1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-03 01:23:49 +00:00

portaudit-db generates a portaudit database from a current

ports tree. It also features a file `database/portaudit.txt'
where UUIDs for vulnerabilities can be allocated quickly
before they are moved to the VuXML database.

Call `packaudit' after upgrading your ports tree.
This commit is contained in:
Oliver Eikemeier 2004-06-12 22:43:44 +00:00
parent b0551a5266
commit 53ec7442a9
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=111367
21 changed files with 1289 additions and 0 deletions

View File

@ -0,0 +1,41 @@
# New ports collection makefile for: portaudit-db
# Date created: 12 Jun 2004
# Whom: Oliver Eikemeier
#
# $FreeBSD$
#
PORTNAME= portaudit-db
PORTVERSION= 0.1
CATEGORIES= security
DISTFILES=
MAINTAINER= eik@FreeBSD.org
COMMENT= Creates a portaudit database from a current ports tree
RUN_DEPENDS= xsltproc:${PORTSDIR}/textproc/libxslt
DATABASEDIR?= ${AUDITFILE:H}
PLIST_SUB+= DATABASEDIR="${DATABASEDIR}"
SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
-e "s|%%DATADIR%%|${DATADIR}|g" \
-e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
-e "s|%%PORTSDIR%%|${PORTSDIR}|g" \
-e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
-e "s|%%DATABASEDIR%%|${DATABASEDIR}|g"
do-build:
@for f in packaudit.sh packaudit.conf; do \
${SED} ${SED_SCRIPT} "${FILESDIR}/$$f" > "${WRKDIR}/$$f"; \
done
do-install:
@${INSTALL_SCRIPT} ${WRKDIR}/packaudit.sh ${PREFIX}/bin/packaudit
@${INSTALL_DATA} ${WRKDIR}/packaudit.conf ${PREFIX}/etc/packaudit.conf.sample
@${MKDIR} ${DATADIR}
@${INSTALL_DATA} ${FILESDIR}/vuxml2html.xslt ${FILESDIR}/vuxml2portaudit.xslt ${DATADIR}
@${MKDIR} ${DATABASEDIR}
.include <bsd.port.mk>

View File

@ -0,0 +1,7 @@
# portaudit text based database
# $FreeBSD$
smtpproxy<=1.1.3|http://0xbadc0ded.org/advisories/0402.txt|remotely exploitable format string vulnerability|1abf65f9-bc9d-11d8-916c-000347dd607f
apache<1.3.31_1|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
apache+mod_ssl<1.3.31+2.8.18_3|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
apache<2.0.49_1|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
apache+mod_ssl*<1.3.31+2.8.18_4|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f

View File

@ -0,0 +1,4 @@
# portaudit exclude list
# $FreeBSD$
3362f2c1-8344-11d8-a41f-0020ed76ef5a
5e7f58c3-b3f8-4258-aeb8-795e5e940ff8

View File

@ -0,0 +1,69 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
This file is in the public domain.
$FreeBSD$
-->
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="42e330ab-82a4-11d8-868e-000347dd607f">
<topic>MPlayer remotely exploitable buffer overflow in the ASX parser</topic>
<affects>
<package>
<name>mplayer</name>
<name>mplayer-esound</name>
<name>mplayer-gtk</name>
<name>mplayer-gtk-esound</name>
<range><lt>0.92</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header,
and trick MPlayer into executing arbitrary code upon parsing that header.</p>
</body>
</description>
<references>
<url>http://www.mplayerhq.hu/</url>
<url>http://www.securityfocus.com/archive/1/339330</url>
<url>http://www.securityfocus.com/archive/1/339193</url>
<cvename>CAN-2003-0835</cvename>
<bid>8702</bid>
</references>
<dates>
<discovery>2003-09-24</discovery>
<entry>2004-03-30</entry>
</dates>
</vuln>
<vuln vid="d8c46d74-8288-11d8-868e-000347dd607f">
<topic>MPlayer remotely exploitable buffer overflow in the HTTP parser</topic>
<affects>
<package>
<name>mplayer</name>
<name>mplayer-esound</name>
<name>mplayer-gtk</name>
<name>mplayer-gtk-esound</name>
<range><lt>0.92.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful HTTP header (&quot;Location:&quot;),
and trick MPlayer into executing arbitrary code upon parsing that header.</p>
</body>
</description>
<references>
<url>http://www.mplayerhq.hu/</url>
<url>http://www.securityfocus.com/archive/1/359029</url>
<url>http://www.securityfocus.com/archive/1/359025</url>
</references>
<dates>
<discovery>2004-03-29</discovery>
<entry>2004-03-30</entry>
</dates>
</vuln>
</vuxml>

View File

@ -0,0 +1,9 @@
#
# $FreeBSD$
#
# packaudit.conf sample file
#
# avoid network access
export SGML_CATALOG_FILES="%%LOCALBASE%%/share/xml/catalog"
XSLTPROC_EXTRA_ARGS="--catalogs --nonet"

View File

@ -0,0 +1,112 @@
#!/bin/sh -e
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# 1. Redistributions of source code must retain the above copyright notice
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the author nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# $FreeBSD$
#
AWK=/usr/bin/awk
BASENAME=/usr/bin/basename
CAT=/bin/cat
DATE=/bin/date
ENV=/usr/bin/env
MD5=/sbin/md5
MKTEMP=/usr/bin/mktemp
RM=/bin/rm
SED=/usr/bin/sed
TAR=/usr/bin/tar
XSLTPROC=%%LOCALBASE%%/bin/xsltproc
PORTSDIR="${PORTSDIR:-%%PORTSDIR%%}"
VUXMLDIR="${VUXMLDIR:-$PORTSDIR/security/vuxml}"
PORTAUDITDBDIR="${PORTAUDITDBDIR:-$PORTSDIR/security/portaudit-db}"
DATABASEDIR="${DATABASEDIR:-%%DATABASEDIR%%}"
STYLESHEET="%%DATADIR%%/vuxml2portaudit.xslt"
PUBLIC_HTML="${PUBLIC_HTML:-$HOME/public_html/portaudit}"
HTMLSHEET="%%DATADIR%%/vuxml2html.xslt"
BASEURL="http://people.freebsd.org/~eik/portaudit/"
[ -r "%%PREFIX%%/etc/packaudit.conf" ] && . "%%PREFIX%%/etc/packaudit.conf"
VULVER=`$SED -En -e '/^.*\\$FreeBSD\: [^$ ]+,v ([0-9]+(\.[0-9]+)+) [^$]+\\$.*$/{s//\1/p;q;}' "$VUXMLDIR/vuln.xml"`
VULURL="http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=$VULVER"
if [ -d "$PUBLIC_HTML" ]; then
VULNMD5=`$CAT "$VUXMLDIR/vuln.xml" "$PORTAUDITDBDIR/database/portaudit.xml" | $MD5`
if [ -f "$PUBLIC_HTML/portaudit.md5" ]; then
VULNMD5_OLD=`$CAT "$PUBLIC_HTML/portaudit.md5"`
fi
if [ "$VULNMD5" != "$VULNMD5_OLD" ]; then
echo -n "$VULNMD5" > "$PUBLIC_HTML/portaudit.md5"
$XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam vulurl "$VULURL" --stringparam extradoc "$PORTAUDITDBDIR/database/portaudit.xml" \
-o "$PUBLIC_HTML/" "$HTMLSHEET" "$VUXMLDIR/vuln.xml"
fi
fi
TMPNAME=`$BASENAME "$0"`
TMPDIR=`$MKTEMP -d -t "$TMPNAME.$$"` || exit 1
TESTPORT="vulnerability-test-port>=2000<`$DATE -u +%Y.%m.%d`"
TESTURL="http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/"
TESTREASON="Not vulnerable, just a test port (database: `$DATE -u +%Y-%m-%d`)"
XLIST_FILE="$PORTAUDITDBDIR/database/portaudit.xlist"
cd "$TMPDIR" || exit 1
{
$DATE -u "+#CREATED: %Y-%m-%d %H:%M:%S"
echo "# Created by packaudit %%PORTVERSION%%"
echo "$TESTPORT|$TESTURL|$TESTREASON"
echo "# Please refer to the original document for copyright information:"
echo "# $VULURL"
$XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$VUXMLDIR/vuln.xml"
echo "# This part is in the public domain"
$XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$PORTAUDITDBDIR/database/portaudit.xml"
$CAT "$PORTAUDITDBDIR/database/portaudit.txt"
} | $AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
BEGIN {
while((getline < XLIST_FILE) > 0)
if(!/^(#|$)/)
ignore[$1]=1
}
/^(#|$)/ {
print
next
}
{
if (!ignore[$4])
print $1 "|" $2 "|" $3
}' > auditfile
echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
$TAR -jcf "$DATABASEDIR/auditfile.tbz" auditfile
cd
$RM -Rf "$TMPDIR"

