From bortzmeyer@nic.fr  Tue Dec  2 08:20:46 2003
Return-Path: <bortzmeyer@nic.fr>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CEEBA16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  2 Dec 2003 08:20:46 -0800 (PST)
Received: from maya20.nic.fr (maya20.nic.fr [192.134.4.152])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2269343F93
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  2 Dec 2003 08:20:43 -0800 (PST)
	(envelope-from bortzmeyer@nic.fr)
Received: from vespucci.nic.fr (postfix@vespucci.nic.fr [192.134.4.68])
	by maya20.nic.fr (8.12.4/8.12.4) with ESMTP id hB2GKfQW1081607;
	Tue, 2 Dec 2003 17:20:41 +0100 (CET)
Received: by vespucci.nic.fr (Postfix, from userid 1055)
	id 6EE1CFAA5; Tue,  2 Dec 2003 17:20:41 +0100 (CET)
Message-Id: <20031202162041.6EE1CFAA5@vespucci.nic.fr>
Date: Tue,  2 Dec 2003 17:20:41 +0100 (CET)
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Subject: The echoping port is wrongly flagged (security alert)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         59905
>Category:       ports
>Synopsis:       The echoping port is wrongly flagged (security alert)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 02 08:30:24 PST 2003
>Closed-Date:    Tue Dec 02 10:49:15 PST 2003
>Last-Modified:  Wed Dec  3 03:40:21 PST 2003
>Originator:     Stephane Bortzmeyer
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
AFNICN
>Environment:
System: FreeBSD fetiche.sources.org 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Thu Jun 5 02:55:42 GMT 2003 root@wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When installing the echoping port, it says:
  ===> SECURITY REPORT: This port has installed the following files
which may act as network servers and may therefore pose a remote
security risk to the system.  
/usr/local/bin/echoping
      If there are vulnerabilities in these programs there may be a
security risk to the system. FreeBSD makes no guarantee about the
security of ports included in the Ports Collection. Please type 'make
deinstall' to deinstall the port if this is a concern.
      For more information, and contact details about the security
status of this software, see the following webpage:
 http://echoping.sourceforge.net/

   But echoping is *not* a network server and never was. I wonder where
this strange alert comes from. IMHO, since echoping:
  * is not and cannot be a network server,
  * is never setuid or setgid,
  it should not generate a security report.
>How-To-Repeat:
>Fix:

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: adamw 
State-Changed-When: Tue Dec 2 10:47:05 PST 2003 
State-Changed-Why:  
Please look at the section starting at line 3313 in bsd.port.mk. 
echoping is flagged because it uses either accept() or recvfrom(). 
In echoping's case, it's because of recvfrom(). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59905 

From: Uwe Doering <gemini@geminix.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/59905: The echoping port is wrongly flagged (security alert)
Date: Wed, 03 Dec 2003 12:35:01 +0100

 Stephane Bortzmeyer wrote:
 >>Description:
 > 
 > When installing the echoping port, it says:
 >   ===> SECURITY REPORT: This port has installed the following files
 > which may act as network servers and may therefore pose a remote
 > security risk to the system.  
 > /usr/local/bin/echoping
 >       If there are vulnerabilities in these programs there may be a
 > security risk to the system. FreeBSD makes no guarantee about the
 > security of ports included in the Ports Collection. Please type 'make
 > deinstall' to deinstall the port if this is a concern.
 >       For more information, and contact details about the security
 > status of this software, see the following webpage:
 >  http://echoping.sourceforge.net/
 > 
 >    But echoping is *not* a network server and never was. I wonder where
 > this strange alert comes from. IMHO, since echoping:
 >   * is not and cannot be a network server,
 >   * is never setuid or setgid,
 >   it should not generate a security report.
 
 To be classified as network server it is sufficient if the program uses 
 either accept() or recvfrom().  I haven't looked but since 'echoping' 
 deals with UDP, too, the likely culprit is recvfrom().  So while 
 flagging 'echoping' as network server is wrong it is also harmless, 
 IMHO.  For more details have a look at '/usr/ports/Mk/bsd.port.mk'.
 
     Uwe
 -- 
 Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
 gemini@geminix.org  |  http://www.escapebox.net
 
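The accept()/recvfrom() rule that adamw and Uwe describe, as an added example written for this page in Python. It is not bsd.port.mk's own check (which is make and shell driving find/objdump over the installed files), and the symbol listings below are constructed to look like `nm -D` output; they are not the real symbol tables of echoping or of any daemon. The "tighter" rule is an assumption of this example, offered to show why a plain UDP client trips the report and what it would take to tell it apart from a UDP server; FreeBSD did not ship it.

```python
"""The accept()/recvfrom() heuristic described in the PR, applied to
constructed `nm -D`-style symbol listings.  Added example for this page,
not the ports framework's own check and not real echoping output."""
import re
from typing import Dict, Set

# Symbols the bsd.port.mk security report keys on, per the audit trail.
PORTS_MK_SERVER_SYMBOLS = frozenset({"accept", "recvfrom"})

# One nm(1) line: optional hex address, a one-letter symbol type, a name.
# Undefined (imported) symbols carry no address and have type "U".
_NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")


def imported_symbols(nm_output: str) -> Set[str]:
    """Names a binary imports, taken from the 'U' lines of nm -D output.
    Version suffixes such as recvfrom@GLIBC_2.2.5 are stripped."""
    names: Set[str] = set()
    for line in nm_output.splitlines():
        m = _NM_LINE.match(line.strip())
        if m and m.group(1) == "U":
            names.add(m.group(2).split("@", 1)[0])
    return names


def ports_mk_flags(imports: Set[str]) -> bool:
    """The rule adamw and Uwe describe: any reference to accept() or
    recvfrom() gets the binary listed under SECURITY REPORT."""
    return bool(imports & PORTS_MK_SERVER_SYMBOLS)


def tighter_flags(imports: Set[str]) -> bool:
    """A narrower rule, an assumption of this example only (FreeBSD did not
    ship it): accept() still counts, but recvfrom() only counts when the
    binary also calls bind(), because a UDP client normally sends on an
    unbound socket and then recvfrom()s the reply.  Still a heuristic: a
    client that bind()s to pick a source interface is flagged too."""
    return "accept" in imports or ("recvfrom" in imports and "bind" in imports)


def classify(listings: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Run both rules over a {binary name: nm -D text} mapping."""
    result: Dict[str, Dict[str, bool]] = {}
    for name, text in listings.items():
        imports = imported_symbols(text)
        result[name] = {
            "ports_mk": ports_mk_flags(imports),
            "tighter": tighter_flags(imports),
        }
    return result


# Constructed listings in the shape of `nm -D <binary>` output.  They are
# illustrative only, not the symbol tables of the real programs.
SAMPLE_LISTINGS = {
    # A UDP/TCP probe like echoping: connect/sendto, then recvfrom the reply.
    "udp-probe": """\
                 U connect@GLIBC_2.2.5
                 U gethostbyname@GLIBC_2.2.5
0000000000001139 T main
                 U recvfrom@GLIBC_2.2.5
                 U sendto@GLIBC_2.2.5
                 U socket@GLIBC_2.2.5
""",
    # A UDP daemon: binds a well-known port and waits in recvfrom().
    "udp-daemon": """\
                 U bind
                 U recvfrom
                 U sendto
                 U socket
""",
    # A TCP daemon: bind/listen/accept.
    "tcp-daemon": """\
                 U accept
                 U bind
                 U listen
                 U socket
""",
    # No network calls at all.
    "plain-tool": """\
                 U malloc
                 U printf
                 w __cxa_finalize
""",
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_LISTINGS).items():
        print(f"{name:11s} ports.mk={verdict['ports_mk']!s:5s} "
              f"tighter={verdict['tighter']}")
```

To try it on a real binary, feed the output of `nm -D /usr/local/bin/echoping` (GNU or elftoolchain nm with the dynamic-symbol option; an assumption about the installed toolchain) to imported_symbols(). The udp-probe listing is reported by the ports.mk rule purely because of recvfrom(), which is the situation the submitter complains about; the tighter rule lets it through while still catching both daemons.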
>Unformatted:
