Re: Determining vulnerability to issues described by SAs



Dolan-Gavitt, Brendan F. wrote:
> I've been trying for the past few days to come up with a method for
> checking a FreeBSD system to see if it is vulnerable to an issue
> described by a FreeBSD security advisory in some automated way [...]

Yes, this is a problem.

> [1] Checking the patchlevel as reported by uname -r.
> [2] Checking the RCS version tags in the source files listed as
> changed by the SA
> [3] Using ident on the binaries affected to extract the RCS
> tags of the source files used to compile them.

> [1] Can fail if the user updates through binary patches of the sort
> offered by freebsd-update; as far as I can tell, these do not affect
> the output of uname unless they directly patch the kernel. Worse, the
> patchlevel reported may be up-to-date even if the userland is still
> vulnerable to an issue mentioned in an SA (e.g. if the user does a make
> buildkernel but not a make buildworld).

Yes. Also, the instructions contained in advisories usually involve
rebuilding only the affected part(s) of FreeBSD -- we've considered
having a "kernel patch number" and "userland patch number" separately,
but even this wouldn't really work.

> [2] Can fail if the user does not build from source to update the
> system.

It would also fail if people update their src tree by applying the
patches distributed on http://security.freebsd.org/, since these patches
don't modify the $FreeBSD$ CVS tags.

> [3] Should work in all cases (aside from custom modifications to the
> sources, but there's really no way to handle this case), but I don't
> know of any way to automatically determine what binary to ident based
> on the list of source files given in a security advisory.

Most binaries do not include $FreeBSD$ tags corresponding to all of the
source files used to compile them, so this approach doesn't work very
well, even if the user is updating their source tree with a method which
propagates the $FreeBSD$ tags. In addition, FreeBSD Update does not
include updated $FreeBSD$ tags, since the new values in those tags are
generated at commit time, well after the FreeBSD Update builds are run.

> I'm fairly new to FreeBSD, so I may just be missing something
> here--is there a reliable way to determine if a system is patched
> according to a particular security advisory?

In short, no. If you have any ideas, let me know. :-)

Colin Percival
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
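An added example, not code from either poster, of what approach [3] in the thread can and cannot tell you: it pulls expanded $FreeBSD$ tags out of a binary's bytes the way ident(1) does, compares each against the revision an advisory lists for that file, and reports "no-tag" or "tag-older-than-fix" rather than "vulnerable", because a missing or stale tag is not evidence either way (freebsd-update builds and security.freebsd.org patches both leave tags untouched). The source paths, revisions and the binary blob are constructed for the example.

```python
import re
from typing import Dict, Optional

# An expanded $FreeBSD$ keyword (path, revision and date constructed here):
#   $FreeBSD: src/sys/kern/kern_exec.c,v 1.280 2006/02/06 21:54:22 user Exp $
TAG_RE = re.compile(rb"\$FreeBSD: (src/[^\s,]+),v ([0-9][0-9.]*) ")

def extract_tags(blob: bytes) -> Dict[str, str]:
    """Map source path -> revision for every expanded $FreeBSD$ tag in blob."""
    return {p.decode(): r.decode() for p, r in TAG_RE.findall(blob)}

def compare_revs(have: str, need: str) -> Optional[bool]:
    """CVS revisions order numerically per component (1.10 is newer than 1.9),
    but only within one branch: all but the last component must match,
    otherwise return None (HEAD 1.281 vs. RELENG 1.280.2.1 are unordered)."""
    h = [int(x) for x in have.split(".")]
    n = [int(x) for x in need.split(".")]
    if len(h) != len(n) or h[:-1] != n[:-1]:
        return None
    return h[-1] >= n[-1]

def check_advisory(blob: bytes, fixed: Dict[str, str]) -> Dict[str, str]:
    """Verdict per file the SA lists, from the tags found in blob alone.
    'tag-older-than-fix' is not proof of vulnerability (a patch from
    security.freebsd.org changes the code but not the tag); 'no-tag' is
    the usual outcome, since binaries carry tags for few of their sources."""
    tags = extract_tags(blob)
    verdict = {}
    for path, need in fixed.items():
        have = tags.get(path)
        if have is None:
            verdict[path] = "no-tag"
            continue
        ok = compare_revs(have, need)
        if ok is None:
            verdict[path] = "different-branch"
        else:
            verdict[path] = "tag-at-or-after-fix" if ok else "tag-older-than-fix"
    return verdict

# Constructed stand-in for a kernel binary's strings: two tags are present.
SAMPLE_BINARY = (
    b"\x7fELF...\x00$FreeBSD: src/sys/kern/kern_exec.c,v 1.280.2.1 2006/02/06 "
    b"21:54:22 user Exp $\x00$FreeBSD: src/sys/kern/kern_fork.c,v 1.250 "
    b"2005/11/01 10:00:00 user Exp $\x00"
)
# Constructed fixed-revision list in the style of an SA's "Corrected" section.
SAMPLE_ADVISORY = {
    "src/sys/kern/kern_exec.c": "1.280.2.1",  # RELENG branch fix, binary matches
    "src/sys/kern/kern_fork.c": "1.251",      # HEAD fix, binary tag is older
    "src/sys/kern/kern_sig.c": "1.300",       # no tag for this file in the binary
}
```

Run `check_advisory(SAMPLE_BINARY, SAMPLE_ADVISORY)` to see one verdict of each kind; on a real system the blob would be the bytes of the binary named in the advisory.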