View File

@ -0,0 +1,287 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
$FreeBSD$
Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the author nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
VuXML to HTML converter.
Usage:
xsltproc -o html/ vuxml2html.xslt vuxml.xml
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xhtml vuxml" version="1.0">
<xsl:output method="xml"/>
<xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range" />
<!-- whole vuxml file -->
<xsl:template match="vuxml:vuxml">
<!-- index page, xhtml strict -->
<xsl:document href="index.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>portaudit: Vulnerability list</title>
<xsl:call-template name="css"/>
</head>
<body>
<div>
<xsl:call-template name="bar"/>
</div>
<h1>Vulnerabilities</h1>
<table>
<xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
<xsl:sort select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]" order="descending"/>
<tr>
<td>
<xsl:value-of select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]"/>
</td>
<td>
<a href="{translate(@vid, 'ABCDEF', 'abcdef')}.html">
<xsl:value-of select="vuxml:topic"/>
</a>
</td>
</tr>
</xsl:for-each>
</table>
<p>
<a href="index-pkg.html">[Sorted by package name]</a>
</p>
<xsl:call-template name="foo"/>
</body>
</html>
</xsl:document>
<!-- index page by packages, xhtml strict -->
<xsl:document href="index-pkg.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>portaudit: Vulnerability list by packages</title>
<xsl:call-template name="css"/>
</head>
<body>
<div>
<xsl:call-template name="bar"/>
</div>
<h1>Vulnerabilities</h1>
<table>
<xsl:for-each select="//vuxml:affects/vuxml:package/vuxml:name | document($extradoc)//vuxml:affects/vuxml:package/vuxml:name">
<xsl:sort select="translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
<xsl:sort select="(ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:modified | ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:entry)[1]" order="descending"/>
<tr>
<td>
<xsl:value-of select="."/>
</td>
<td>
<a href="{translate(ancestor-or-self::vuxml:vuln/@vid, 'ABCDEF', 'abcdef')}.html">
<xsl:value-of select="ancestor-or-self::vuxml:vuln/vuxml:topic"/>
</a>
</td>
</tr>
</xsl:for-each>
</table>
<p>
<a href="index.html">[Sorted by last modification]</a>
</p>
<xsl:call-template name="foo"/>
</body>
</html>
</xsl:document>
<!-- individual pages, xhtml strict -->
<xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
<xsl:document href="{translate(@vid, 'ABCDEF', 'abcdef')}.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>portaudit: <xsl:value-of select="vuxml:topic"/></title>
<xsl:call-template name="css"/>
</head>
<body>
<div>
<xsl:call-template name="bar"/>
</div>
<h1>
<xsl:value-of select="vuxml:topic"/>
</h1>
<h2>Description:</h2>
<xsl:copy-of select="vuxml:description/xhtml:body/*"/>
<h2>References:</h2>
<ul>
<xsl:apply-templates select="vuxml:references"/>
</ul>
<h2>Affects:</h2>
<ul>
<xsl:for-each select="vuxml:affects/vuxml:package">
<xsl:for-each select="vuxml:name">
<xsl:variable name="name" select="."/>
<xsl:for-each select="../vuxml:range">
<li>
<xsl:value-of select="$name"/>
<xsl:apply-templates/>
</li>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
<xsl:for-each select="vuxml:affects/vuxml:system">
<xsl:for-each select="vuxml:name">
<xsl:variable name="name" select="."/>
<xsl:for-each select="../vuxml:range">
<li>
<xsl:value-of select="$name"/>
<xsl:apply-templates/>
</li>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
</ul>
<xsl:call-template name="foo"/>
</body>
</html>
</xsl:document>
</xsl:for-each>
<!-- end of vuxml file processing -->
</xsl:template>
<!-- vulnerability references -->
<xsl:template match="vuxml:url">
<li>
<a href="{.}">
<xsl:value-of select="."/>
</a>
</li>
</xsl:template>
<xsl:template match="vuxml:cvename">
<li>CVE name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name={text()}"><xsl:value-of select="text()"/></a></li>
</xsl:template>
<xsl:template match="vuxml:bid">
<li>BugTraq ID <a href="http://www.securityfocus.com/bid/{.}"><xsl:value-of select="."/></a></li>
</xsl:template>
<xsl:template match="vuxml:certsa">
<li>CERT security advisory <a href="http://www.cert.org/advisories/{.}.html"><xsl:value-of select="."/></a></li>
</xsl:template>
<xsl:template match="vuxml:certvu">
<li>CERT vulnerability note <a href="http://www.kb.cert.org/vuls/id/{.}"><xsl:value-of select="."/></a></li>
</xsl:template>
<xsl:template match="vuxml:freebsdsa">
<li>FreeBSD security advisory <a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-{.}.asc">FreeBSD-<xsl:value-of select="."/></a></li>
</xsl:template>
<!-- comparison operators -->
<xsl:template match="vuxml:lt">
<xsl:text> &lt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:le">
<xsl:text> &lt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:gt">
<xsl:text> &gt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:ge">
<xsl:text> &gt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:eq">
<xsl:text> =</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<!-- style sheet -->
<xsl:template name="css">
<link rel="shortcut icon" href="http://www.freebsd.org/favicon.ico" type="image/x-icon"/>
<style type="text/css">
<xsl:comment>
<xsl:text>
body {
background-color : #ffffff;
color : #000000;
}
a:link { color: #0000ff }
a:visited { color: #840084 }
a:active { color: #0000ff }
h1 { color: #990000 }
img { color: white; border:none }
table {
border: none;
margin-top: 10px;
margin-bottom: 10px;
}
th {
text-align: left;
padding: 3px;
border: none;
vertical-align: top;
}
td {
padding: 3px;
border: none;
vertical-align: top;
}
tr.odd {
background: #eeeeee;
color: inherit;
}
</xsl:text>
</xsl:comment>
</style>
</xsl:template>
<!-- xhtml elements -->
<xsl:template name="bar">
<img src="http://www.freebsd.org/gifs/bar.gif" alt="Navigation Bar" height="33" width="565" usemap="#bar"/>
<map id="bar" name="bar">
<area shape="rect" coords="1,1,111,33" href="http://www.freebsd.org/" alt="Top"/>
<area shape="rect" coords="112,16,196,33" href="http://www.freebsd.org/ports/index.html" alt="Applications"/>
<area shape="rect" coords="197,16,256,33" href="http://www.freebsd.org/support.html" alt="Support"/>
<area shape="rect" coords="257,16,365,33" href="http://www.freebsd.org/docs.html" alt="Documentation"/>
<area shape="rect" coords="366,16,424,33" href="http://www.freebsd.org/commercial/commercial.html" alt="Vendors"/>
<area shape="rect" coords="425,16,475,33" href="http://www.freebsd.org/search/search.html" alt="Search"/>
<area shape="rect" coords="476,16,516,33" href="http://www.freebsd.org/search/index-site.html" alt="Index"/>
<area shape="rect" coords="517,16,565,33" href="http://www.freebsd.org/" alt="Top"/>
<area shape="rect" coords="0,0,565,33" href="http://www.freebsd.org/" alt="Top"/>
</map>
</xsl:template>
<xsl:template name="foo">
<hr/>
<p><strong>Disclaimer:</strong> The data contained on this page is derived for the VuXML document,
please refer to the <a href="{$vulurl}">the original document</a> for copyright information. The author of
portaudit makes no claim of authorship or ownership of any of the information contained herein.</p>
<p>
If you have found a vulnerability in a FreeBSD port not listed in the
database, please <a href="mailto:security-officer@FreeBSD.org">contact the
FreeBSD Security Officer</a>. Refer to
<a href="http://www.freebsd.org/security/#sec">"FreeBSD Security
Information"</a> for more information.
</p>
<hr/>
<address title="Oliver Eikemeier">
Oliver Eikemeier <a href="mailto:eik@FreeBSD.org?subject=portaudit">&lt;eik@FreeBSD.org&gt;</a>
</address>
</xsl:template>
</xsl:stylesheet>

