From 20ae6867e19828fc1b5a00c36298dd42b66f1882 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sun, 5 Oct 2008 18:56:13 +0400
Subject: [PATCH 2/4] Separate vulnerable ports search from the formatter routine

I am planning to insert some other filters between the code that outputs the vulnerable port entries and the code that formats the messages about vulnerabilities that had been found. Such a split provides a big flexibility: one can insert more filters that will transform entries and one can substitute search routine for something else (I am planning to substitute it with the binary utility written in a compiled language). This was done only for the routine that checks the installed ports, because it is my primary target for now. May be later I will split other auditing functions in the same way.

Signed-off-by: Eygene Ryabinkin
---
 ports-mgmt/portaudit/files/portaudit-cmd.sh | 101 +++++++++++++++++----------
 1 files changed, 63 insertions(+), 38 deletions(-)

diff --git a/ports-mgmt/portaudit/files/portaudit-cmd.sh b/ports-mgmt/portaudit/files/portaudit-cmd.sh
index b7f5dad..5fc0d1d 100755
--- a/ports-mgmt/portaudit/files/portaudit-cmd.sh
+++ b/ports-mgmt/portaudit/files/portaudit-cmd.sh
@@ -125,50 +125,75 @@ portaudit_prerequisites()
 return 0
 }
+#
+# Helper for audit_installed that actually finds vulnerable packages.
+#
+# It processes the auditfile entries (that are read from the stdin)
+# in the form "glob|refs|desc" and outputs entries in the form
+# "pkgname|glob|refs|desc", where "pkgname" is the matched package name.
+#
+findvuln_installed()
+{
+ local fixedre=`echo -n $portaudit_fixed | tr -c '[:alnum:]- \t\n' 'x' | tr -s ' \t\n' '|'`
+ local installedre=`$pkg_info -aE | sed -e 's/-[^-]*$//g' | paste -s -d '|' -`
+ local osversion=`sysctl -n kern.osreldate`
+
+ awk -F\| \
+ -v fixedre="$fixedre" -v installedre="$installedre" \
+ -v pkg_version="$pkg_version" -v pkg_info="$pkg_info" \
+ -v osversion="$osversion" -v opt_restrict="$opt_restrict" \
+ '
+/^(#|\$)/ { next }
+opt_restrict && $2 !~ opt_restrict { next }
+$1 ~ /^FreeBSD[<=>!]/ {
+ if (fixedre && $2 ~ fixedre) next
+ if (!system(pkg_version " -T \"FreeBSD-" osversion "\" \"" $1 "\"")) {
+ printf("FreeBSD-%s|%s\n", osversion, $0);
+ }
+ next
+}
+$1 ~ /^[^{}*?]*[<=>!]/ {
+ if ($1 !~ "^(" installedre ")[<=>!]") next;
+}
+{
+ cmd=pkg_info " -E \"" $1 "\""
+ while((cmd | getline pkg) > 0) {
+ printf("%s|%s\n", pkg, $0);
+ }
+ close(cmd)
+}
+'
+}
+
 audit_installed()
 {
 local rc=0
 local osversion=`sysctl -n kern.osreldate`
- fixedre=`echo -n $portaudit_fixed | tr -c '[:alnum:]- \t\n' 'x' | tr -s ' \t\n' '|'`
- installedre=`$pkg_info -aE | sed -e 's/-[^-]*$//g' | paste -s -d '|' -`
-
- extract_auditfile | awk -F\| "$PRINTAFFECTED_AWK"'
- BEGIN { vul=0; fixedre="'"$fixedre"'" }
- /^(#|\$)/ { next }
- $2 !~ /'"$opt_restrict"'/ { next }
- $1 ~ /^FreeBSD[<=>!]/ {
- if (fixedre && $2 ~ fixedre) next
- if (!system("'"$pkg_version"' -T \"FreeBSD-'"$osversion"'\" \"" $1 "\"")) {
- print_affected("FreeBSD-'"$osversion"'",
- $1, $2, $3, \
- "To disable this check add the uuid to \`portaudit_fixed'"'"' in %%PREFIX%%/etc/portaudit.conf")
- }
- next
- }
- $1 ~ /^[^{}*?]*[<=>!]/ {
- if ($1 !~ "^('"$installedre"')[<=>!]") next;
- }
- {
- cmd="'"$pkg_info"' -E \"" $1 "\""
- while((cmd | getline pkg) > 0) {
- vul++
- print_affected(pkg, $1, $2, $3, "")
- }
- close(cmd)
- }
- END {
- if ("'$opt_quiet'" == "false") {
- print vul " problem(s) in your installed packages found."
- }
- if (vul > 0) {
- if ("'$opt_quiet'" == "false") {
- print "\nYou are advised to update or deinstall" \
- " the affected package(s) immediately."
- }
- exit(1)
- }
+ extract_auditfile | findvuln_installed | \
+ awk -F\| "$PRINTAFFECTED_AWK"'
+BEGIN { vul=0; }
+$1 ~ /^FreeBSD-/ {
+ print_affected($1, $2, $3, $4, \
+ "To disable this check add the uuid to \`portaudit_fixed'"'"' in %%PREFIX%%/etc/portaudit.conf")
+ next
+}
+{
+ print_affected($1, $2, $3, $4, "");
+ vul++;
+}
+END {
+ if ("'$opt_quiet'" == "false") {
+ print vul " problem(s) in your installed packages found."
+ }
+ if (vul > 0) {
+ if ("'$opt_quiet'" == "false") {
+ print "\nYou are advised to update or deinstall" \
+ " the affected package(s) immediately."
 }
+ exit(1)
+ }
+}
 ' || rc=$?
 return $rc
-- 
1.6.2.4