2009-12-31

FreeBSD - Known Vulnerabilities audit check on FreeBSD Ports

The FreeBSD Ports repository has a rich base of software. As of today, it has more than 21000 ports. As we all know, all software has bugs. Some bugs lead to vulnerabilities. Vulnerabilities open the door to unwanted access by those with ill intentions.

Every now and then, a FreeBSD sysadmin installs new ports or upgrades existing ones. As such, we should be aware of the bugs or vulnerabilities that come with them. Even if we may not be able to fix them, we should at least know about them so that we can find alternative ways to secure the system.

For ports, there is a utility that checks which vulnerabilities have been reported against them. Here is how to install it and keep it updated:

To install it, run :
cd /usr/ports/ports-mgmt/portaudit && make install clean

Remember to run the following command periodically so that it fetches the latest database of vulnerable ports. Add it to crontab:
/usr/local/sbin/portaudit -Fa

Should you run into trouble while installing some vital ports, this is what the error message looks like:

sample 01
(taken from the normal "make install clean" in ports directory)
===>  linux-pango-1.10.2_3 has known vulnerabilities:

=> pango -- integer overflow.

Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>

=> Please update your ports tree and try again.

*** Error code 1

Stop in /usr/ports/x11-toolkits/linux-pango.

*** Error code 1

Stop in /usr/ports/x11-toolkits/linux-gtk2.

*** Error code 1


sample 02

(taken from portmanager ports -l)
------------------------------------------------------------------------

fetch php5-5.2.11_1

MGPMrUpdate 0.4.1_9 command: #8 of 14  cd /usr/ports/lang/php5 && make fetch

------------------------------------------------------------------------

===>  php5-5.2.11_1 has known vulnerabilities:

=> php -- multiple vulnerabilities.

Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>

=> Please update your ports tree and try again.

*** Error code 1

Stop in /usr/ports/lang/php5.

The errors above might be caused by an outdated ports repository. FreeBSD has an excellent history of patching vulnerable software, so an outdated ports repository (meaning "old" software) will naturally have bugs in it. Make sure to run "portsnap fetch update" to get the latest ports repository, then retry the installation.

If portaudit still stops the installation, it means that there are some new vulnerabilities which have not been patched yet. Obviously, portaudit will not allow the installation to proceed.

Some of you must be thinking, "screw the bugs, gimme the ports". Here is how to bypass portaudit checks and proceed to install the vulnerable ports (You've been warned) :

Insert:
.if !empty(.CURDIR:M/portDirectory)
DISABLE_VULNERABILITIES=yes
.endif
*** There must be no space or tab in front of "DISABLE_VULNERABILITIES=yes"

into /etc/make.conf, where portDirectory is the full path to the directory of the port that produced the error message. This makes portaudit skip the check for this particular port only, e.g.
/usr/ports/x11-toolkits/linux-pango

or
/usr/ports/lang/php5


Updates
20100306 :
Should portaudit still check for vulnerabilities after you specify the full path, use a wildcard for the portDirectory parameter (in the example shown above).
e.g.
*lang/php5*
instead of
/usr/ports/lang/php5
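
To keep track of which ports have the check switched off, the following added example (not from the original post) lists every DISABLE_VULNERABILITIES line in a make.conf together with the directory pattern it applies to, and marks any line outside an .if block as GLOBAL because it affects every port. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report every
# DISABLE_VULNERABILITIES assignment in a make.conf and the scope it covers.
# audit_vuln_overrides and write_sample_conf are hypothetical helper names.

audit_vuln_overrides() {
    # $1 = path to a make.conf-style file
    # Output: "<line> GLOBAL <value>" or "<line> SCOPED <pattern> <value>"
    awk '
        /^\.[ \t]*if/ {                      # .if / .ifdef / .ifndef opens a level
            depth++
            scope[depth] = "(no-.CURDIR-match)"
            if (match($0, /\.CURDIR:M[^)]*/))   # keep the text after ":M"
                scope[depth] = substr($0, RSTART + 9, RLENGTH - 9)
            next
        }
        /^\.[ \t]*endif/ { if (depth > 0) depth--; next }
        /^[ \t]*DISABLE_VULNERABILITIES[ \t]*[?:+]?=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            if (depth == 0) print NR, "GLOBAL", val       # applies to every port
            else            print NR, "SCOPED", scope[depth], val
        }
    ' "$1"
}

write_sample_conf() {
    # Constructed sample input: two scoped bypasses as in the post, one global.
    cat > "$1" <<'EOF'
.if !empty(.CURDIR:M/usr/ports/x11-toolkits/linux-pango)
DISABLE_VULNERABILITIES=yes
.endif
.if !empty(.CURDIR:M*lang/php5*)
DISABLE_VULNERABILITIES=yes
.endif
DISABLE_VULNERABILITIES=yes
EOF
}

# Demo run on the constructed sample; point it at /etc/make.conf on a real host.
tmp=$(mktemp) && write_sample_conf "$tmp" && audit_vuln_overrides "$tmp"
rm -f "$tmp"
```

Each SCOPED line is a port whose bypass can be removed from /etc/make.conf once the ports tree carries a fixed version.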

Ciao !!!