View File

@ -0,0 +1,92 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
$FreeBSD$
Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the author nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
VuXML to portaudit database converter.
Usage:
xsltproc -o auditfile vuxml2portaudit.xslt vuxml.xml
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" version="1.0">
<xsl:output method="text"/>
<xsl:variable name="newline">
<xsl:text>&#010;</xsl:text>
</xsl:variable>
<!-- xxx -->
<xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range"/>
<xsl:template match="/">
<xsl:text># Converted by vuxml2portaudit
</xsl:text>
<xsl:for-each select="vuxml:vuxml/vuxml:vuln">
<xsl:variable name="topic" select="normalize-space(vuxml:topic)"/>
<xsl:variable name="vid" select="translate(@vid, 'ABCDEF', 'abcdef')"/>
<xsl:for-each select="vuxml:affects/vuxml:package">
<xsl:for-each select="vuxml:name">
<xsl:variable name="name" select="."/>
<xsl:for-each select="../vuxml:range">
<xsl:value-of select="$name"/>
<xsl:apply-templates/>
<xsl:text>|</xsl:text>
<xsl:value-of select="$baseurl"/>
<xsl:value-of select="$vid"/>
<xsl:text>.html</xsl:text>
<xsl:text>|</xsl:text>
<xsl:value-of select="$topic"/>
<xsl:text>|</xsl:text>
<xsl:value-of select="$vid"/>
<xsl:value-of select="$newline"/>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
</xsl:template>
<!-- xxx -->
<xsl:template match="vuxml:lt">
<xsl:text>&lt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:le">
<xsl:text>&lt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:gt">
<xsl:text>&gt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:ge">
<xsl:text>&gt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:eq">
<xsl:text>=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
</xsl:stylesheet>

View File

@ -0,0 +1,16 @@
In contrast to security/portaudit, which is designed to be an
install-and-forget solution, portaudit-db requires a current
ports tree and generates a database that can be used locally
or distributed over a network.
Furthermore committers that want to add entries to the VuXML
database may use this port to check their changes locally.
It also features a file `database/portaudit.txt' where UUIDs
for vulnerabilities can be allocated before they have been
investigated thoroughly and moved to the VuXML database by
the security officer team.
Call `packaudit' after upgrading your ports tree.
WWW: http://people.freebsd.org/~eik/portaudit/
Oliver Eikemeier <eik@FreeBSD.org>

View File

@ -0,0 +1,7 @@
bin/packaudit
etc/packaudit.conf.sample
%%DATADIR%%/vuxml2html.xslt
%%DATADIR%%/vuxml2portaudit.xslt
@dirrm %%DATADIR%%
@exec mkdir -p %%DATABASEDIR%%
@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true

