From nobody@FreeBSD.org  Thu May 31 00:47:42 2012
Return-Path: <nobody@FreeBSD.org>
Message-Id: <201205310047.q4V0lfuT095451@red.freebsd.org>
Date: Thu, 31 May 2012 00:47:41 GMT
From: Michael Gmelin <freebsd@grem.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Mk/bsd.port.mk: [patch] portaudit reports vulnerability on database update
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         168479
>Category:       ports
>Synopsis:       Mk/bsd.port.mk: [patch] portaudit reports vulnerability on database update
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    portmgr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 31 00:50:01 UTC 2012
>Closed-Date:    Sun Jan 05 00:38:19 UTC 2014
>Last-Modified:  Sun Jan  5 01:20:00 UTC 2014
>Originator:     Michael Gmelin
>Release:        FreeBSD 9.0
>Organization:
Grem Equity GmbH
>Environment:
FreeBSD server 9.0-RELEASE-p1 FreeBSD 9.0-RELEASE-p1 #1: Fri May  4 22:07:36 UTC 2012     root@server:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
bsd.port.mk does simple parsing of portaudit's output to determine whether a port has a known vulnerability. portaudit is called with "-X 14", which means that if the portaudit database is older than 14 days (which happens easily on workstations that are turned off at night or that deliberately do not run the daily portaudit periodic script) portaudit produces output that is not expected, and the port is wrongly reported as vulnerable:

"*portnameXYZ* has known vulnerabilities"

>How-To-Repeat:
Install a port on a machine that uses a more than 14 days old portaudit database.
>Fix:
In a perfect world it would be best to make sure that portaudit has well-defined exit codes for all possible scenarios. Given the "fuzzy" nature of the scripts involved, I wrote a small and simple patch that just re-invokes portaudit a second time in case a problem has been reported. So if a refetch (or another temporary problem) caused the error, it will succeed on the second attempt, while a correctly detected vulnerability will be detected a second time as well.

Patch attached with submission follows:

--- /tmp/t      2012-03-12 10:32:45.367408079 +0000
+++ bsd.port.mk 2012-03-12 10:34:11.297406994 +0000
@@ -3414,6 +3414,11 @@
                        vlist=`${LOCALBASE}/sbin/portaudit -X 14 "${PKGNAME}" \
                                2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' \
                                || true`; \
+                       if [ -n "$$vlist" ]; then \
+                               vlist=`${LOCALBASE}/sbin/portaudit -X 14 "${PKGNAME}" \
+                                       2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' \
+                                       || true`; \
+                       fi; \
                else \
                        ${ECHO_MSG} "===>  portaudit database exist, but portaudit not found!"; \
                fi; \
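Review bot: The retry introduced at `if [ -n "$$vlist" ]; then` re-runs the identical command, so the two cases that leave text in `vlist` still cannot be told apart: a genuine finding and a non-vulnerability message that persists across both runs (for example a refetch that fails on a machine without network access) both end with a non-empty `vlist` and the port reported as vulnerable. Since the capture merges stderr with `2>&1` and strips only the `^[0-9]+ problem\(s\) found.` summary line, any diagnostic portaudit prints counts as a finding; consider keeping stderr out of the captured text or testing portaudit's exit status rather than its output, and add a comment above the `if` stating that the second call exists only to absorb the one-time output of a database refetch triggered by `-X 14`.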

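The stale-database false positive and the one-shot retry from the Fix section, modelled in plain sh as an added example (not code from the PR or from bsd.port.mk); `stub_portaudit`, its refetch notice and the `PORTAUDIT_VULN` switch are constructed stand-ins, since the PR does not quote portaudit's real refetch output.

```shell
# Added example, not from the PR or bsd.port.mk: a plain-sh model of the
# check-vulnerable capture, with a stub in place of portaudit so the stale
# database false positive and the one-shot retry can be exercised offline.

STALE_FLAG=${TMPDIR:-/tmp}/portaudit_stale_demo.$$

# Constructed stand-in for `portaudit -X 14 PKGNAME`. While STALE_FLAG
# exists it prints a refetch notice on stderr (constructed wording) and
# removes the flag, mimicking a one-time database update. When the shell
# variable PORTAUDIT_VULN is set it reports the package as affected.
stub_portaudit() {
    if [ -f "$STALE_FLAG" ]; then
        rm -f "$STALE_FLAG"
        echo "auditfile fetched, database updated" >&2
    fi
    if [ -n "$PORTAUDIT_VULN" ]; then
        echo "Affected package: $1"
        echo "1 problem(s) found."
        return 1
    fi
    echo "0 problem(s) found."
}

# Capture exactly as bsd.port.mk does: merge stderr into the text and drop
# only the summary line, so any other output is taken as a finding.
audit_once() {
    stub_portaudit "$1" 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true
}

# Pre-patch logic: one run, and any leftover text means "vulnerable".
# Returns 0 when the port is considered clean.
check_original() {
    vlist=$(audit_once "$1")
    [ -z "$vlist" ]
}

# Patched logic: run again once if the first run produced any text, so a
# one-time refetch notice is absorbed while a real finding is seen twice.
check_patched() {
    vlist=$(audit_once "$1")
    if [ -n "$vlist" ]; then
        vlist=$(audit_once "$1")
    fi
    [ -z "$vlist" ]
}

# Put the stub into the "database older than 14 days" state.
make_db_stale() { : > "$STALE_FLAG"; }
```

A refetch that keeps failing is not modelled: a stub that emitted the notice on every call would leave both runs non-empty, and the patched check would still report the port as vulnerable, which is the case the retry cannot cover.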

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->portmgr 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu May 31 10:55:20 UTC 2012 
Responsible-Changed-Why:  
bsd.port.mk is portmgr territory (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=168479 
State-Changed-From-To: open->closed 
State-Changed-By: bapt 
State-Changed-When: Sun Jan 5 00:38:18 UTC 2014 
State-Changed-Why:  
Close per maintainer request 

http://www.freebsd.org/cgi/query-pr.cgi?pr=168479 

From: Michael Gmelin <freebsd@grem.de>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/168479: Mk/bsd.port.mk: [patch] portaudit reports vulnerability on database update
Date: Sun, 5 Jan 2014 01:48:48 +0100

 Since this has been closed "upon maintainer request", but without any
 comment/resolution from portmgr:
 
 Applying the patch would have been a matter of minutes, but nobody
 seems to have the time for it. The problem still exists, but will
 probably be irrelevant due to pkgng in a few years from now.
 
 -- 
 Michael Gmelin

From: Baptiste Daroussin <baptiste.daroussin@gmail.com>
To: bug-followup@freebsd.org, freebsd@grem.de
Cc:  
Subject: Re: ports/168479: Mk/bsd.port.mk: [patch] portaudit reports vulnerability on database update
Date: Sun, 5 Jan 2014 02:08:56 +0100

 Sorry, I misunderstood your mail, and I also made a typo while closing: I sent
 "per maintainer request" instead of "per submitter request".
 
 I'll apply the patch now that I have reviewed it :)
 
 Sorry about that.
 
 regards,
 Bapt

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/168479: commit references a PR
Date: Sun,  5 Jan 2014 01:16:42 +0000 (UTC)

 Author: bapt
 Date: Sun Jan  5 01:16:34 2014
 New Revision: 338729
 URL: http://svnweb.freebsd.org/changeset/ports/338729
 
 Log:
   Reinvokes portaudit a second time in case a problem has been reported. So if a refetch (or another temporary problem) caused the error it will succeed on a second attempt, while a correctly detected vulnerability will be detected a second time.
   
   PR:		ports/168479
   Submitted by:	Michael Gmelin <freebsd@grem.de>
 
 Modified:
   head/Mk/bsd.port.mk
 
 Modified: head/Mk/bsd.port.mk
 ==============================================================================
 --- head/Mk/bsd.port.mk	Sun Jan  5 01:06:11 2014	(r338728)
 +++ head/Mk/bsd.port.mk	Sun Jan  5 01:16:34 2014	(r338729)
 @@ -3338,6 +3338,11 @@ check-vulnerable:
  			vlist=`${LOCALBASE}/sbin/portaudit -X 14 "${PKGNAME}" \
  				2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' \
  				|| true`; \
 +			if [ -n "$$vlist" ]; then \
 +				vlist=`${LOCALBASE}/sbin/portaudit -X 14 "${PKGNAME}" \
 +					2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' \
 +					|| true`; \
 +			fi ; \
  		else \
  			${ECHO_MSG} "===>  portaudit database exists, however, portaudit is not installed!"; \
  		fi; \
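Review bot: The duplicated portaudit invocation inside `if [ -n "$$vlist" ]; then` carries no comment explaining why the command is run twice, so a later reader of bsd.port.mk is likely to see it as an accidental copy and remove it; add a one-line comment above the `if` stating that the second run absorbs the output of a one-time database refetch triggered by `-X 14`, as the log message says. Minor style point: `fi ; \` has a space before the semicolon, while the surrounding `fi; \` two lines below does not.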
 
>Unformatted:
