FreeBSD Security Risk:
Some ports/ install binaries Not localy compiled from matching sources.

This page is notes from analysis Jan 2010. Results have been discarded as the ports/ tree is constantly changing, & meausrements should be run on a current tree.

• 1
  • http://docs.FreeBSD.org/ cgi/ mid.cgi?201001210247.o0L2lno8035853
  • http://www.freebsd.org/ cgi/ getmsg.cgi?fetch=342895+0+/ usr/ local/ www/ db/ text/ 2010/ freebsd-ports/ 20100124.freebsd-ports
• 2

2010 January:
Searching for FreeBSD ports that install binaries not built locally.
uname -a FreeBSD
john.js.berklix.net 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Tue Jan 5 19:21:23 CET 2010
jhs@john.js.berklix.net:/usr/src/sys/amd64/compile/JOHN64mod amd64
ls -l /host/fire/usrb/tmp/ports/.ctm_status
-rw-r--r-- 1 jhs staff 15 Jan 26 00:15 .ctm_status
cd /host/fire/usrb/search/ports
setenv PORTSDIR /host/fire/usrb/search/ports
ln -s /pub/FreeBSD/dists/current distfiles
mv /pub/FreeBSD/branches/-current/ports /pub/FreeBSD/branches/-current/portsX
(cd /pub/FreeBSD/branches/-current/portsX;tar cf - . ) | tar xf -
mv /pub/FreeBSD/branches/-current/portsX /pub/FreeBSD/branches/-current/ports
make -k extract
find .  -type f -name \.\*extract_done\* > ../done # count ports done,
# some I don't have distfiles for & some don't get built on amd64
wc -l done
find .  -type f -exec file {} \; > ../result.find # Takes a few days!
du > ../du
cd ..
nice bzip2 result.find &
sed -e s/..// < result.find | \
grep -v "ASCII C program text" | \
grep -v "ASCII C++ program text" | \
grep -v "ASCII English text" | \
grep -v "ASCII Java program text" | \
grep -v "ASCII M4 macro language pre-processor text" | \
grep -v "ASCII Pascal program text" | \
grep -v "ASCII assembler program text" | \
grep -v "ASCII mail text" | \
grep -v "ASCII make commands text" | \
grep -v "ASCII text" | \
grep -v "Bourne shell script text executable" | \
grep -v "C program text" | \
grep -v "C shell script" | \
grep -v "GIF image data" | \
grep -v "HTML document text" | \
grep -v "PNG image data" | \
grep -v "TeX DVI file" | \
grep -v "TeX document text" | \
grep -v "TeX font aliases" | \
grep -v "TeX font metric data" | \
grep -v "UTF-8 Unicode C program text" | \
grep -v "UTF-8 Unicode C++ program text" | \
grep -v "UTF-8 Unicode English text" | \
grep -v "UTF-8 Unicode Java program text" | \
grep -v "UTF-8 Unicode M4 macro language pre-processor text" | \
grep -v "UTF-8 Unicode PL/1 program text" | \
grep -v "UTF-8 Unicode Pascal program text" | \
grep -v "UTF-8 Unicode assembler program text" | \
grep -v "perl script text executable" | \
grep -v "python script text executable" | \
grep -v "ruby script text executable" | \
grep -v "script text executable for" | \
grep -v "script text executable" | \
grep -v "tcpdump capture file" | \
grep -v "text/html" | \
grep -v "text/plain" | \
grep -v "troff or preprocessor input text" | \

cat > result6
cat result6 | awk -F : '{printf "%s\n",$2}' | sort | uniq > types

-------
More work pending, to strip more innocuous types.
To consider:
- What about Linux binaries run under emulation mode.
- What about eg BLOBS downoaded into USB DSL modems & WLANs etc.
  Perhaps best to mark them with different strings in BINARY += ?

• A sample syntax to add to ports/*/*/Makefile
• Features of the += syntax:
• The ports/Mk/*.mk should test if var is set, not if var == "YES".
• The += Any string (Rather than '= "YES"') allows multiple lines, of more information if user wishes.
• Later, the Mk/ macros could (optionaly( be extended to parse for a use preference list of file types to accept or reject. (So one would block "ELF 64-bit LSB" but might not necessarily block if just "Zip archive data"
• An initial set can be generated automatically with `make extract` & `find` & `file` & optionally pruned before adding to various ports/*/*/Makefile
• (possibly a ports master might for logistics reasons want to instead have macros read some [new] file in ports/*/*/files/ ? )

Sample - 1 or more for ports/www/opera/Makefile:

• BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped" # usr/ lib/ opera/ 9.63/ opera
• BINARY += "ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), stripped" # usr/ lib/ opera/ 9.63/ missingsyms.so
• BINARY += "Zip archive data, at least v2.0 to extract" # usr/ local/ share/ opera/ java/ opera.jar
• Below are repeats of file types, that could be omitted, or commented out with #, path names left for info/ warning,.
  • # BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped" # usr/ lib/ opera/ 9.63/ operaplugincleaner
  • # BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped" # usr/ lib/ opera/ 9.63/ operapluginwrapper
  • # BINARY += "ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.0 (700055), dynamically linked (uses shared libs), FreeBSD-style, stripped"
  • # usr/ lib/ opera/ 9.63/ works
  • # BINARY += "ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), stripped" # usr/ lib/ opera/ 9.63/ spellcheck.so
  • # BINARY += "Zip archive data, at least v1.0 to extract" # usr/ local/ share/ opera/ skin/ standard_skin.zip
  • # BINARY += "Zip archive data, at least v2.0 to extract" # usr/ local/ share/ opera/ skin/ windows_skin.zip

There are 1720 listed maintainers of the FreeBSD ports skeleton/ templates, & some of those names will be mail lists, some ports will be orphans, some other people also have CVS commit priveleges, & all may respond to public sending in fixes by send-pr, mail lists, private mail etc. With that many Maintainers, best Not contact them all asking them to review their ports, just run a script to automatically add "BINARY +=" to appropriate Makefiles, then later let Maintainers hand amend if appropriate.