View File

@ -320,6 +320,7 @@
SUBDIR += pktsuckers
SUBDIR += poc
SUBDIR += portaudit
SUBDIR += portaudit-db
SUBDIR += portscanner
SUBDIR += portsentry
SUBDIR += ppgen

View File

@ -0,0 +1,41 @@
# New ports collection makefile for: portaudit-db
# Date created: 12 Jun 2004
# Whom: Oliver Eikemeier
#
# $FreeBSD$
#
PORTNAME= portaudit-db
PORTVERSION= 0.1
CATEGORIES= security
DISTFILES=
MAINTAINER= eik@FreeBSD.org
COMMENT= Creates a portaudit database from a current ports tree
RUN_DEPENDS= xsltproc:${PORTSDIR}/textproc/libxslt
DATABASEDIR?= ${AUDITFILE:H}
PLIST_SUB+= DATABASEDIR="${DATABASEDIR}"
SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
-e "s|%%DATADIR%%|${DATADIR}|g" \
-e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
-e "s|%%PORTSDIR%%|${PORTSDIR}|g" \
-e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
-e "s|%%DATABASEDIR%%|${DATABASEDIR}|g"
do-build:
@for f in packaudit.sh packaudit.conf; do \
${SED} ${SED_SCRIPT} "${FILESDIR}/$$f" > "${WRKDIR}/$$f"; \
done
do-install:
@${INSTALL_SCRIPT} ${WRKDIR}/packaudit.sh ${PREFIX}/bin/packaudit
@${INSTALL_DATA} ${WRKDIR}/packaudit.conf ${PREFIX}/etc/packaudit.conf.sample
@${MKDIR} ${DATADIR}
@${INSTALL_DATA} ${FILESDIR}/vuxml2html.xslt ${FILESDIR}/vuxml2portaudit.xslt ${DATADIR}
@${MKDIR} ${DATABASEDIR}
.include <bsd.port.mk>

View File

@ -0,0 +1,7 @@
# portaudit text based database
# $FreeBSD$
smtpproxy<=1.1.3|http://0xbadc0ded.org/advisories/0402.txt|remotely exploitable format string vulnerability|1abf65f9-bc9d-11d8-916c-000347dd607f
apache<1.3.31_1|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
apache+mod_ssl<1.3.31+2.8.18_3|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
apache<2.0.49_1|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
apache+mod_ssl*<1.3.31+2.8.18_4|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f

View File

@ -0,0 +1,4 @@
# portaudit exclude list
# $FreeBSD$
3362f2c1-8344-11d8-a41f-0020ed76ef5a
5e7f58c3-b3f8-4258-aeb8-795e5e940ff8

View File

@ -0,0 +1,69 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
This file is in the public domain.
$FreeBSD$
-->
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="42e330ab-82a4-11d8-868e-000347dd607f">
<topic>MPlayer remotely exploitable buffer overflow in the ASX parser</topic>
<affects>
<package>
<name>mplayer</name>
<name>mplayer-esound</name>
<name>mplayer-gtk</name>
<name>mplayer-gtk-esound</name>
<range><lt>0.92</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header,
and trick MPlayer into executing arbitrary code upon parsing that header.</p>
</body>
</description>
<references>
<url>http://www.mplayerhq.hu/</url>
<url>http://www.securityfocus.com/archive/1/339330</url>
<url>http://www.securityfocus.com/archive/1/339193</url>
<cvename>CAN-2003-0835</cvename>
<bid>8702</bid>
</references>
<dates>
<discovery>2003-09-24</discovery>
<entry>2004-03-30</entry>
</dates>
</vuln>
<vuln vid="d8c46d74-8288-11d8-868e-000347dd607f">
<topic>MPlayer remotely exploitable buffer overflow in the HTTP parser</topic>
<affects>
<package>
<name>mplayer</name>
<name>mplayer-esound</name>
<name>mplayer-gtk</name>
<name>mplayer-gtk-esound</name>
<range><lt>0.92.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful HTTP header (&quot;Location:&quot;),
and trick MPlayer into executing arbitrary code upon parsing that header.</p>
</body>
</description>
<references>
<url>http://www.mplayerhq.hu/</url>
<url>http://www.securityfocus.com/archive/1/359029</url>
<url>http://www.securityfocus.com/archive/1/359025</url>
</references>
<dates>
<discovery>2004-03-29</discovery>
<entry>2004-03-30</entry>
</dates>
</vuln>
</vuxml>

View File

@ -0,0 +1,9 @@
#
# $FreeBSD$
#
# packaudit.conf sample file
#
# avoid network access
export SGML_CATALOG_FILES="%%LOCALBASE%%/share/xml/catalog"
XSLTPROC_EXTRA_ARGS="--catalogs --nonet"

