# Portaudit Question



## Fatman (Dec 26, 2009)

Hello,

I have a question regarding portaudit. I just updated my ports tree using portsnap and executed the portaudit command.

It presented me with a list of packages that are vulnerable.


```
Affected package: php5-5.2.11_1
Type of problem: php -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>

Affected package: libtool-1.5.26
Type of problem: libtool -- Library Search Path Privilege Escalation Issue.
Reference: <http://portaudit.FreeBSD.org/77c14729-dc5e-11de-92ae-02e0184b8d35.html>
```

I ran portmaster -dB /usr/ports/lang/php5 but it complains about the package being vulnerable.


```
===>  Cleaning for php5-5.2.11_1

===>  php5-5.2.11_1 has known vulnerabilities:
=> php -- multiple vulnerabilities.
   Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/lang/php5.
*** Error code 1

Stop in /usr/ports/lang/php5.

===>>> make failed for lang/php5
===>>> Aborting update

===>>> There are messages from installed ports to display,
       but first take a moment to review the error messages
       above.  Then press Enter when ready to proceed.

===>>> pkg-message for apache-2.2.14_5
To run apache www server from startup, add apache22_enable="YES"
in your /etc/rc.conf. Extra options can be found in startup script.

Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.

===>>> Done displaying pkg-message files
===>>> The following actions were performed:
        Upgrade of libxml2-2.7.6 to libxml2-2.7.6_1
        Upgrade of libtool-2.2.6a to libtool-2.2.6b
        Upgrade of pcre-7.9 to pcre-8.00
        Upgrade of expat-2.0.1 to expat-2.0.1_1
        Upgrade of apache-2.2.13 to apache-2.2.14_5
```

Should I proceed by uninstalling the port and then try reinstalling it?

Thanks,
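The portaudit report above has a regular three-line record per affected package, so it is easy to turn into something a script can act on before running portmaster. The following POSIX sh example is added here and is not from the thread or from portaudit itself; the report text is constructed to match the format shown above, and `summarize_report`, `count_problems` and `is_affected` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: turn a portaudit report into one
# tab-separated line per affected package, then check a package name
# against it. The report text is constructed to match the format shown
# in the thread; on a live system pipe `portaudit -a` in instead.

PORTAUDIT_REPORT='Affected package: php5-5.2.11_1
Type of problem: php -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>

Affected package: libtool-1.5.26
Type of problem: libtool -- Library Search Path Privilege Escalation Issue.
Reference: <http://portaudit.FreeBSD.org/77c14729-dc5e-11de-92ae-02e0184b8d35.html>

2 problem(s) in your installed packages found.'

# summarize_report: read a report on stdin and print
# "package<TAB>problem<TAB>reference" for every affected package.
summarize_report() {
    awk '
        /^Affected package: / { sub(/^Affected package: /, ""); pkg = $0 }
        /^Type of problem: /  { sub(/^Type of problem: /, "");  prob = $0 }
        /^Reference: / {
            sub(/^Reference: /, "")
            gsub(/[<>]/, "")
            printf "%s\t%s\t%s\n", pkg, prob, $0
        }
    '
}

# count_problems: number of affected packages in the report on stdin.
count_problems() {
    summarize_report | wc -l | tr -d ' '
}

# is_affected PKGNAME: exit 0 when PKGNAME (full name with version, as
# pkg_info prints it) is listed in the report on stdin.
is_affected() {
    summarize_report | awk -v want="$1" '$1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Demo run against the constructed report.
printf '%s\n' "$PORTAUDIT_REPORT" | summarize_report
for pkg in php5-5.2.11_1 apache-2.2.14_5; do
    if printf '%s\n' "$PORTAUDIT_REPORT" | is_affected "$pkg"; then
        echo "$pkg: listed by portaudit, portmaster will refuse to build it"
    else
        echo "$pkg: not listed"
    fi
done
```

The package name in the report is the full installed name with version (the same string pkg_info prints), which is why `is_affected` compares whole names rather than prefixes: once the port in the tree has moved to a newer version that the audit database no longer lists, the same check against the new name comes back clean.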


----------



## dennylin93 (Dec 27, 2009)

You can use -DDISABLE_SECURITY_CHECK to bypass the security check.


----------



## Fatman (Dec 27, 2009)

Thanks,

Does this mean that the PHP5 port is still vulnerable and needs to be patched manually? I was under the impression that I just needed to update my port-tree and use portmaster to update the package manually.


----------



## DutchDaemon (Dec 27, 2009)

I don't think a manual patch is available, or it would already have been applied and released to the version in the ports tree. You'll have to wait for it.


----------



## Alt (Dec 27, 2009)

You can patch it manually using the 'make extract' command on the needed port. But it's better to update with portsnap =)


----------



## Fatman (Dec 28, 2009)

Thanks Guys.


----------



## Fatman (Dec 29, 2009)

Sorry guys but I have a couple more questions if you don't mind.

I've been trying to figure out how to deal with the following vulnerability found by portaudit:


```
Affected package: libtool-1.5.26
Type of problem: libtool -- Library Search Path Privilege Escalation Issue.
Reference: <http://portaudit.FreeBSD.org/77c14729-dc5e-11de-92ae-02e0184b8d35.html>
```

A quick check shows that I have two versions of this package installed:


```
test# pkg_info | grep libtool
libtool-1.5.26      Generic shared library support script
libtool-2.2.6b      Generic shared library support script
```

When I check the ports tree, I don't see it:


```
test# ls /usr/ports/devel/ | grep libtool
libtool22
```

I do however see it when executing a search and noticed it has been moved:



> Port:   devel/libtool15
> Moved:  devel/libtool22
> Date:   2009-08-02
> Reason: Update to libtool22



So my first question is: how do I find out which installed packages rely on devel/libtool15? I'd like to remove it with pkg_delete; however, I'm afraid I'll break something.

Thanks,
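The reverse-dependency question above can be answered from the package database itself. This POSIX sh example is added here and is not from the thread: it assumes the pkg_install layout in which each installed package has a directory under /var/db/pkg and a `+REQUIRED_BY` file listing, one per line, the packages that depend on it, and that the `PKG_DBDIR` environment variable selects an alternative database directory. The demo builds a constructed database in a temporary directory with made-up package names (`example-app-1.0`, `example-lib-0.3`) so it runs without a FreeBSD system; `required_by` and `safe_to_delete` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: list the installed packages that
# require a given package by reading the +REQUIRED_BY file that pkg_install
# keeps under /var/db/pkg/<package>/ (assumed layout). PKG_DBDIR is
# assumed to override the database location, which the demo below uses
# to point at a constructed tree.

# required_by PKGNAME: print the packages recorded as depending on PKGNAME,
# one per line; prints nothing when no +REQUIRED_BY file exists.
required_by() {
    db="${PKG_DBDIR:-/var/db/pkg}"
    f="$db/$1/+REQUIRED_BY"
    [ -f "$f" ] && cat "$f"
    return 0
}

# safe_to_delete PKGNAME: exit 0 when nothing is recorded as depending on it.
safe_to_delete() {
    [ -z "$(required_by "$1")" ]
}

# Constructed package database for the demo: libtool-1.5.26 is still
# needed by two made-up packages, libtool-2.2.6b by none.
demo_db=$(mktemp -d)
trap 'rm -rf "$demo_db"' EXIT
mkdir -p "$demo_db/libtool-1.5.26" "$demo_db/libtool-2.2.6b"
printf 'example-app-1.0\nexample-lib-0.3\n' > "$demo_db/libtool-1.5.26/+REQUIRED_BY"
PKG_DBDIR=$demo_db
export PKG_DBDIR

for pkg in libtool-1.5.26 libtool-2.2.6b; do
    if safe_to_delete "$pkg"; then
        echo "$pkg: no installed package depends on it"
    else
        echo "$pkg is required by:"
        required_by "$pkg" | sed 's/^/  /'
    fi
done
```

On a real system the stock equivalent is `pkg_info -R libtool-1.5.26`, which reads the same file; the point of the check is the one the post raises: a package with a non-empty `+REQUIRED_BY` list is not safe to pkg_delete until the packages listed there have been rebuilt against its replacement, which is what the `portmaster -o` procedure in /usr/ports/UPDATING arranges.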


----------



## DutchDaemon (Dec 29, 2009)

Take a look at /usr/ports/UPDATING, date 20090802.


----------



## vivek (Dec 29, 2009)

Almost all problems are documented in /usr/ports/UPDATING and /usr/src/UPDATING. Did you install the portaudit port, and is the cron job running to get updates?


----------



## Fatman (Dec 30, 2009)

Thanks again for the quick response. DutchDaemon's reply fixed the issue.


```
Portmaster:
  -----------

  portmaster -o devel/libtool22 devel/libtool15
  portmaster -o devel/libltdl22 devel/libltdl15

  After that, you will need to rebuild all ports that depend on libltdl.
  Since all dependent ports' PORTREVISIONs have been bumped, you can run
  portupgrade or portmaster with '-a' to complete the upgrade.
```

I followed the instructions in /usr/ports/UPDATING; however, I was kind of afraid and reluctant to run portmaster -a at the end.

All in all, it seems to have resolved it:


```
test# pkg_info | grep libtool
libtool-2.2.6b      Generic shared library support script
```


```
test# portaudit -Fda
auditfile.tbz                                 100% of   59 kB   59 kBps
New database installed.
Database created: Tue Dec 29 18:50:00 EST 2009
Affected package: php5-5.2.11_1
Type of problem: php -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
```

Thanks again for the help!

Fatman


----------



## dennylin93 (Dec 31, 2009)

PHP 5.2.12 is now in ports.


----------

