author | joerg <joerg@pkgsrc.org> | 2009-01-08 00:01:30 +0000 |
committer | joerg <joerg@pkgsrc.org> | 2009-01-08 00:01:30 +0000 |
commit | 9054f9ba432fe0ffe4e809ed98d75254874d8ca0 (patch) | |
tree | 187078f4341ad6f516e369f3fff3d6641ec0db73 | |
parent | 50060a77876b2c9d076e17965cfb8f04c3ade9f3 (diff) | |
download | pkgsrc-9054f9ba432fe0ffe4e809ed98d75254874d8ca0.tar.gz |
pkg_install-20090108:
pkg_add optionally checks for vulnerable packages and bails out.
-rw-r--r-- | pkgtools/pkg_install/files/add/perform.c | 56 | ||||
-rw-r--r-- | pkgtools/pkg_install/files/lib/lib.h | 3 | ||||
-rw-r--r-- | pkgtools/pkg_install/files/lib/parse-config.c | 9 | ||||
-rw-r--r-- | pkgtools/pkg_install/files/lib/pkg_install.conf.5 | 18 | ||||
-rw-r--r-- | pkgtools/pkg_install/files/lib/pkg_install.conf.cat5 | 15 | ||||
-rw-r--r-- | pkgtools/pkg_install/files/lib/version.h | 4 |
6 files changed, 92 insertions, 13 deletions
diff --git a/pkgtools/pkg_install/files/add/perform.c b/pkgtools/pkg_install/files/add/perform.c
index d1644b8123e..f911b68b37c 100644
--- a/pkgtools/pkg_install/files/add/perform.c
+++ b/pkgtools/pkg_install/files/add/perform.c
@@ -1,4 +1,4 @@
-/* $NetBSD: perform.c,v 1.70.4.19 2008/08/25 19:15:11 joerg Exp $ */
+/* $NetBSD: perform.c,v 1.70.4.20 2009/01/08 00:01:30 joerg Exp $ */
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
@@ -6,13 +6,13 @@
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: perform.c,v 1.70.4.19 2008/08/25 19:15:11 joerg Exp $");
+__RCSID("$NetBSD: perform.c,v 1.70.4.20 2009/01/08 00:01:30 joerg Exp $");
 
 /*-
  * Copyright (c) 2003 Grant Beattie <grant@NetBSD.org>
  * Copyright (c) 2005 Dieter Baron <dillo@NetBSD.org>
  * Copyright (c) 2007 Roland Illig <rillig@NetBSD.org>
- * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>
+ * Copyright (c) 2008, 2009 Joerg Sonnenberger <joerg@NetBSD.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1169,6 +1169,53 @@ check_signature(struct pkg_task *pkg, void *signature_cookie, int invalid_sig)
 	return 1;
 }
 
+static int
+check_vulnerable(struct pkg_task *pkg)
+{
+	static struct pkg_vulnerabilities *pv;
+	size_t i;
+	int require_check;
+	char *line;
+	size_t len;
+
+	if (strcasecmp(check_vulnerabilities, "never") == 0)
+		return 0;
+	else if (strcasecmp(check_vulnerabilities, "always"))
+		require_check = 1;
+	else if (strcasecmp(check_vulnerabilities, "interactive"))
+		require_check = 0;
+	else {
+		warnx("Unknown value of the configuration variable"
+		    "CHECK_VULNERABILITIES");
+		return 1;
+	}
+
+	if (pv == NULL) {
+		pv = read_pkg_vulnerabilities(pkg_vulnerabilities_file,
+		    require_check, 0);
+		if (pv == NULL)
+			return require_check;
+	}
+
+	for (i = 0; i < pv->entries; ++i) {
+		if (!pkg_match(pv->vulnerability[i], pkg->pkgname))
+			continue;
+		if (strcmp("eol", pv->classification[i]) == 0)
+			continue;
+		warnx("Package %s has a %s vulnerability, see %s",
+		    pkg->pkgname, pv->classification[i], pv->advisory[i]);
+		fprintf(stderr, "Do you want to proceed with "
+		    "the installation of %s [y/n]?\n", pkg->pkgname);
+		line = fgetln(stdin, &len);
+		if (check_input(line, len)) {
+			fprintf(stderr, "Cancelling installation\n");
+			return 1;
+		}
+		return 0;
+	}
+	return 0;
+}
+
 /*
  * Install a single package.
  */
@@ -1207,6 +1254,9 @@ pkg_do(const char *pkgpath, int mark_automatic)
 	if (check_signature(pkg, &signature_cookie, invalid_sig))
 		goto clean_memory;
 
+	if (check_vulnerable(pkg))
+		goto clean_memory;
+
 	if (pkg->meta_data.meta_mtree != NULL)
 		warnx("mtree specification in pkg `%s' ignored",
 		    pkg->pkgname);
diff --git a/pkgtools/pkg_install/files/lib/lib.h b/pkgtools/pkg_install/files/lib/lib.h
index 8320ddf87a3..50b7f554cef 100644
--- a/pkgtools/pkg_install/files/lib/lib.h
+++ b/pkgtools/pkg_install/files/lib/lib.h
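Review bot: The two strcasecmp() tests after the "never" case in check_vulnerable() are inverted: strcasecmp() returns 0 on a match, so `else if (strcasecmp(check_vulnerabilities, "always"))` is taken for every value that is *not* "always", which gives "interactive" (and any typo) require_check = 1, sends "always" itself into the "interactive" branch with require_check = 0, and makes the "Unknown value" branch unreachable; both conditions need `== 0`. Even with that fixed, require_check only decides whether a missing pkg-vulnerabilities file is fatal, because a matching entry always falls through to the y/n prompt, so "always" does not refuse the install the way this commit's manpage text describes; returning 1 right after the warnx when require_check is set, before the prompt, would make the mode match its documentation and also keeps a non-interactive pkg_add from reading stdin (what check_input() does with the NULL that fgetln() returns on EOF is not visible here). The two adjacent literals in the "Unknown value" message also lack a separating space and print as "variableCHECK_VULNERABILITIES". pkg_do(), whose hunk follows, begins outside the hunk.
```c
	if (strcasecmp(check_vulnerabilities, "never") == 0)
		return 0;
	else if (strcasecmp(check_vulnerabilities, "always") == 0)
		require_check = 1;
	else if (strcasecmp(check_vulnerabilities, "interactive") == 0)
		require_check = 0;
	else {
		warnx("Unknown value of the configuration variable "
		    "CHECK_VULNERABILITIES");
		return 1;
	}
	/* … unchanged: lazy read of the pkg-vulnerabilities file … */
	for (i = 0; i < pv->entries; ++i) {
		if (!pkg_match(pv->vulnerability[i], pkg->pkgname))
			continue;
		if (strcmp("eol", pv->classification[i]) == 0)
			continue;
		warnx("Package %s has a %s vulnerability, see %s",
		    pkg->pkgname, pv->classification[i], pv->advisory[i]);
		if (require_check)
			return 1;	/* "always": refuse without asking */
		/* … unchanged: interactive y/n prompt … */
	}
```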
@@ -1,4 +1,4 @@
-/* $NetBSD: lib.h,v 1.42.2.16 2008/12/30 15:55:57 joerg Exp $ */
+/* $NetBSD: lib.h,v 1.42.2.17 2009/01/08 00:01:31 joerg Exp $ */
 
 /* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */
 
@@ -412,6 +412,7 @@ extern Boolean Force;
 extern const char *cert_chain_file;
 extern const char *certs_packages;
 extern const char *certs_pkg_vulnerabilities;
+extern const char *check_vulnerabilities;
 extern const char *config_file;
 extern const char *verified_installation;
 extern const char *gpg_cmd;
diff --git a/pkgtools/pkg_install/files/lib/parse-config.c b/pkgtools/pkg_install/files/lib/parse-config.c
index e35271a36cf..d629c85c3af 100644
--- a/pkgtools/pkg_install/files/lib/parse-config.c
+++ b/pkgtools/pkg_install/files/lib/parse-config.c
@@ -1,4 +1,4 @@
-/* $NetBSD: parse-config.c,v 1.1.2.5 2008/08/21 16:04:39 joerg Exp $ */
+/* $NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $ */
 
 #if HAVE_CONFIG_H
 #include "config.h"
@@ -8,7 +8,7 @@
 #include <sys/cdefs.h>
 #endif
 #ifndef lint
-__RCSID("$NetBSD: parse-config.c,v 1.1.2.5 2008/08/21 16:04:39 joerg Exp $");
+__RCSID("$NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $");
 #endif
 
 /*-
@@ -58,6 +58,7 @@ static const char *ignore_proxy;
 const char *cert_chain_file;
 const char *certs_packages;
 const char *certs_pkg_vulnerabilities;
+const char *check_vulnerabilities;
 const char *verified_installation;
 const char *gpg_cmd;
 const char *pkg_vulnerabilities_dir;
@@ -75,6 +76,7 @@ static struct config_variable {
 	{ "CERTIFICATE_ANCHOR_PKGS", &certs_packages },
 	{ "CERTIFICATE_ANCHOR_PKGVULN", &certs_pkg_vulnerabilities },
 	{ "CERTIFICATE_CHAIN", &cert_chain_file },
+	{ "CHECK_VULNERABILITIES", &check_vulnerabilities },
 	{ "GPG", &gpg_cmd },
 	{ "IGNORE_PROXY", &ignore_proxy },
 	{ "IGNORE_URL", &ignore_advisories },
@@ -108,6 +110,9 @@ pkg_install_config(void)
 	if (verified_installation == NULL)
 		verified_installation = "never";
 
+	if (check_vulnerabilities == NULL)
+		check_vulnerabilities = "never";
+
 	snprintf(fetch_flags, sizeof(fetch_flags), "%s%s%s",
 	    (verbose_netio && *verbose_netio) ? "v" : "",
 	    (active_ftp && *active_ftp) ? "" : "p",
diff --git a/pkgtools/pkg_install/files/lib/pkg_install.conf.5 b/pkgtools/pkg_install/files/lib/pkg_install.conf.5
index f0996c0cac3..9a50fdaa4b8 100644
--- a/pkgtools/pkg_install/files/lib/pkg_install.conf.5
+++ b/pkgtools/pkg_install/files/lib/pkg_install.conf.5
@@ -1,6 +1,6 @@
-.\" $NetBSD: pkg_install.conf.5,v 1.1.2.3 2008/08/21 16:10:01 joerg Exp $
+.\" $NetBSD: pkg_install.conf.5,v 1.1.2.4 2009/01/08 00:01:31 joerg Exp $
 .\"
-.\" Copyright (c) 2008 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This code is derived from software contributed to The NetBSD Foundation
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 21, 2008
+.Dd January 8, 2009
 .Dt PKG_INSTALL.CONF 5
 .Os
 .Sh NAME
@@ -67,6 +67,18 @@ contained in this file.
 Path to a file containing additional certificates that can be used
 for completing certicate chains when validating binary packages or
 pkg-vulnerabilities files.
+.Dv CHECK_VULNERABILITIES
+Check for vulnerabilities when installating packages.
+Supported values are:
+.Bl -tag -width interactiveXX
+.It Dv never
+No check is performed.
+.It Dv always
+Passing the vulnerability check is required.
+A missing pkg-vulnerabilities file is considered an error.
+.It Dv interactive
+The user is always asked to confirm installation of vulnerable packages.
+.El
 .It Dv GPG
 Deprecated.
 Path to
diff --git a/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5 b/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
index 8721a7fd9eb..47b15c26ef1 100644
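Review bot: The new default in pkg_install_config() is assigned but the configured value is never checked against the three documented settings here, so a misspelt CHECK_VULNERABILITIES in pkg_install.conf is stored verbatim and can only be noticed later, once per package, when pkg_add evaluates it. Since this function already normalises a missing value to "never", it is the natural place to reject anything else once at load time, e.g. `if (strcasecmp(check_vulnerabilities, "never") && strcasecmp(check_vulnerabilities, "always") && strcasecmp(check_vulnerabilities, "interactive")) errx(EXIT_FAILURE, "Invalid value for CHECK_VULNERABILITIES");` (using whichever error path this file already has, since its includes are not in the hunk). The rest of pkg_install_config() lies outside the hunk.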
--- a/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5 +++ b/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5 @@ -31,7 +31,18 @@ DDEESSCCRRIIPPTTIIOONN CERTIFICATE_CHAIN Path to a file containing additional certificates that can be used for completing certicate chains when validating binary pack- - ages or pkg-vulnerabilities files. + ages or pkg-vulnerabilities files. CHECK_VULNERABILITIES Check + for vulnerabilities when installating packages. Supported values + are: + + never No check is performed. + + always Passing the vulnerability check is required. A + missing pkg-vulnerabilities file is considered an + error. + + interactive The user is always asked to confirm installation + of vulnerable packages. GPG Deprecated. Path to gpg(1), which can be used to verify the sig- nature in the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running @@ -88,4 +99,4 @@ FFIILLEESS SSEEEE AALLSSOO pkg_add(1), pkg_admin(1) -NetBSD 4.0 August 21, 2008 NetBSD 4.0 +NetBSD 5.0 January 8, 2009 NetBSD 5.0 diff --git a/pkgtools/pkg_install/files/lib/version.h b/pkgtools/pkg_install/files/lib/version.h index 15191bcc6a7..13832d54163 100644 --- a/pkgtools/pkg_install/files/lib/version.h +++ b/pkgtools/pkg_install/files/lib/version.h @@ -1,4 +1,4 @@ -/* $NetBSD: version.h,v 1.102.2.19 2008/12/30 15:55:57 joerg Exp $ */ +/* $NetBSD: version.h,v 1.102.2.20 2009/01/08 00:01:31 joerg Exp $ */ /* * Copyright (c) 2001 Thomas Klausner. All rights reserved. @@ -27,6 +27,6 @@ #ifndef _INST_LIB_VERSION_H_ #define _INST_LIB_VERSION_H_ -#define PKGTOOLS_VERSION "20081230" +#define PKGTOOLS_VERSION "20090108" #endif /* _INST_LIB_VERSION_H_ */ |