View File

@ -0,0 +1,112 @@
#!/bin/sh -e
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# 1. Redistributions of source code must retain the above copyright notice
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the author nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# $FreeBSD$
#
AWK=/usr/bin/awk
BASENAME=/usr/bin/basename
CAT=/bin/cat
DATE=/bin/date
ENV=/usr/bin/env
MD5=/sbin/md5
MKTEMP=/usr/bin/mktemp
RM=/bin/rm
SED=/usr/bin/sed
TAR=/usr/bin/tar
XSLTPROC=%%LOCALBASE%%/bin/xsltproc
PORTSDIR="${PORTSDIR:-%%PORTSDIR%%}"
VUXMLDIR="${VUXMLDIR:-$PORTSDIR/security/vuxml}"
PORTAUDITDBDIR="${PORTAUDITDBDIR:-$PORTSDIR/security/portaudit-db}"
DATABASEDIR="${DATABASEDIR:-%%DATABASEDIR%%}"
STYLESHEET="%%DATADIR%%/vuxml2portaudit.xslt"
PUBLIC_HTML="${PUBLIC_HTML:-$HOME/public_html/portaudit}"
HTMLSHEET="%%DATADIR%%/vuxml2html.xslt"
BASEURL="http://people.freebsd.org/~eik/portaudit/"
[ -r "%%PREFIX%%/etc/packaudit.conf" ] && . "%%PREFIX%%/etc/packaudit.conf"
VULVER=`$SED -En -e '/^.*\\$FreeBSD\: [^$ ]+,v ([0-9]+(\.[0-9]+)+) [^$]+\\$.*$/{s//\1/p;q;}' "$VUXMLDIR/vuln.xml"`
VULURL="http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=$VULVER"
if [ -d "$PUBLIC_HTML" ]; then
VULNMD5=`$CAT "$VUXMLDIR/vuln.xml" "$PORTAUDITDBDIR/database/portaudit.xml" | $MD5`
if [ -f "$PUBLIC_HTML/portaudit.md5" ]; then
VULNMD5_OLD=`$CAT "$PUBLIC_HTML/portaudit.md5"`
fi
if [ "$VULNMD5" != "$VULNMD5_OLD" ]; then
echo -n "$VULNMD5" > "$PUBLIC_HTML/portaudit.md5"
$XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam vulurl "$VULURL" --stringparam extradoc "$PORTAUDITDBDIR/database/portaudit.xml" \
-o "$PUBLIC_HTML/" "$HTMLSHEET" "$VUXMLDIR/vuln.xml"
fi
fi
TMPNAME=`$BASENAME "$0"`
TMPDIR=`$MKTEMP -d -t "$TMPNAME.$$"` || exit 1
TESTPORT="vulnerability-test-port>=2000<`$DATE -u +%Y.%m.%d`"
TESTURL="http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/"
TESTREASON="Not vulnerable, just a test port (database: `$DATE -u +%Y-%m-%d`)"
XLIST_FILE="$PORTAUDITDBDIR/database/portaudit.xlist"
cd "$TMPDIR" || exit 1
{
$DATE -u "+#CREATED: %Y-%m-%d %H:%M:%S"
echo "# Created by packaudit %%PORTVERSION%%"
echo "$TESTPORT|$TESTURL|$TESTREASON"
echo "# Please refer to the original document for copyright information:"
echo "# $VULURL"
$XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$VUXMLDIR/vuln.xml"
echo "# This part is in the public domain"
$XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$PORTAUDITDBDIR/database/portaudit.xml"
$CAT "$PORTAUDITDBDIR/database/portaudit.txt"
} | $AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
BEGIN {
while((getline < XLIST_FILE) > 0)
if(!/^(#|$)/)
ignore[$1]=1
}
/^(#|$)/ {
print
next
}
{
if (!ignore[$4])
print $1 "|" $2 "|" $3
}' > auditfile
echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
$TAR -jcf "$DATABASEDIR/auditfile.tbz" auditfile
cd
$RM -Rf "$TMPDIR"

