# portaudit



## exile (Jun 3, 2012)

Just finished installing this port, ran it and wham shows up on itself.
Thought it was quite funny and I'd share.


```
===>   Registering installation for portaudit-0.5.17
===>  Cleaning for portaudit-0.5.17
root@Freedom[/usr/ports/ports-mgmt/portaudit]
[14]: /usr/local/sbin/portaudit -Fda
auditfile.tbz                                 100% of   77 kB  104 kBps
New database installed.
Database created: Sun Jun  3 14:00:04 PDT 2012
Affected package: libxml2-2.7.8_1
Type of problem: libxml2 -- An off-by-one out-of-bounds write by XPointer.
Reference: http://portaudit.FreeBSD.org/b8ae4659-a0da-11e1-a294-bcaec565249c.html

Affected package: portaudit-0.5.17
Type of problem: portaudit -- auditfile remote code execution.
Reference: http://portaudit.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
```


----------



## DutchDaemon (Jun 4, 2012)

The funny thing is that you haven't updated your ports tree and are installing an old, vulnerable version as a consequence. The current version of portaudit is portaudit-0.6.0 and libxml is at libxml2-2.7.8_3.


----------



## exile (Jun 4, 2012)

Not outdated enough to know it was vulnerable.


----------



## funky (Jun 4, 2012)

exile said:

> not outdated enough to know it was vulnerable


portaudit simply parses the auditfile.tbz and extracts the entries important for your system by looking at currently installed package versions. So the version of portaudit does not matter for this task, though it matters for its own vulnerabilities.


----------



## Deleted member 30996 (Jun 5, 2012)

exile said:

> Not outdated enough to know it was vulnerable.





> Revision 1.30: download - view: text, markup, annotated - select for diffs
> *Sun Mar 11 21:32:57 2012* UTC (2 months, 3 weeks ago) by simon
> Branches: MAIN
> CVS tags: RELEASE_8_3_0, HEAD
> ...



Get out much?


----------

