its id in portaudit_fixed in portaudit.conf:

# portaudit -d
Database created: Tue Mar 10 02:40:03 CET 2009
# portaudit -av
Affected package: perl-5.8.8_1 (matched by perl>=5.8.0<5.8.9)
Type of problem: perl -- Directory Permissions Race Condition.
Reference: <http://www.FreeBSD.org/ports/portaudit/4a99d61c-f23a-11dd-9f55-0030843d3802.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
# fgrep fixed /usr/local/etc/portaudit.conf
portaudit_fixed="4a99d61c-f23a-11dd-9f55-0030843d3802"
# portaudit -V
portaudit version 0.5.10

Any ideas? Thanks.
 
Yes, I keep my ports up to date, but let's say I decide that a particular vulnerability is not important for me, because it can be exploited only by local users and they are all trusted. In addition, the reported vulnerability is in a port that provides some service critical for the machine. In this case, it is IMHO better not to upgrade than to risk the possibility that something goes wrong during the upgrade. I am just trying to tell portaudit: "ignore this problem, I don't care about it".
 
Deciding not to upgrade a port will become impossible sooner or later. Especially with a 'core port' like Perl, more and more other ports will start to require perl 5.8.9_*, so more upgrades of other ports will fail eventually. While I do understand the wish to keep something 'fixed', the only real way to do that is to fix the entire system, i.e.: don't upgrade any other port.
 
This is all fine and dandy that you guys want him to upgrade, however that's not his problem.
He specified that he does not want portaudit to report on a specific problem and stated reasons for it. Policies differ from administrator to administrator and one can in fact create a patch for this vulnerability as a temporary measure, till perl 5.8.9 has been tested thoroughly with the production environment on a test machine.

The problem is that portaudit doesn't work as pbd expects. The portaudit_fixed configuration value only applies to vulnerabilities in ports that are specific to FreeBSD versions, which are only 4 at present:
% grep '^FreeBSD' auditfile
FreeBSD<491101|http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html|multiple vulnerabilities in the cvs server code
FreeBSD>=500000<502114|http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html|multiple vulnerabilities in the cvs server code
FreeBSD>=502120<503000|http://www.FreeBSD.org/ports/portaudit/1b98165f-fdd9-11d8-81b0-000347a4fa7d.html|zlib DoS vulnerability
FreeBSD>=600000<600001|http://www.FreeBSD.org/ports/portaudit/1b98165f-fdd9-11d8-81b0-000347a4fa7d.html|zlib DoS vulnerability

One would have to wrap portaudit's output if one does not want to be bothered about it.
More importantly, this can hold upgrades of software not affected at all by this vulnerability, because it only uses perl as a build dependency. The ports system, however, does not use portaudit directly, but extracts and uses the auditfile by itself. The fix/workaround for that is to put DISABLE_VULNERABILITIES=yes in /usr/ports/lang/perl5.8/Makefile.local or, if you use portsnap (which may delete the Makefile.local), add the following to /etc/make.conf:
Code:
.if !empty(.CURDIR:M/usr/ports/lang/perl5.8)
DISABLE_VULNERABILITIES=yes
.endif
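The "wrap portaudit's output" approach mentioned above, written out as an added example (not part of portaudit or of any post in this thread). It filters the record format shown earlier in the thread by reference VID, recounts what is left, and keeps a non-zero exit status while any unaccepted problem remains; the sample output and the ignore-file path are constructed for the example.

```shell
#!/bin/sh
# Added example: filter "portaudit -a" style output, dropping records whose
# reference VID is on a locally accepted list. Assumes records of the form
# "Affected package:" / "Type of problem:" / "Reference:" separated by blank
# lines, as shown in this thread.

# Constructed sample in the format portaudit printed above (two records).
SAMPLE_OUTPUT='Affected package: perl-5.8.8_1 (matched by perl>=5.8.0<5.8.9)
Type of problem: perl -- Directory Permissions Race Condition.
Reference: <http://www.FreeBSD.org/ports/portaudit/4a99d61c-f23a-11dd-9f55-0030843d3802.html>

Affected package: example-1.0 (matched by example<1.1)
Type of problem: example -- constructed placeholder entry.
Reference: <http://www.FreeBSD.org/ports/portaudit/00000000-0000-0000-0000-000000000000.html>

2 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.'

# filter_portaudit "VID1 VID2 ..."  reads portaudit output on stdin, prints
# the records whose VID is not listed plus a fresh count, and returns 1 if
# any problem remains (so it can still gate a cron job), 0 otherwise.
filter_portaudit() {
    awk -v ignore="$1" '
    BEGIN {
        RS = ""; FS = "\n"            # one paragraph per record, one line per field
        n = split(ignore, a, " ")
        for (i = 1; i <= n; i++) skip[a[i]] = 1
        kept = 0
    }
    /^Affected package:/ {
        vid = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Reference:/) {   # VID is the file name in the reference URL
                vid = $i
                sub(/.*\/portaudit\//, "", vid)
                sub(/\.html.*/, "", vid)
            }
        if (vid in skip) next           # locally accepted: drop the record
        kept++
        print $0 "\n"
        next
    }
    END {
        print kept " problem(s) in your installed packages found."
        exit (kept > 0)
    }'
}

# Usage on a real host (ignore-file path is an assumption for this example):
#   portaudit -a | filter_portaudit "$(cat /usr/local/etc/portaudit-ignore)"
```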