View File

@ -0,0 +1,287 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
$FreeBSD$
Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the author nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
VuXML to HTML converter.
Usage:
xsltproc -o html/ vuxml2html.xslt vuxml.xml
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xhtml vuxml" version="1.0">
<xsl:output method="xml"/>
<xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range" />
<!-- whole vuxml file -->
<xsl:template match="vuxml:vuxml">
<!-- index page, xhtml strict -->
<xsl:document href="index.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>portaudit: Vulnerability list</title>
<xsl:call-template name="css"/>
</head>
<body>
<div>
<xsl:call-template name="bar"/>
</div>
<h1>Vulnerabilities</h1>
<table>
<xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
<xsl:sort select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]" order="descending"/>
<tr>
<td>
<xsl:value-of select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]"/>
</td>
<td>
<a href="{translate(@vid, 'ABCDEF', 'abcdef')}.html">
<xsl:value-of select="vuxml:topic"/>
</a>
</td>
</tr>
</xsl:for-each>
</table>
<p>
<a href="index-pkg.html">[Sorted by package name]</a>
</p>
<xsl:call-template name="foo"/>
</body>
</html>
</xsl:document>
<!-- index page by packages, xhtml strict -->
<xsl:document href="index-pkg.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>portaudit: Vulnerability list by packages</title>
<xsl:call-template name="css"/>
</head>
<body>
<div>
<xsl:call-template name="bar"/>
</div>
<h1>Vulnerabilities</h1>
<table>
<xsl:for-each select="//vuxml:affects/vuxml:package/vuxml:name | document($extradoc)//vuxml:affects/vuxml:package/vuxml:name">
<xsl:sort select="translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
<xsl:sort select="(ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:modified | ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:entry)[1]" order="descending"/>
<tr>
<td>
<xsl:value-of select="."/>
</td>
<td>
<a href="{translate(ancestor-or-self::vuxml:vuln/@vid, 'ABCDEF', 'abcdef')}.html">
<xsl:value-of select="ancestor-or-self::vuxml:vuln/vuxml:topic"/>
</a>
</td>
</tr>
</xsl:for-each>
</table>
<p>
<a href="index.html">[Sorted by last modification]</a>
</p>
<xsl:call-template name="foo"/>
</body>
</html>
</xsl:document>
<!-- individual pages, xhtml strict -->
<xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
<xsl:document href="{translate(@vid, 'ABCDEF', 'abcdef')}.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>portaudit: <xsl:value-of select="vuxml:topic"/></title>
<xsl:call-template name="css"/>
</head>
<body>
<div>
<xsl:call-template name="bar"/>
</div>
<h1>
<xsl:value-of select="vuxml:topic"/>
</h1>
<h2>Description:</h2>
<xsl:copy-of select="vuxml:description/xhtml:body/*"/>
<h2>References:</h2>
<ul>
<xsl:apply-templates select="vuxml:references"/>
</ul>
<h2>Affects:</h2>
<ul>
<xsl:for-each select="vuxml:affects/vuxml:package">
<xsl:for-each select="vuxml:name">
<xsl:variable name="name" select="."/>
<xsl:for-each select="../vuxml:range">
<li>
<xsl:value-of select="$name"/>
<xsl:apply-templates/>
</li>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
<xsl:for-each select="vuxml:affects/vuxml:system">
<xsl:for-each select="vuxml:name">
<xsl:variable name="name" select="."/>
<xsl:for-each select="../vuxml:range">
<li>
<xsl:value-of select="$name"/>
<xsl:apply-templates/>
</li>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
</ul>
<xsl:call-template name="foo"/>
</body>
</html>
</xsl:document>
</xsl:for-each>
<!-- end of vuxml file processing -->
</xsl:template>
<!-- vulnerability references -->
<xsl:template match="vuxml:url">
<li>
<a href="{.}">
<xsl:value-of select="."/>
</a>
</li>
</xsl:template>
<xsl:template match="vuxml:cvename">
<li>CVE name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name={text()}"><xsl:value-of select="text()"/></a></li>
</xsl:template>
<xsl:template match="vuxml:bid">
<li>BugTraq ID <a href="http://www.securityfocus.com/bid/{.}"><xsl:value-of select="."/></a></li>
</xsl:template>
<xsl:template match="vuxml:certsa">
<li>CERT security advisory <a href="http://www.cert.org/advisories/{.}.html"><xsl:value-of select="."/></a></li>
</xsl:template>
<xsl:template match="vuxml:certvu">
<li>CERT vulnerability note <a href="http://www.kb.cert.org/vuls/id/{.}"><xsl:value-of select="."/></a></li>
</xsl:template>
<xsl:template match="vuxml:freebsdsa">
<li>FreeBSD security advisory <a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-{.}.asc">FreeBSD-<xsl:value-of select="."/></a></li>
</xsl:template>
<!-- comparison operators -->
<xsl:template match="vuxml:lt">
<xsl:text> &lt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:le">
<xsl:text> &lt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:gt">
<xsl:text> &gt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:ge">
<xsl:text> &gt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:eq">
<xsl:text> =</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<!-- style sheet -->
<xsl:template name="css">
<link rel="shortcut icon" href="http://www.freebsd.org/favicon.ico" type="image/x-icon"/>
<style type="text/css">
<xsl:comment>
<xsl:text>
body {
background-color : #ffffff;
color : #000000;
}
a:link { color: #0000ff }
a:visited { color: #840084 }
a:active { color: #0000ff }
h1 { color: #990000 }
img { color: white; border:none }
table {
border: none;
margin-top: 10px;
margin-bottom: 10px;
}
th {
text-align: left;
padding: 3px;
border: none;
vertical-align: top;
}
td {
padding: 3px;
border: none;
vertical-align: top;
}
tr.odd {
background: #eeeeee;
color: inherit;
}
</xsl:text>
</xsl:comment>
</style>
</xsl:template>
<!-- xhtml elements -->
<xsl:template name="bar">
<img src="http://www.freebsd.org/gifs/bar.gif" alt="Navigation Bar" height="33" width="565" usemap="#bar"/>
<map id="bar" name="bar">
<area shape="rect" coords="1,1,111,33" href="http://www.freebsd.org/" alt="Top"/>
<area shape="rect" coords="112,16,196,33" href="http://www.freebsd.org/ports/index.html" alt="Applications"/>
<area shape="rect" coords="197,16,256,33" href="http://www.freebsd.org/support.html" alt="Support"/>
<area shape="rect" coords="257,16,365,33" href="http://www.freebsd.org/docs.html" alt="Documentation"/>
<area shape="rect" coords="366,16,424,33" href="http://www.freebsd.org/commercial/commercial.html" alt="Vendors"/>
<area shape="rect" coords="425,16,475,33" href="http://www.freebsd.org/search/search.html" alt="Search"/>
<area shape="rect" coords="476,16,516,33" href="http://www.freebsd.org/search/index-site.html" alt="Index"/>
<area shape="rect" coords="517,16,565,33" href="http://www.freebsd.org/" alt="Top"/>
<area shape="rect" coords="0,0,565,33" href="http://www.freebsd.org/" alt="Top"/>
</map>
</xsl:template>
<xsl:template name="foo">
<hr/>
<p><strong>Disclaimer:</strong> The data contained on this page is derived for the VuXML document,
please refer to the <a href="{$vulurl}">the original document</a> for copyright information. The author of
portaudit makes no claim of authorship or ownership of any of the information contained herein.</p>
<p>
If you have found a vulnerability in a FreeBSD port not listed in the
database, please <a href="mailto:security-officer@FreeBSD.org">contact the
FreeBSD Security Officer</a>. Refer to
<a href="http://www.freebsd.org/security/#sec">"FreeBSD Security
Information"</a> for more information.
</p>
<hr/>
<address title="Oliver Eikemeier">
Oliver Eikemeier <a href="mailto:eik@FreeBSD.org?subject=portaudit">&lt;eik@FreeBSD.org&gt;</a>
</address>
</xsl:template>
</xsl:stylesheet>

