21 files changed, 1289 insertions, 0 deletions
diff --git a/ports-mgmt/portaudit-db/Makefile b/ports-mgmt/portaudit-db/Makefile
new file mode 100644
index 000000000000..2a48688047d5
--- /dev/null
+++ b/ports-mgmt/portaudit-db/Makefile
@@ -0,0 +1,41 @@
+# New ports collection makefile for: portaudit-db
+# Date created: 12 Jun 2004
+# Whom: Oliver Eikemeier
+#
+# $FreeBSD$
+#
+
+PORTNAME= portaudit-db
+PORTVERSION= 0.1
+CATEGORIES= security
+DISTFILES=
+
+MAINTAINER= eik@FreeBSD.org
+COMMENT= Creates a portaudit database from a current ports tree
+
+RUN_DEPENDS= xsltproc:${PORTSDIR}/textproc/libxslt
+
+DATABASEDIR?= ${AUDITFILE:H}
+
+PLIST_SUB+= DATABASEDIR="${DATABASEDIR}"
+
+SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
+ -e "s|%%DATADIR%%|${DATADIR}|g" \
+ -e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
+ -e "s|%%PORTSDIR%%|${PORTSDIR}|g" \
+ -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
+ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g"
+
+do-build:
+ @for f in packaudit.sh packaudit.conf; do \
+ ${SED} ${SED_SCRIPT} "${FILESDIR}/$$f" > "${WRKDIR}/$$f"; \
+ done
+
+do-install:
+ @${INSTALL_SCRIPT} ${WRKDIR}/packaudit.sh ${PREFIX}/bin/packaudit
+ @${INSTALL_DATA} ${WRKDIR}/packaudit.conf ${PREFIX}/etc/packaudit.conf.sample
+ @${MKDIR} ${DATADIR}
+ @${INSTALL_DATA} ${FILESDIR}/vuxml2html.xslt ${FILESDIR}/vuxml2portaudit.xslt ${DATADIR}
+ @${MKDIR} ${DATABASEDIR}
+
+.include <bsd.port.mk>
diff --git a/ports-mgmt/portaudit-db/database/portaudit.txt b/ports-mgmt/portaudit-db/database/portaudit.txt
new file mode 100644
index 000000000000..7d3a72b5aff2
--- /dev/null
+++ b/ports-mgmt/portaudit-db/database/portaudit.txt
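Review bot: `DATABASEDIR?= ${AUDITFILE:H}` depends on a variable this Makefile never sets, so a reader cannot tell where the generated database is written or what happens when `AUDITFILE` is empty. The value is presumably supplied by bsd.port.mk after the `.include`; a comment above the assignment such as `# AUDITFILE is expected from bsd.port.mk; packaudit writes auditfile.tbz into its directory` would document that. The directory is also baked into packaudit.sh through `SED_SCRIPT` and into pkg-plist through `PLIST_SUB`, so the comment should add that it must be writable only by the account that runs packaudit, since consumers of auditfile.tbz presumably trust what they find there. The identical Makefile under security/portaudit-db/ needs the same comment.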
@@ -0,0 +1,7 @@
+# portaudit text based database
+# $FreeBSD$
+smtpproxy<=1.1.3|http://0xbadc0ded.org/advisories/0402.txt|remotely exploitable format string vulnerability|1abf65f9-bc9d-11d8-916c-000347dd607f
+apache<1.3.31_1|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl<1.3.31+2.8.18_3|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache<2.0.49_1|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl*<1.3.31+2.8.18_4|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
diff --git a/ports-mgmt/portaudit-db/database/portaudit.xlist b/ports-mgmt/portaudit-db/database/portaudit.xlist
new file mode 100644
index 000000000000..48700b58868a
--- /dev/null
+++ b/ports-mgmt/portaudit-db/database/portaudit.xlist
@@ -0,0 +1,4 @@
+# portaudit exclude list
+# $FreeBSD$
+3362f2c1-8344-11d8-a41f-0020ed76ef5a
+5e7f58c3-b3f8-4258-aeb8-795e5e940ff8
diff --git a/ports-mgmt/portaudit-db/database/portaudit.xml b/ports-mgmt/portaudit-db/database/portaudit.xml
new file mode 100644
index 000000000000..ae616f4cbf7e
--- /dev/null
+++ b/ports-mgmt/portaudit-db/database/portaudit.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+This file is in the public domain.
+ $FreeBSD$
+-->
+<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
+<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+
+ <vuln vid="42e330ab-82a4-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the ASX parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful ASX header,
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/339330</url>
+ <url>http://www.securityfocus.com/archive/1/339193</url>
+ <cvename>CAN-2003-0835</cvename>
+ <bid>8702</bid>
+ </references>
+ <dates>
+ <discovery>2003-09-24</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d8c46d74-8288-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the HTTP parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful HTTP header ("Location:"),
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/359029</url>
+ <url>http://www.securityfocus.com/archive/1/359025</url>
+ </references>
+ <dates>
+ <discovery>2004-03-29</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+</vuxml>
diff --git a/ports-mgmt/portaudit-db/files/packaudit.conf b/ports-mgmt/portaudit-db/files/packaudit.conf
new file mode 100644
index 000000000000..6b952effc14f
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/packaudit.conf
@@ -0,0 +1,9 @@
+#
+# $FreeBSD$
+#
+# packaudit.conf sample file
+#
+
+# avoid network access
+export SGML_CATALOG_FILES="%%LOCALBASE%%/share/xml/catalog"
+XSLTPROC_EXTRA_ARGS="--catalogs --nonet"
diff --git a/ports-mgmt/portaudit-db/files/packaudit.sh b/ports-mgmt/portaudit-db/files/packaudit.sh
new file mode 100644
index 000000000000..ff8ebd767625
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/packaudit.sh
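Review bot: The `--catalogs --nonet` setting exists only in this sample: the port Makefile installs the file as `packaudit.conf.sample`, while packaudit.sh sources `%%PREFIX%%/etc/packaudit.conf` and never assigns `XSLTPROC_EXTRA_ARGS` itself. On a fresh install xsltproc therefore runs without `--nonet`, and the DOCTYPE in portaudit.xml names an `http://` system identifier, so DTD resolution may go out over the network unless a local catalog already covers it. Because the tool builds a vulnerability database, the restrictive setting is better as the built-in default, for example `: "${XSLTPROC_EXTRA_ARGS=--nonet}"` in packaudit.sh before the config file is sourced, leaving the config file to add catalogs or relax it. The same applies to the copy under security/portaudit-db/files/.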
@@ -0,0 +1,112 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+AWK=/usr/bin/awk
+BASENAME=/usr/bin/basename
+CAT=/bin/cat
+DATE=/bin/date
+ENV=/usr/bin/env
+MD5=/sbin/md5
+MKTEMP=/usr/bin/mktemp
+RM=/bin/rm
+SED=/usr/bin/sed
+TAR=/usr/bin/tar
+XSLTPROC=%%LOCALBASE%%/bin/xsltproc
+
+PORTSDIR="${PORTSDIR:-%%PORTSDIR%%}"
+VUXMLDIR="${VUXMLDIR:-$PORTSDIR/security/vuxml}"
+PORTAUDITDBDIR="${PORTAUDITDBDIR:-$PORTSDIR/security/portaudit-db}"
+
+DATABASEDIR="${DATABASEDIR:-%%DATABASEDIR%%}"
+
+STYLESHEET="%%DATADIR%%/vuxml2portaudit.xslt"
+
+PUBLIC_HTML="${PUBLIC_HTML:-$HOME/public_html/portaudit}"
+HTMLSHEET="%%DATADIR%%/vuxml2html.xslt"
+BASEURL="http://people.freebsd.org/~eik/portaudit/"
+
+[ -r "%%PREFIX%%/etc/packaudit.conf" ] && . "%%PREFIX%%/etc/packaudit.conf"
+
+VULVER=`$SED -En -e '/^.*\\$FreeBSD\: [^$ ]+,v ([0-9]+(\.[0-9]+)+) [^$]+\\$.*$/{s//\1/p;q;}' "$VUXMLDIR/vuln.xml"`
+VULURL="http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=$VULVER"
+
+if [ -d "$PUBLIC_HTML" ]; then
+ VULNMD5=`$CAT "$VUXMLDIR/vuln.xml" "$PORTAUDITDBDIR/database/portaudit.xml" | $MD5`
+ if [ -f "$PUBLIC_HTML/portaudit.md5" ]; then
+ VULNMD5_OLD=`$CAT "$PUBLIC_HTML/portaudit.md5"`
+ fi
+ if [ "$VULNMD5" != "$VULNMD5_OLD" ]; then
+ echo -n "$VULNMD5" > "$PUBLIC_HTML/portaudit.md5"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam vulurl "$VULURL" --stringparam extradoc "$PORTAUDITDBDIR/database/portaudit.xml" \
+ -o "$PUBLIC_HTML/" "$HTMLSHEET" "$VUXMLDIR/vuln.xml"
+ fi
+fi
+
+TMPNAME=`$BASENAME "$0"`
+TMPDIR=`$MKTEMP -d -t "$TMPNAME.$$"` || exit 1
+
+TESTPORT="vulnerability-test-port>=2000<`$DATE -u +%Y.%m.%d`"
+TESTURL="http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/"
+TESTREASON="Not vulnerable, just a test port (database: `$DATE -u +%Y-%m-%d`)"
+
+XLIST_FILE="$PORTAUDITDBDIR/database/portaudit.xlist"
+
+cd "$TMPDIR" || exit 1
+{
+ $DATE -u "+#CREATED: %Y-%m-%d %H:%M:%S"
+ echo "# Created by packaudit %%PORTVERSION%%"
+ echo "$TESTPORT|$TESTURL|$TESTREASON"
+ echo "# Please refer to the original document for copyright information:"
+ echo "# $VULURL"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$VUXMLDIR/vuln.xml"
+ echo "# This part is in the public domain"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$PORTAUDITDBDIR/database/portaudit.xml"
+ $CAT "$PORTAUDITDBDIR/database/portaudit.txt"
+} | $AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
+ BEGIN {
+ while((getline < XLIST_FILE) > 0)
+ if(!/^(#|$)/)
+ ignore[$1]=1
+ }
+ /^(#|$)/ {
+ print
+ next
+ }
+ {
+ if (!ignore[$4])
+ print $1 "|" $2 "|" $3
+ }' > auditfile
+echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
+$TAR -jcf "$DATABASEDIR/auditfile.tbz" auditfile
+cd
+$RM -Rf "$TMPDIR"
diff --git a/ports-mgmt/portaudit-db/files/vuxml2html.xslt b/ports-mgmt/portaudit-db/files/vuxml2html.xslt
new file mode 100644
index 000000000000..75a5e4cfc48b
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/vuxml2html.xslt
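Review bot: A failed xsltproc run inside the `{ … } | $AWK` pipeline does not stop the script: the pipeline's status is awk's, so `-e` never sees the failure, and a truncated `auditfile` still gets a valid `#CHECKSUM` line and is packed into `$DATABASEDIR/auditfile.tbz`. For a vulnerability database that means entries can go missing without any error. Collect the unfiltered output in a file first so every command is checked, then filter it, and write the archive under a temporary name before renaming it so a reader never sees a partial file. The HTML branch has a related ordering problem, since `portaudit.md5` is written before xsltproc runs and a failed run is therefore not retried; the copy under security/portaudit-db/files/ needs the same changes.

```shell
cd "$TMPDIR" || exit 1
{
  # … unchanged: header echo lines, both xsltproc calls, cat of portaudit.txt …
} > auditfile.raw
$AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
  # … unchanged: exclude-list filter …
  ' auditfile.raw > auditfile
echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
$TAR -jcf "$DATABASEDIR/auditfile.tbz.new" auditfile
/bin/mv -f "$DATABASEDIR/auditfile.tbz.new" "$DATABASEDIR/auditfile.tbz"
```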
@@ -0,0 +1,287 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ $FreeBSD$
+
+Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+3. Neither the name of the author nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VuXML to HTML converter.
+
+Usage:
+ xsltproc -o html/ vuxml2html.xslt vuxml.xml
+
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xhtml vuxml" version="1.0">
+ <xsl:output method="xml"/>
+ <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range" />
+<!-- whole vuxml file -->
+ <xsl:template match="vuxml:vuxml">
+<!-- index page, xhtml strict -->
+ <xsl:document href="index.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:sort select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]"/>
+ </td>
+ <td>
+ <a href="{translate(@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index-pkg.html">[Sorted by package name]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- index page by packages, xhtml strict -->
+ <xsl:document href="index-pkg.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list by packages</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="//vuxml:affects/vuxml:package/vuxml:name | document($extradoc)//vuxml:affects/vuxml:package/vuxml:name">
+ <xsl:sort select="translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
+ <xsl:sort select="(ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:modified | ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="."/>
+ </td>
+ <td>
+ <a href="{translate(ancestor-or-self::vuxml:vuln/@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="ancestor-or-self::vuxml:vuln/vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index.html">[Sorted by last modification]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- individual pages, xhtml strict -->
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:document href="{translate(@vid, 'ABCDEF', 'abcdef')}.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: <xsl:value-of select="vuxml:topic"/></title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>
+ <xsl:value-of select="vuxml:topic"/>
+ </h1>
+ <h2>Description:</h2>
+ <xsl:copy-of select="vuxml:description/xhtml:body/*"/>
+ <h2>References:</h2>
+ <ul>
+ <xsl:apply-templates select="vuxml:references"/>
+ </ul>
+ <h2>Affects:</h2>
+ <ul>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ <xsl:for-each select="vuxml:affects/vuxml:system">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </ul>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+ </xsl:for-each>
+<!-- end of vuxml file processing -->
+ </xsl:template>
+<!-- vulnerability references -->
+ <xsl:template match="vuxml:url">
+ <li>
+ <a href="{.}">
+ <xsl:value-of select="."/>
+ </a>
+ </li>
+ </xsl:template>
+ <xsl:template match="vuxml:cvename">
+ <li>CVE name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name={text()}"><xsl:value-of select="text()"/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:bid">
+ <li>BugTraq ID <a href="http://www.securityfocus.com/bid/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certsa">
+ <li>CERT security advisory <a href="http://www.cert.org/advisories/{.}.html"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certvu">
+ <li>CERT vulnerability note <a href="http://www.kb.cert.org/vuls/id/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:freebsdsa">
+ <li>FreeBSD security advisory <a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-{.}.asc">FreeBSD-<xsl:value-of select="."/></a></li>
+ </xsl:template>
+<!-- comparison operators -->
+ <xsl:template match="vuxml:lt">
+ <xsl:text> <</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:le">
+ <xsl:text> <=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:gt">
+ <xsl:text> ></xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:ge">
+ <xsl:text> >=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:eq">
+ <xsl:text> =</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+<!-- style sheet -->
+ <xsl:template name="css">
+ <link rel="shortcut icon" href="http://www.freebsd.org/favicon.ico" type="image/x-icon"/>
+ <style type="text/css">
+ <xsl:comment>
+ <xsl:text>
+ body {
+ background-color : #ffffff;
+ color : #000000;
+ }
+
+ a:link { color: #0000ff }
+ a:visited { color: #840084 }
+ a:active { color: #0000ff }
+
+ h1 { color: #990000 }
+
+ img { color: white; border:none }
+
+ table {
+ border: none;
+ margin-top: 10px;
+ margin-bottom: 10px;
+ }
+
+ th {
+ text-align: left;
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ td {
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ tr.odd {
+ background: #eeeeee;
+ color: inherit;
+ }
+ </xsl:text>
+ </xsl:comment>
+ </style>
+ </xsl:template>
+<!-- xhtml elements -->
+ <xsl:template name="bar">
+ <img src="http://www.freebsd.org/gifs/bar.gif" alt="Navigation Bar" height="33" width="565" usemap="#bar"/>
+ <map id="bar" name="bar">
+ <area shape="rect" coords="1,1,111,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="112,16,196,33" href="http://www.freebsd.org/ports/index.html" alt="Applications"/>
+ <area shape="rect" coords="197,16,256,33" href="http://www.freebsd.org/support.html" alt="Support"/>
+ <area shape="rect" coords="257,16,365,33" href="http://www.freebsd.org/docs.html" alt="Documentation"/>
+ <area shape="rect" coords="366,16,424,33" href="http://www.freebsd.org/commercial/commercial.html" alt="Vendors"/>
+ <area shape="rect" coords="425,16,475,33" href="http://www.freebsd.org/search/search.html" alt="Search"/>
+ <area shape="rect" coords="476,16,516,33" href="http://www.freebsd.org/search/index-site.html" alt="Index"/>
+ <area shape="rect" coords="517,16,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="0,0,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ </map>
+ </xsl:template>
+ <xsl:template name="foo">
+ <hr/>
+ <p><strong>Disclaimer:</strong> The data contained on this page is derived for the VuXML document,
+ please refer to the <a href="{$vulurl}">the original document</a> for copyright information. The author of
+ portaudit makes no claim of authorship or ownership of any of the information contained herein.</p>
+ <p>
+ If you have found a vulnerability in a FreeBSD port not listed in the
+ database, please <a href="mailto:security-officer@FreeBSD.org">contact the
+ FreeBSD Security Officer</a>. Refer to
+ <a href="http://www.freebsd.org/security/#sec">"FreeBSD Security
+ Information"</a> for more information.
+ </p>
+ <hr/>
+ <address title="Oliver Eikemeier">
+ Oliver Eikemeier <a href="mailto:eik@FreeBSD.org?subject=portaudit"><eik@FreeBSD.org></a>
+ </address>
+ </xsl:template>
+</xsl:stylesheet>
diff --git a/ports-mgmt/portaudit-db/files/vuxml2portaudit.xslt b/ports-mgmt/portaudit-db/files/vuxml2portaudit.xslt
new file mode 100644
index 000000000000..60beed5ec52e
--- /dev/null
+++ b/ports-mgmt/portaudit-db/files/vuxml2portaudit.xslt
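Review bot: The `vuxml:url` template copies the element text straight into `<a href="{.}">`, and `<xsl:copy-of select="vuxml:description/xhtml:body/*"/>` copies the description markup as it stands, so the published pages carry whatever link schemes and elements the source documents contain. That is acceptable only while vuln.xml and the `extradoc` file are as trusted as the site that serves the output. To make the stylesheet safe on its own, narrow the template to `match="vuxml:url[starts-with(., 'http://') or starts-with(., 'https://') or starts-with(., 'ftp://')]"` and add a fallback `vuxml:url` template that prints the text without a link. The description is best validated against the VuXML DTD before it is transformed, which the stylesheet itself cannot enforce.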
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ $FreeBSD$
+
+Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+3. Neither the name of the author nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VuXML to portaudit database converter.
+
+Usage:
+ xsltproc -o auditfile vuxml2portaudit.xslt vuxml.xml
+
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" version="1.0">
+ <xsl:output method="text"/>
+ <xsl:variable name="newline">
+ <xsl:text>
</xsl:text>
+ </xsl:variable>
+<!-- xxx -->
+ <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range"/>
+ <xsl:template match="/">
+ <xsl:text># Converted by vuxml2portaudit
+</xsl:text>
+ <xsl:for-each select="vuxml:vuxml/vuxml:vuln">
+ <xsl:variable name="topic" select="normalize-space(vuxml:topic)"/>
+ <xsl:variable name="vid" select="translate(@vid, 'ABCDEF', 'abcdef')"/>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$baseurl"/>
+ <xsl:value-of select="$vid"/>
+ <xsl:text>.html</xsl:text>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$topic"/>
+ <xsl:text>|</xsl:text>
+ <xsl:value-of select="$vid"/>
+ <xsl:value-of select="$newline"/>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:template>
+<!-- xxx -->
+ <xsl:template match="vuxml:lt">
+ <xsl:text><</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:le">
+ <xsl:text><=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:gt">
+ <xsl:text>></xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:ge">
+ <xsl:text>>=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:eq">
+ <xsl:text>=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+</xsl:stylesheet>
diff --git a/ports-mgmt/portaudit-db/pkg-descr b/ports-mgmt/portaudit-db/pkg-descr
new file mode 100644
index 000000000000..85b315a9d87b
--- /dev/null
+++ b/ports-mgmt/portaudit-db/pkg-descr
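Review bot: `$topic` and `$name` are written between `|` separators without any check, but packaudit.sh splits these records with `$AWK -F\|` and takes the fourth field as the vulnerability id when it applies the exclude list. A topic or package name that contains `|` would shift the fields, so an excluded id would no longer match and the reason text would be cut short in the published database. Replacing the character on output, for example `<xsl:variable name="topic" select="translate(normalize-space(vuxml:topic), '|', '/')"/>` and the same `translate` on `$name`, keeps every record at four fields.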
@@ -0,0 +1,16 @@
+In contrast to security/portaudit, which is designed to be an
+install-and-forget solution, portaudit-db requires a current
+ports tree and generates a database that can be used locally
+or distributed over a network.
+
+Furthermore committers that want to add entries to the VuXML
+database may use this port to check their changes locally.
+It also features a file `database/portaudit.txt' where UUIDs
+for vulnerabilities can be allocated before they have been
+investigated thoroughly and moved to the VuXML database by
+the security officer team.
+
+Call `packaudit' after upgrading your ports tree.
+
+WWW: http://people.freebsd.org/~eik/portaudit/
+Oliver Eikemeier <eik@FreeBSD.org>
diff --git a/ports-mgmt/portaudit-db/pkg-plist b/ports-mgmt/portaudit-db/pkg-plist
new file mode 100644
index 000000000000..a5c18909f2d6
--- /dev/null
+++ b/ports-mgmt/portaudit-db/pkg-plist
@@ -0,0 +1,7 @@
+bin/packaudit
+etc/packaudit.conf.sample
+%%DATADIR%%/vuxml2html.xslt
+%%DATADIR%%/vuxml2portaudit.xslt
+@dirrm %%DATADIR%%
+@exec mkdir -p %%DATABASEDIR%%
+@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true
diff --git a/security/Makefile b/security/Makefile
index 2a6f4ee92bc7..cd544830e813 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -320,6 +320,7 @@
 SUBDIR += pktsuckers
 SUBDIR += poc
 SUBDIR += portaudit
+ SUBDIR += portaudit-db
 SUBDIR += portscanner
 SUBDIR += portsentry
 SUBDIR += ppgen
diff --git a/security/portaudit-db/Makefile b/security/portaudit-db/Makefile
new file mode 100644
index 000000000000..2a48688047d5
--- /dev/null
+++ b/security/portaudit-db/Makefile
@@ -0,0 +1,41 @@
+# New ports collection makefile for: portaudit-db
+# Date created: 12 Jun 2004
+# Whom: Oliver Eikemeier
+#
+# $FreeBSD$
+#
+
+PORTNAME= portaudit-db
+PORTVERSION= 0.1
+CATEGORIES= security
+DISTFILES=
+
+MAINTAINER= eik@FreeBSD.org
+COMMENT= Creates a portaudit database from a current ports tree
+
+RUN_DEPENDS= xsltproc:${PORTSDIR}/textproc/libxslt
+
+DATABASEDIR?= ${AUDITFILE:H}
+
+PLIST_SUB+= DATABASEDIR="${DATABASEDIR}"
+
+SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \
+ -e "s|%%DATADIR%%|${DATADIR}|g" \
+ -e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
+ -e "s|%%PORTSDIR%%|${PORTSDIR}|g" \
+ -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
+ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g"
+
+do-build:
+ @for f in packaudit.sh packaudit.conf; do \
+ ${SED} ${SED_SCRIPT} "${FILESDIR}/$$f" > "${WRKDIR}/$$f"; \
+ done
+
+do-install:
+ @${INSTALL_SCRIPT} ${WRKDIR}/packaudit.sh ${PREFIX}/bin/packaudit
+ @${INSTALL_DATA} ${WRKDIR}/packaudit.conf ${PREFIX}/etc/packaudit.conf.sample
+ @${MKDIR} ${DATADIR}
+ @${INSTALL_DATA} ${FILESDIR}/vuxml2html.xslt ${FILESDIR}/vuxml2portaudit.xslt ${DATADIR}
+ @${MKDIR} ${DATABASEDIR}
+
+.include <bsd.port.mk>
diff --git a/security/portaudit-db/database/portaudit.txt b/security/portaudit-db/database/portaudit.txt
new file mode 100644
index 000000000000..7d3a72b5aff2
--- /dev/null
+++ b/security/portaudit-db/database/portaudit.txt
@@ -0,0 +1,7 @@
+# portaudit text based database
+# $FreeBSD$
+smtpproxy<=1.1.3|http://0xbadc0ded.org/advisories/0402.txt|remotely exploitable format string vulnerability|1abf65f9-bc9d-11d8-916c-000347dd607f
+apache<1.3.31_1|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl<1.3.31+2.8.18_3|http://www.apacheweek.com/features/security-13|mod_proxy buffer overflow (CAN-2004-0492)|5bcd500c-bc9d-11d8-916c-000347dd607f
+apache<2.0.49_1|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
+apache+mod_ssl*<1.3.31+2.8.18_4|http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0488|mod_ssl stack-based buffer overflow|662cd99e-bc9d-11d8-916c-000347dd607f
diff --git a/security/portaudit-db/database/portaudit.xlist b/security/portaudit-db/database/portaudit.xlist
new file mode 100644
index 000000000000..48700b58868a
--- /dev/null
+++ b/security/portaudit-db/database/portaudit.xlist
@@ -0,0 +1,4 @@
+# portaudit exclude list
+# $FreeBSD$
+3362f2c1-8344-11d8-a41f-0020ed76ef5a
+5e7f58c3-b3f8-4258-aeb8-795e5e940ff8
diff --git a/security/portaudit-db/database/portaudit.xml b/security/portaudit-db/database/portaudit.xml
new file mode 100644
index 000000000000..ae616f4cbf7e
--- /dev/null
+++ b/security/portaudit-db/database/portaudit.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+This file is in the public domain.
+ $FreeBSD$
+-->
+<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
+<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+
+ <vuln vid="42e330ab-82a4-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the ASX parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful ASX header,
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/339330</url>
+ <url>http://www.securityfocus.com/archive/1/339193</url>
+ <cvename>CAN-2003-0835</cvename>
+ <bid>8702</bid>
+ </references>
+ <dates>
+ <discovery>2003-09-24</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d8c46d74-8288-11d8-868e-000347dd607f">
+ <topic>MPlayer remotely exploitable buffer overflow in the HTTP parser</topic>
+ <affects>
+ <package>
+ <name>mplayer</name>
+ <name>mplayer-esound</name>
+ <name>mplayer-gtk</name>
+ <name>mplayer-gtk-esound</name>
+ <range><lt>0.92.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A remotely exploitable buffer overflow vulnerability was found in
+ MPlayer. A malicious host can craft a harmful HTTP header ("Location:"),
+ and trick MPlayer into executing arbitrary code upon parsing that header.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://www.mplayerhq.hu/</url>
+ <url>http://www.securityfocus.com/archive/1/359029</url>
+ <url>http://www.securityfocus.com/archive/1/359025</url>
+ </references>
+ <dates>
+ <discovery>2004-03-29</discovery>
+ <entry>2004-03-30</entry>
+ </dates>
+ </vuln>
+
+</vuxml>
diff --git a/security/portaudit-db/files/packaudit.conf b/security/portaudit-db/files/packaudit.conf
new file mode 100644
index 000000000000..6b952effc14f
--- /dev/null
+++ b/security/portaudit-db/files/packaudit.conf
@@ -0,0 +1,9 @@
+#
+# $FreeBSD$
+#
+# packaudit.conf sample file
+#
+
+# avoid network access
+export SGML_CATALOG_FILES="%%LOCALBASE%%/share/xml/catalog"
+XSLTPROC_EXTRA_ARGS="--catalogs --nonet"
diff --git a/security/portaudit-db/files/packaudit.sh b/security/portaudit-db/files/packaudit.sh
new file mode 100644
index 000000000000..ff8ebd767625
--- /dev/null
+++ b/security/portaudit-db/files/packaudit.sh
@@ -0,0 +1,112 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+AWK=/usr/bin/awk
+BASENAME=/usr/bin/basename
+CAT=/bin/cat
+DATE=/bin/date
+ENV=/usr/bin/env
+MD5=/sbin/md5
+MKTEMP=/usr/bin/mktemp
+RM=/bin/rm
+SED=/usr/bin/sed
+TAR=/usr/bin/tar
+XSLTPROC=%%LOCALBASE%%/bin/xsltproc
+
+PORTSDIR="${PORTSDIR:-%%PORTSDIR%%}"
+VUXMLDIR="${VUXMLDIR:-$PORTSDIR/security/vuxml}"
+PORTAUDITDBDIR="${PORTAUDITDBDIR:-$PORTSDIR/security/portaudit-db}"
+
+DATABASEDIR="${DATABASEDIR:-%%DATABASEDIR%%}"
+
+STYLESHEET="%%DATADIR%%/vuxml2portaudit.xslt"
+
+PUBLIC_HTML="${PUBLIC_HTML:-$HOME/public_html/portaudit}"
+HTMLSHEET="%%DATADIR%%/vuxml2html.xslt"
+BASEURL="http://people.freebsd.org/~eik/portaudit/"
+
+[ -r "%%PREFIX%%/etc/packaudit.conf" ] && . "%%PREFIX%%/etc/packaudit.conf"
+
+VULVER=`$SED -En -e '/^.*\\$FreeBSD\: [^$ ]+,v ([0-9]+(\.[0-9]+)+) [^$]+\\$.*$/{s//\1/p;q;}' "$VUXMLDIR/vuln.xml"`
+VULURL="http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml?rev=$VULVER"
+
+if [ -d "$PUBLIC_HTML" ]; then
+ VULNMD5=`$CAT "$VUXMLDIR/vuln.xml" "$PORTAUDITDBDIR/database/portaudit.xml" | $MD5`
+ if [ -f "$PUBLIC_HTML/portaudit.md5" ]; then
+ VULNMD5_OLD=`$CAT "$PUBLIC_HTML/portaudit.md5"`
+ fi
+ if [ "$VULNMD5" != "$VULNMD5_OLD" ]; then
+ echo -n "$VULNMD5" > "$PUBLIC_HTML/portaudit.md5"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam vulurl "$VULURL" --stringparam extradoc "$PORTAUDITDBDIR/database/portaudit.xml" \
+ -o "$PUBLIC_HTML/" "$HTMLSHEET" "$VUXMLDIR/vuln.xml"
+ fi
+fi
+
+TMPNAME=`$BASENAME "$0"`
+TMPDIR=`$MKTEMP -d -t "$TMPNAME.$$"` || exit 1
+
+TESTPORT="vulnerability-test-port>=2000<`$DATE -u +%Y.%m.%d`"
+TESTURL="http://cvsweb.freebsd.org/ports/security/vulnerability-test-port/"
+TESTREASON="Not vulnerable, just a test port (database: `$DATE -u +%Y-%m-%d`)"
+
+XLIST_FILE="$PORTAUDITDBDIR/database/portaudit.xlist"
+
+cd "$TMPDIR" || exit 1
+{
+ $DATE -u "+#CREATED: %Y-%m-%d %H:%M:%S"
+ echo "# Created by packaudit %%PORTVERSION%%"
+ echo "$TESTPORT|$TESTURL|$TESTREASON"
+ echo "# Please refer to the original document for copyright information:"
+ echo "# $VULURL"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$VUXMLDIR/vuln.xml"
+ echo "# This part is in the public domain"
+ $XSLTPROC $XSLTPROC_EXTRA_ARGS --stringparam baseurl "$BASEURL" "$STYLESHEET" "$PORTAUDITDBDIR/database/portaudit.xml"
+ $CAT "$PORTAUDITDBDIR/database/portaudit.txt"
+} | $AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
+ BEGIN {
+ while((getline < XLIST_FILE) > 0)
+ if(!/^(#|$)/)
+ ignore[$1]=1
+ }
+ /^(#|$)/ {
+ print
+ next
+ }
+ {
+ if (!ignore[$4])
+ print $1 "|" $2 "|" $3
+ }' > auditfile
+echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
+$TAR -jcf "$DATABASEDIR/auditfile.tbz" auditfile
+cd
+$RM -Rf "$TMPDIR"
diff --git a/security/portaudit-db/files/vuxml2html.xslt b/security/portaudit-db/files/vuxml2html.xslt
new file mode 100644
index 000000000000..75a5e4cfc48b
--- /dev/null
+++ b/security/portaudit-db/files/vuxml2html.xslt
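Review bot: A failure of either `$XSLTPROC` run inside the `{ … } | $AWK` group does not stop the script, because `-e` only acts on the exit status of the last command in a pipeline; the script then appends a `#CHECKSUM` line to a truncated `auditfile` and overwrites `$DATABASEDIR/auditfile.tbz` with it. For a vulnerability database that fails open: consumers receive a well-formed, checksummed file that silently lacks entries. Writing the group's output to a file first lets `-e` catch the failure, building the archive under a temporary name and renaming it keeps the previous database in place until the new one is complete, and a `trap` removes `$TMPDIR` on the early exit. The same ordering problem exists in the `$PUBLIC_HTML` branch, where `portaudit.md5` is written before `$XSLTPROC` has succeeded, so a failed HTML run is not retried on the next invocation.

```shell
# … unchanged: TMPNAME/TMPDIR creation, TESTPORT, TESTURL, TESTREASON, XLIST_FILE …
trap 'cd /; $RM -Rf "$TMPDIR"' EXIT

cd "$TMPDIR" || exit 1
{
	# … unchanged: header lines, both $XSLTPROC runs, $CAT of portaudit.txt …
} > auditfile.raw
$AWK -F\| -v XLIST_FILE="$XLIST_FILE" '
	# … unchanged: awk program …
	' auditfile.raw > auditfile
echo "#CHECKSUM: MD5 `$MD5 < auditfile`" >> auditfile
$TAR -jcf "$DATABASEDIR/auditfile.tbz.new" auditfile
/bin/mv -f "$DATABASEDIR/auditfile.tbz.new" "$DATABASEDIR/auditfile.tbz"
```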
@@ -0,0 +1,287 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ $FreeBSD$
+
+Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+3. Neither the name of the author nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VuXML to HTML converter.
+
+Usage:
+ xsltproc -o html/ vuxml2html.xslt vuxml.xml
+
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xhtml vuxml" version="1.0">
+ <xsl:output method="xml"/>
+ <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range" />
+<!-- whole vuxml file -->
+ <xsl:template match="vuxml:vuxml">
+<!-- index page, xhtml strict -->
+ <xsl:document href="index.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:sort select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="(vuxml:dates/vuxml:modified | vuxml:dates/vuxml:entry)[1]"/>
+ </td>
+ <td>
+ <a href="{translate(@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index-pkg.html">[Sorted by package name]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- index page by packages, xhtml strict -->
+ <xsl:document href="index-pkg.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: Vulnerability list by packages</title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>Vulnerabilities</h1>
+ <table>
+ <xsl:for-each select="//vuxml:affects/vuxml:package/vuxml:name | document($extradoc)//vuxml:affects/vuxml:package/vuxml:name">
+ <xsl:sort select="translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
+ <xsl:sort select="(ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:modified | ancestor-or-self::vuxml:vuln/vuxml:dates/vuxml:entry)[1]" order="descending"/>
+ <tr>
+ <td>
+ <xsl:value-of select="."/>
+ </td>
+ <td>
+ <a href="{translate(ancestor-or-self::vuxml:vuln/@vid, 'ABCDEF', 'abcdef')}.html">
+ <xsl:value-of select="ancestor-or-self::vuxml:vuln/vuxml:topic"/>
+ </a>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <p>
+ <a href="index.html">[Sorted by last modification]</a>
+ </p>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+<!-- individual pages, xhtml strict -->
+ <xsl:for-each select="vuxml:vuln | document($extradoc)/vuxml:vuxml/vuxml:vuln">
+ <xsl:document href="{translate(@vid, 'ABCDEF', 'abcdef')}.html" method="xml" indent="yes" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>portaudit: <xsl:value-of select="vuxml:topic"/></title>
+ <xsl:call-template name="css"/>
+ </head>
+ <body>
+ <div>
+ <xsl:call-template name="bar"/>
+ </div>
+ <h1>
+ <xsl:value-of select="vuxml:topic"/>
+ </h1>
+ <h2>Description:</h2>
+ <xsl:copy-of select="vuxml:description/xhtml:body/*"/>
+ <h2>References:</h2>
+ <ul>
+ <xsl:apply-templates select="vuxml:references"/>
+ </ul>
+ <h2>Affects:</h2>
+ <ul>
+ <xsl:for-each select="vuxml:affects/vuxml:package">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ <xsl:for-each select="vuxml:affects/vuxml:system">
+ <xsl:for-each select="vuxml:name">
+ <xsl:variable name="name" select="."/>
+ <xsl:for-each select="../vuxml:range">
+ <li>
+ <xsl:value-of select="$name"/>
+ <xsl:apply-templates/>
+ </li>
+ </xsl:for-each>
+ </xsl:for-each>
+ </xsl:for-each>
+ </ul>
+ <xsl:call-template name="foo"/>
+ </body>
+ </html>
+ </xsl:document>
+ </xsl:for-each>
+<!-- end of vuxml file processing -->
+ </xsl:template>
+<!-- vulnerability references -->
+ <xsl:template match="vuxml:url">
+ <li>
+ <a href="{.}">
+ <xsl:value-of select="."/>
+ </a>
+ </li>
+ </xsl:template>
+ <xsl:template match="vuxml:cvename">
+ <li>CVE name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name={text()}"><xsl:value-of select="text()"/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:bid">
+ <li>BugTraq ID <a href="http://www.securityfocus.com/bid/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certsa">
+ <li>CERT security advisory <a href="http://www.cert.org/advisories/{.}.html"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:certvu">
+ <li>CERT vulnerability note <a href="http://www.kb.cert.org/vuls/id/{.}"><xsl:value-of select="."/></a></li>
+ </xsl:template>
+ <xsl:template match="vuxml:freebsdsa">
+ <li>FreeBSD security advisory <a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-{.}.asc">FreeBSD-<xsl:value-of select="."/></a></li>
+ </xsl:template>
+<!-- comparison operators -->
+ <xsl:template match="vuxml:lt">
+ <xsl:text> <</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:le">
+ <xsl:text> <=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:gt">
+ <xsl:text> ></xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:ge">
+ <xsl:text> >=</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+ <xsl:template match="vuxml:eq">
+ <xsl:text> =</xsl:text>
+ <xsl:value-of select="text()"/>
+ </xsl:template>
+<!-- style sheet -->
+ <xsl:template name="css">
+ <link rel="shortcut icon" href="http://www.freebsd.org/favicon.ico" type="image/x-icon"/>
+ <style type="text/css">
+ <xsl:comment>
+ <xsl:text>
+ body {
+ background-color : #ffffff;
+ color : #000000;
+ }
+
+ a:link { color: #0000ff }
+ a:visited { color: #840084 }
+ a:active { color: #0000ff }
+
+ h1 { color: #990000 }
+
+ img { color: white; border:none }
+
+ table {
+ border: none;
+ margin-top: 10px;
+ margin-bottom: 10px;
+ }
+
+ th {
+ text-align: left;
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ td {
+ padding: 3px;
+ border: none;
+ vertical-align: top;
+ }
+
+ tr.odd {
+ background: #eeeeee;
+ color: inherit;
+ }
+ </xsl:text>
+ </xsl:comment>
+ </style>
+ </xsl:template>
+<!-- xhtml elements -->
+ <xsl:template name="bar">
+ <img src="http://www.freebsd.org/gifs/bar.gif" alt="Navigation Bar" height="33" width="565" usemap="#bar"/>
+ <map id="bar" name="bar">
+ <area shape="rect" coords="1,1,111,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="112,16,196,33" href="http://www.freebsd.org/ports/index.html" alt="Applications"/>
+ <area shape="rect" coords="197,16,256,33" href="http://www.freebsd.org/support.html" alt="Support"/>
+ <area shape="rect" coords="257,16,365,33" href="http://www.freebsd.org/docs.html" alt="Documentation"/>
+ <area shape="rect" coords="366,16,424,33" href="http://www.freebsd.org/commercial/commercial.html" alt="Vendors"/>
+ <area shape="rect" coords="425,16,475,33" href="http://www.freebsd.org/search/search.html" alt="Search"/>
+ <area shape="rect" coords="476,16,516,33" href="http://www.freebsd.org/search/index-site.html" alt="Index"/>
+ <area shape="rect" coords="517,16,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ <area shape="rect" coords="0,0,565,33" href="http://www.freebsd.org/" alt="Top"/>
+ </map>
+ </xsl:template>
+ <xsl:template name="foo">
+ <hr/>
+ <p><strong>Disclaimer:</strong> The data contained on this page is derived for the VuXML document,
+ please refer to the <a href="{$vulurl}">the original document</a> for copyright information. The author of
+ portaudit makes no claim of authorship or ownership of any of the information contained herein.</p>
+ <p>
+ If you have found a vulnerability in a FreeBSD port not listed in the
+ database, please <a href="mailto:security-officer@FreeBSD.org">contact the
+ FreeBSD Security Officer</a>. Refer to
+ <a href="http://www.freebsd.org/security/#sec">"FreeBSD Security
+ Information"</a> for more information.
+ </p>
+ <hr/>
+ <address title="Oliver Eikemeier">
+ Oliver Eikemeier <a href="mailto:eik@FreeBSD.org?subject=portaudit"><eik@FreeBSD.org></a>
+ </address>
+ </xsl:template>
+</xsl:stylesheet>
diff --git a/security/portaudit-db/files/vuxml2portaudit.xslt b/security/portaudit-db/files/vuxml2portaudit.xslt
new file mode 100644
index 000000000000..60beed5ec52e
--- /dev/null
+++ b/security/portaudit-db/files/vuxml2portaudit.xslt
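Review bot: The `vuxml:url` template puts the element text straight into `href="{.}"`, so whatever scheme an entry carries becomes a clickable link on the published page; the other reference templates prepend a fixed `http://` or `ftp://` prefix and are not affected. The input also includes the locally maintained `$extradoc` file, and `xsl:copy-of select="vuxml:description/xhtml:body/*"` copies description markup through unchanged, so the generated site trusts every author of both files as an HTML author; that is presumably intended, but it belongs in the header comment. For the link I would emit the anchor only for `http://`, `https://` and `ftp://` values and fall back to plain text otherwise. Separately, the usage line in the header omits the `vulurl` and `extradoc` parameters that the templates reference.

```xml
<xsl:template match="vuxml:url">
  <li>
    <xsl:choose>
      <xsl:when test="starts-with(., 'http://') or starts-with(., 'https://') or starts-with(., 'ftp://')">
        <a href="{.}">
          <xsl:value-of select="."/>
        </a>
      </xsl:when>
      <xsl:otherwise>
        <xsl:value-of select="."/>
      </xsl:otherwise>
    </xsl:choose>
  </li>
</xsl:template>
```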
@@ -0,0 +1,92 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + + $FreeBSD$ + +Copyright (c) 2004 Oliver Eikemeier. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. +3. Neither the name of the author nor the names of its contributors may be + used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND +FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +VuXML to portaudit database converter. + +Usage: + xsltproc -o auditfile vuxml2portaudit.xslt vuxml.xml + +--> +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:vuxml="http://www.vuxml.org/apps/vuxml-1" version="1.0"> + <xsl:output method="text"/> + <xsl:variable name="newline"> + <xsl:text>
</xsl:text> + </xsl:variable> +<!-- xxx --> + <xsl:strip-space elements="vuxml:affects vuxml:package vuxml:name vuxml:range"/> + <xsl:template match="/"> + <xsl:text># Converted by vuxml2portaudit +</xsl:text> + <xsl:for-each select="vuxml:vuxml/vuxml:vuln"> + <xsl:variable name="topic" select="normalize-space(vuxml:topic)"/> + <xsl:variable name="vid" select="translate(@vid, 'ABCDEF', 'abcdef')"/> + <xsl:for-each select="vuxml:affects/vuxml:package"> + <xsl:for-each select="vuxml:name"> + <xsl:variable name="name" select="."/> + <xsl:for-each select="../vuxml:range"> + <xsl:value-of select="$name"/> + <xsl:apply-templates/> + <xsl:text>|</xsl:text> + <xsl:value-of select="$baseurl"/> + <xsl:value-of select="$vid"/> + <xsl:text>.html</xsl:text> + <xsl:text>|</xsl:text> + <xsl:value-of select="$topic"/> + <xsl:text>|</xsl:text> + <xsl:value-of select="$vid"/> + <xsl:value-of select="$newline"/> + </xsl:for-each> + </xsl:for-each> + </xsl:for-each> + </xsl:for-each> + </xsl:template> +<!-- xxx --> + <xsl:template match="vuxml:lt"> + <xsl:text><</xsl:text> + <xsl:value-of select="text()"/> + </xsl:template> + <xsl:template match="vuxml:le"> + <xsl:text><=</xsl:text> + <xsl:value-of select="text()"/> + </xsl:template> + <xsl:template match="vuxml:gt"> + <xsl:text>></xsl:text> + <xsl:value-of select="text()"/> + </xsl:template> + <xsl:template match="vuxml:ge"> + <xsl:text>>=</xsl:text> + <xsl:value-of select="text()"/> + </xsl:template> + <xsl:template match="vuxml:eq"> + <xsl:text>=</xsl:text> + <xsl:value-of select="text()"/> + </xsl:template> +</xsl:stylesheet> diff --git a/security/portaudit-db/pkg-descr b/security/portaudit-db/pkg-descr new file mode 100644 index 000000000000..85b315a9d87b --- /dev/null +++ b/security/portaudit-db/pkg-descr 
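Review bot: `$baseurl` is read in the innermost `xsl:for-each`, but the stylesheet declares no `xsl:param` for it and the usage line in the header (`xsltproc -o auditfile vuxml2portaudit.xslt vuxml.xml`) does not pass one, so the documented invocation depends on how the processor treats an undeclared variable. Declaring `<xsl:param name="baseurl"/>` at top level and adding `--stringparam baseurl URL` to the usage comment would make the contract explicit. The output is also `|`-delimited and packaudit.sh later filters it on field 4, so a topic containing `|` would push the vid out of that field and the exclude list would no longer match it; selecting `translate(normalize-space(vuxml:topic), '|', ' ')` for `$topic` would close that off. The two `<!-- xxx -->` comments could name what they introduce, e.g. `<!-- one output line per package name and range -->` and `<!-- comparison operators -->`.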
@@ -0,0 +1,16 @@
+In contrast to security/portaudit, which is designed to be an
+install-and-forget solution, portaudit-db requires a current
+ports tree and generates a database that can be used locally
+or distributed over a network.
+
+Furthermore committers that want to add entries to the VuXML
+database may use this port to check their changes locally.
+It also features a file `database/portaudit.txt' where UUIDs
+for vulnerabilities can be allocated before they have been
+investigated thoroughly and moved to the VuXML database by
+the security officer team.
+
+Call `packaudit' after upgrading your ports tree.
+
+WWW: http://people.freebsd.org/~eik/portaudit/
+Oliver Eikemeier <eik@FreeBSD.org>
diff --git a/security/portaudit-db/pkg-plist b/security/portaudit-db/pkg-plist
new file mode 100644
index 000000000000..a5c18909f2d6
--- /dev/null
+++ b/security/portaudit-db/pkg-plist
@@ -0,0 +1,7 @@
+bin/packaudit
+etc/packaudit.conf.sample
+%%DATADIR%%/vuxml2html.xslt
+%%DATADIR%%/vuxml2portaudit.xslt
+@dirrm %%DATADIR%%
+@exec mkdir -p %%DATABASEDIR%%
+@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true |