
FreeBSD Security Risk:
Some ports/ install binaries not locally compiled from matching sources.

Web Ref: http://www.berklix.com/ ~jhs/ src/ bsd/ fixes/ FreeBSD/ ports/ binaries.html


Intro

This page is notes from an analysis in Jan 2010. The results have been discarded, as the ports/ tree is constantly changing, & measurements should be re-run on a current tree.

Mail Threads

Log

2010 January:
Searching for FreeBSD ports that install binaries not built locally.
uname -a
FreeBSD john.js.berklix.net 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Tue Jan 5 19:21:23 CET 2010
jhs@john.js.berklix.net:/usr/src/sys/amd64/compile/JOHN64mod amd64
ls -l /host/fire/usrb/tmp/ports/.ctm_status
-rw-r--r-- 1 jhs staff 15 Jan 26 00:15 .ctm_status
cd /host/fire/usrb/search/ports
setenv PORTSDIR /host/fire/usrb/search/ports
ln -s /pub/FreeBSD/dists/current distfiles
mv /pub/FreeBSD/branches/-current/ports /pub/FreeBSD/branches/-current/portsX
(cd /pub/FreeBSD/branches/-current/portsX;tar cf - . ) | tar xf -
mv /pub/FreeBSD/branches/-current/portsX /pub/FreeBSD/branches/-current/ports
make -k extract
find .  -type f -name \.\*extract_done\* > ../done # count ports done,
# some I don't have distfiles for & some don't get built on amd64
wc -l done
find .  -type f -exec file {} \; > ../result.find # Takes a few days!
du > ../du
cd ..
nice bzip2 result.find &
sed -e s/..// < result.find | \
grep -v "ASCII C program text" | \
grep -v "ASCII C++ program text" | \
grep -v "ASCII English text" | \
grep -v "ASCII Java program text" | \
grep -v "ASCII M4 macro language pre-processor text" | \
grep -v "ASCII Pascal program text" | \
grep -v "ASCII assembler program text" | \
grep -v "ASCII mail text" | \
grep -v "ASCII make commands text" | \
grep -v "ASCII text" | \
grep -v "Bourne shell script text executable" | \
grep -v "C program text" | \
grep -v "C shell script" | \
grep -v "GIF image data" | \
grep -v "HTML document text" | \
grep -v "PNG image data" | \
grep -v "TeX DVI file" | \
grep -v "TeX document text" | \
grep -v "TeX font aliases" | \
grep -v "TeX font metric data" | \
grep -v "UTF-8 Unicode C program text" | \
grep -v "UTF-8 Unicode C++ program text" | \
grep -v "UTF-8 Unicode English text" | \
grep -v "UTF-8 Unicode Java program text" | \
grep -v "UTF-8 Unicode M4 macro language pre-processor text" | \
grep -v "UTF-8 Unicode PL/1 program text" | \
grep -v "UTF-8 Unicode Pascal program text" | \
grep -v "UTF-8 Unicode assembler program text" | \
grep -v "perl script text executable" | \
grep -v "python script text executable" | \
grep -v "ruby script text executable" | \
grep -v "script text executable for" | \
grep -v "script text executable" | \
grep -v "tcpdump capture file" | \
grep -v "text/html" | \
grep -v "text/plain" | \
grep -v "troff or preprocessor input text" | \
cat > result6
cat result6 | awk -F : '{printf "%s\n",$2}' | sort | uniq > types

-------
More work pending, to strip more innocuous types.
To consider:
- What about Linux binaries run under emulation mode?
- What about e.g. BLOBs downloaded into USB DSL modems & WLANs etc.?
  Perhaps best to mark them with different strings in BINARY += ?

Suggestion:

  • A sample syntax to add to ports/*/*/Makefile
  • Features of the += syntax:
  • The ports/Mk/*.mk should test if the var is set, not if var == "YES".
  • Using += with any string (rather than = "YES") allows multiple lines, carrying more information if the user wishes.
  • Later, the Mk/ macros could (optionally) be extended to parse a user preference list of file types to accept or reject. (So one would block "ELF 64-bit LSB" but might not necessarily block something that is just "Zip archive data".)
  • An initial set can be generated automatically with `make extract` & `find` & `file`, & optionally pruned before adding to the various ports/*/*/Makefile
  • (Possibly a ports master might, for logistics reasons, instead want to have the macros read some [new] file in ports/*/*/files/ ?)
Sample - 1 or more for ports/www/opera/Makefile:
  • BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped" # usr/ lib/ opera/ 9.63/ opera
  • BINARY += "ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), stripped" # usr/ lib/ opera/ 9.63/ missingsyms.so
  • BINARY += "Zip archive data, at least v2.0 to extract" # usr/ local/ share/ opera/ java/ opera.jar
  • Below are repeats of file types that could be omitted, or commented out with #, with path names left for info/warning.
    • # BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped" # usr/ lib/ opera/ 9.63/ operaplugincleaner
    • # BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped" # usr/ lib/ opera/ 9.63/ operapluginwrapper
    • # BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped" # usr/ lib/ opera/ 9.63/ works
    • # BINARY += "ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), stripped" # usr/ lib/ opera/ 9.63/ spellcheck.so
    • # BINARY += "Zip archive data, at least v1.0 to extract" # usr/ local/ share/ opera/ skin/ standard_skin.zip
    • # BINARY += "Zip archive data, at least v2.0 to extract" # usr/ local/ share/ opera/ skin/ windows_skin.zip
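As an added example (not the page author's code), the shell function below parses a `file` listing of the kind the page's find/file pipeline produces, drops the innocuous text and source types, and prints candidate BINARY += lines for a port Makefile, commenting out repeated types as in the opera sample above. The sample listing is constructed and assumes file(1)'s default "path: type" output format.

```shell
#!/bin/sh
# Added example, not the page's own code: convert a `file` listing into
# candidate "BINARY +=" lines for a port Makefile. Assumes file(1)'s default
# "path: type" output, one file per line, with any leading "./" already
# stripped (as the page's sed step does).

binary_lines() {
    awk '
    BEGIN {
        # Types the page filters out as innocuous (abridged from its grep -v list).
        innocuous = "program text|English text|ASCII text|script text|Bourne shell"
        innocuous = innocuous "|HTML document text|image data|TeX |troff or preprocessor"
    }
    {
        i = index($0, ": ")
        if (i == 0) next                     # not a "path: type" line; skip it
        path = substr($0, 1, i - 1)
        type = substr($0, i + 2)
        if (type ~ innocuous) next           # text/source: built locally or harmless
        line = "BINARY += \"" type "\" # " path
        if (type in seen) line = "# " line   # repeated type: path kept for info only
        seen[type] = 1
        print line
    }'
}

# Constructed sample listing, modelled on the page's opera port example.
SAMPLE='usr/lib/opera/9.63/opera: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), stripped
usr/lib/opera/9.63/operaplugincleaner: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), stripped
usr/lib/opera/9.63/spellcheck.so: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), stripped
usr/local/share/opera/java/opera.jar: Zip archive data, at least v2.0 to extract
usr/local/share/opera/skin/windows_skin.zip: Zip archive data, at least v2.0 to extract
usr/local/bin/opera: Bourne shell script text executable
usr/local/share/doc/opera/README: ASCII English text
work/opera-9.63/src/main.c: ASCII C program text'

# Run the sample through the filter; prints 3 active and 2 commented lines.
generate_sample() {
    printf '%s\n' "$SAMPLE" | binary_lines
}

generate_sample
```

On a real tree, feed it the page's result.find file instead of the sample, one port's extracted files at a time, and prune the output before pasting it into that port's Makefile.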

Number Of Ports Maintainers

There are 1720 listed maintainers of the FreeBSD ports skeleton/ templates; some of those names will be mail lists, some ports will be orphans, some other people also have CVS commit privileges, & all may respond to the public sending in fixes via send-pr, mail lists, private mail etc.
cd /pub/FreeBSD/branches/-current/ports
find . -name Makefile | xargs grep MAINTAINER > /tmp/MAINTAINER
vi /tmp/MAINTAINER
A bit of editing with e.g.
:1,$s/\t/ /g
:1,$s/  / /g
...etc
:1,$s/MAINTAINER=/MAINTAINER/
:1,$s/MAINTAINER\?=/MAINTAINER/
:1,$s/MAINTAINER//
With that many maintainers, it is best not to contact them all asking them to review their ports, but to run a script that automatically adds "BINARY +=" to the appropriate Makefiles, then later let maintainers hand-amend if appropriate.