View File

@ -0,0 +1,92 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
$FreeBSD$
Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the author nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
VuXML to portaudit database converter.
Usage:
xsltproc -o auditfile vuxml2portaudit.xslt vuxml.xml
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" version="1.0">
<xsl:output method="text"/>
<xsl:variable name="newline">
<xsl:text>&#010;</xsl:text>
</xsl:variable>
<!-- xxx -->
<xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range"/>
<xsl:template match="/">
<xsl:text># Converted by vuxml2portaudit
</xsl:text>
<xsl:for-each select="vuxml:vuxml/vuxml:vuln">
<xsl:variable name="topic" select="normalize-space(vuxml:topic)"/>
<xsl:variable name="vid" select="translate(@vid, 'ABCDEF', 'abcdef')"/>
<xsl:for-each select="vuxml:affects/vuxml:package">
<xsl:for-each select="vuxml:name">
<xsl:variable name="name" select="."/>
<xsl:for-each select="../vuxml:range">
<xsl:value-of select="$name"/>
<xsl:apply-templates/>
<xsl:text>|</xsl:text>
<xsl:value-of select="$baseurl"/>
<xsl:value-of select="$vid"/>
<xsl:text>.html</xsl:text>
<xsl:text>|</xsl:text>
<xsl:value-of select="$topic"/>
<xsl:text>|</xsl:text>
<xsl:value-of select="$vid"/>
<xsl:value-of select="$newline"/>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
</xsl:for-each>
</xsl:template>
<!-- xxx -->
<xsl:template match="vuxml:lt">
<xsl:text>&lt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:le">
<xsl:text>&lt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:gt">
<xsl:text>&gt;</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:ge">
<xsl:text>&gt;=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
<xsl:template match="vuxml:eq">
<xsl:text>=</xsl:text>
<xsl:value-of select="text()"/>
</xsl:template>
</xsl:stylesheet>

View File

@ -0,0 +1,16 @@
In contrast to security/portaudit, which is designed to be an
install-and-forget solution, portaudit-db requires a current
ports tree and generates a database that can be used locally
or distributed over a network.
Furthermore committers that want to add entries to the VuXML
database may use this port to check their changes locally.
It also features a file `database/portaudit.txt' where UUIDs
for vulnerabilities can be allocated before they have been
investigated thoroughly and moved to the VuXML database by
the security officer team.
Call `packaudit' after upgrading your ports tree.
WWW: http://people.freebsd.org/~eik/portaudit/
Oliver Eikemeier <eik@FreeBSD.org>

View File

@ -0,0 +1,7 @@
bin/packaudit
etc/packaudit.conf.sample
%%DATADIR%%/vuxml2html.xslt
%%DATADIR%%/vuxml2portaudit.xslt
@dirrm %%DATADIR%%
@exec mkdir -p %%DATABASEDIR%%
@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true