authorjoerg <joerg>2009-01-08 00:01:30 +0000
committerjoerg <joerg>2009-01-08 00:01:30 +0000
commit198ddb4db2bad0166f1ff350eb784aaf07b9b6ed (patch)
tree187078f4341ad6f516e369f3fff3d6641ec0db73
parent8cc7fcaedff26298d9bb9834c61e5c40cbbe9ae8 (diff)
downloadpkgsrc-198ddb4db2bad0166f1ff350eb784aaf07b9b6ed.tar.gz
pkg_install-20090108:
pkg_add optionally checks for vulnerable packages and bails out.
-rw-r--r--pkgtools/pkg_install/files/add/perform.c56
-rw-r--r--pkgtools/pkg_install/files/lib/lib.h3
-rw-r--r--pkgtools/pkg_install/files/lib/parse-config.c9
-rw-r--r--pkgtools/pkg_install/files/lib/pkg_install.conf.518
-rw-r--r--pkgtools/pkg_install/files/lib/pkg_install.conf.cat515
-rw-r--r--pkgtools/pkg_install/files/lib/version.h4
6 files changed, 92 insertions, 13 deletions
diff --git a/pkgtools/pkg_install/files/add/perform.c b/pkgtools/pkg_install/files/add/perform.c
index d1644b8123e..f911b68b37c 100644
--- a/pkgtools/pkg_install/files/add/perform.c
+++ b/pkgtools/pkg_install/files/add/perform.c
@@ -1,4 +1,4 @@
-/* $NetBSD: perform.c,v 1.70.4.19 2008/08/25 19:15:11 joerg Exp $ */
+/* $NetBSD: perform.c,v 1.70.4.20 2009/01/08 00:01:30 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
#endif
@@ -6,13 +6,13 @@
#if HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: perform.c,v 1.70.4.19 2008/08/25 19:15:11 joerg Exp $");
+__RCSID("$NetBSD: perform.c,v 1.70.4.20 2009/01/08 00:01:30 joerg Exp $");
/*-
* Copyright (c) 2003 Grant Beattie <grant@NetBSD.org>
* Copyright (c) 2005 Dieter Baron <dillo@NetBSD.org>
* Copyright (c) 2007 Roland Illig <rillig@NetBSD.org>
- * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>
+ * Copyright (c) 2008, 2009 Joerg Sonnenberger <joerg@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -1169,6 +1169,53 @@ check_signature(struct pkg_task *pkg, void *signature_cookie, int invalid_sig)
return 1;
}
+static int
+check_vulnerable(struct pkg_task *pkg)
+{
+ static struct pkg_vulnerabilities *pv;
+ size_t i;
+ int require_check;
+ char *line;
+ size_t len;
+
+ if (strcasecmp(check_vulnerabilities, "never") == 0)
+ return 0;
+ else if (strcasecmp(check_vulnerabilities, "always"))
+ require_check = 1;
+ else if (strcasecmp(check_vulnerabilities, "interactive"))
+ require_check = 0;
+ else {
+ warnx("Unknown value of the configuration variable"
+ "CHECK_VULNERABILITIES");
+ return 1;
+ }
+
+ if (pv == NULL) {
+ pv = read_pkg_vulnerabilities(pkg_vulnerabilities_file,
+ require_check, 0);
+ if (pv == NULL)
+ return require_check;
+ }
+
+ for (i = 0; i < pv->entries; ++i) {
+ if (!pkg_match(pv->vulnerability[i], pkg->pkgname))
+ continue;
+ if (strcmp("eol", pv->classification[i]) == 0)
+ continue;
+ warnx("Package %s has a %s vulnerability, see %s",
+ pkg->pkgname, pv->classification[i], pv->advisory[i]);
+ fprintf(stderr, "Do you want to proceed with "
+ "the installation of %s [y/n]?\n", pkg->pkgname);
+ line = fgetln(stdin, &len);
+ if (check_input(line, len)) {
+ fprintf(stderr, "Cancelling installation\n");
+ return 1;
+ }
+ return 0;
+ }
+ return 0;
+}
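Review bot: The two `strcasecmp` tests for "always" and "interactive" in check_vulnerable() are inverted: strcasecmp() returns 0 on a match, so a configured `always` sets require_check to 0, `interactive` sets it to 1, and every other value also takes the `always` branch, which leaves the warnx() for unknown values unreachable. Change them to `else if (strcasecmp(check_vulnerabilities, "always") == 0)` and `else if (strcasecmp(check_vulnerabilities, "interactive") == 0)`. The two string literals in that warnx() also concatenate with no separator and print "variableCHECK_VULNERABILITIES"; end the first one as `"Unknown value of the configuration variable "`. Separately, the match loop prompts on stdin regardless of require_check, so `always` as written still lets the user proceed, which does not appear to match the manual text "Passing the vulnerability check is required" added in this commit; if refusal is intended, return 1 when require_check is set before asking. fgetln() returns NULL at EOF, and whether check_input() tolerates a NULL line is defined outside this hunk.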
+
/*
* Install a single package.
*/
@@ -1207,6 +1254,9 @@ pkg_do(const char *pkgpath, int mark_automatic)
if (check_signature(pkg, &signature_cookie, invalid_sig))
goto clean_memory;
+ if (check_vulnerable(pkg))
+ goto clean_memory;
+
if (pkg->meta_data.meta_mtree != NULL)
warnx("mtree specification in pkg `%s' ignored", pkg->pkgname);
diff --git a/pkgtools/pkg_install/files/lib/lib.h b/pkgtools/pkg_install/files/lib/lib.h
index 8320ddf87a3..50b7f554cef 100644
--- a/pkgtools/pkg_install/files/lib/lib.h
+++ b/pkgtools/pkg_install/files/lib/lib.h
@@ -1,4 +1,4 @@
-/* $NetBSD: lib.h,v 1.42.2.16 2008/12/30 15:55:57 joerg Exp $ */
+/* $NetBSD: lib.h,v 1.42.2.17 2009/01/08 00:01:31 joerg Exp $ */
/* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */
@@ -412,6 +412,7 @@ extern Boolean Force;
extern const char *cert_chain_file;
extern const char *certs_packages;
extern const char *certs_pkg_vulnerabilities;
+extern const char *check_vulnerabilities;
extern const char *config_file;
extern const char *verified_installation;
extern const char *gpg_cmd;
diff --git a/pkgtools/pkg_install/files/lib/parse-config.c b/pkgtools/pkg_install/files/lib/parse-config.c
index e35271a36cf..d629c85c3af 100644
--- a/pkgtools/pkg_install/files/lib/parse-config.c
+++ b/pkgtools/pkg_install/files/lib/parse-config.c
@@ -1,4 +1,4 @@
-/* $NetBSD: parse-config.c,v 1.1.2.5 2008/08/21 16:04:39 joerg Exp $ */
+/* $NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
@@ -8,7 +8,7 @@
#include <sys/cdefs.h>
#endif
#ifndef lint
-__RCSID("$NetBSD: parse-config.c,v 1.1.2.5 2008/08/21 16:04:39 joerg Exp $");
+__RCSID("$NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $");
#endif
/*-
@@ -58,6 +58,7 @@ static const char *ignore_proxy;
const char *cert_chain_file;
const char *certs_packages;
const char *certs_pkg_vulnerabilities;
+const char *check_vulnerabilities;
const char *verified_installation;
const char *gpg_cmd;
const char *pkg_vulnerabilities_dir;
@@ -75,6 +76,7 @@ static struct config_variable {
{ "CERTIFICATE_ANCHOR_PKGS", &certs_packages },
{ "CERTIFICATE_ANCHOR_PKGVULN", &certs_pkg_vulnerabilities },
{ "CERTIFICATE_CHAIN", &cert_chain_file },
+ { "CHECK_VULNERABILITIES", &check_vulnerabilities },
{ "GPG", &gpg_cmd },
{ "IGNORE_PROXY", &ignore_proxy },
{ "IGNORE_URL", &ignore_advisories },
@@ -108,6 +110,9 @@ pkg_install_config(void)
if (verified_installation == NULL)
verified_installation = "never";
+ if (check_vulnerabilities == NULL)
+ check_vulnerabilities = "never";
+
snprintf(fetch_flags, sizeof(fetch_flags), "%s%s%s",
(verbose_netio && *verbose_netio) ? "v" : "",
(active_ftp && *active_ftp) ? "" : "p",
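Review bot: The default `never` assigned to check_vulnerabilities on the added lines is not stated in the pkg_install.conf(5) text added by this commit, so an administrator cannot tell from the manual that the vulnerability check is off unless explicitly configured. Either add a sentence after the value list in the manual page naming `never` as the default, or at least annotate the assignment: `/* Default: no vulnerability check (same as before CHECK_VULNERABILITIES existed) */`. The rendered cat5 page in this commit also shows the CHECK_VULNERABILITIES entry run into the CERTIFICATE_CHAIN paragraph, which suggests the `.Dv CHECK_VULNERABILITIES` line in pkg_install.conf.5 is missing the leading `.It` that the neighbouring entries have. pkg_install_config() continues outside the hunk.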
diff --git a/pkgtools/pkg_install/files/lib/pkg_install.conf.5 b/pkgtools/pkg_install/files/lib/pkg_install.conf.5
index f0996c0cac3..9a50fdaa4b8 100644
--- a/pkgtools/pkg_install/files/lib/pkg_install.conf.5
+++ b/pkgtools/pkg_install/files/lib/pkg_install.conf.5
@@ -1,6 +1,6 @@
-.\" $NetBSD: pkg_install.conf.5,v 1.1.2.3 2008/08/21 16:10:01 joerg Exp $
+.\" $NetBSD: pkg_install.conf.5,v 1.1.2.4 2009/01/08 00:01:31 joerg Exp $
.\"
-.\" Copyright (c) 2008 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd August 21, 2008
+.Dd January 8, 2009
.Dt PKG_INSTALL.CONF 5
.Os
.Sh NAME
@@ -67,6 +67,18 @@ contained in this file.
Path to a file containing additional certificates that can be used
for completing certicate chains when validating binary packages or
pkg-vulnerabilities files.
+.Dv CHECK_VULNERABILITIES
+Check for vulnerabilities when installating packages.
+Supported values are:
+.Bl -tag -width interactiveXX
+.It Dv never
+No check is performed.
+.It Dv always
+Passing the vulnerability check is required.
+A missing pkg-vulnerabilities file is considered an error.
+.It Dv interactive
+The user is always asked to confirm installation of vulnerable packages.
+.El
.It Dv GPG
Deprecated.
Path to
diff --git a/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5 b/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
index 8721a7fd9eb..47b15c26ef1 100644
--- a/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
+++ b/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
@@ -31,7 +31,18 @@ DDEESSCCRRIIPPTTIIOONN
CERTIFICATE_CHAIN
Path to a file containing additional certificates that can be
used for completing certicate chains when validating binary pack-
- ages or pkg-vulnerabilities files.
+ ages or pkg-vulnerabilities files. CHECK_VULNERABILITIES Check
+ for vulnerabilities when installating packages. Supported values
+ are:
+
+ never No check is performed.
+
+ always Passing the vulnerability check is required. A
+ missing pkg-vulnerabilities file is considered an
+ error.
+
+ interactive The user is always asked to confirm installation
+ of vulnerable packages.
GPG Deprecated. Path to gpg(1), which can be used to verify the sig-
nature in the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running
@@ -88,4 +99,4 @@ FFIILLEESS
SSEEEE AALLSSOO
pkg_add(1), pkg_admin(1)
-NetBSD 4.0 August 21, 2008 NetBSD 4.0
+NetBSD 5.0 January 8, 2009 NetBSD 5.0
diff --git a/pkgtools/pkg_install/files/lib/version.h b/pkgtools/pkg_install/files/lib/version.h
index 15191bcc6a7..13832d54163 100644
--- a/pkgtools/pkg_install/files/lib/version.h
+++ b/pkgtools/pkg_install/files/lib/version.h
@@ -1,4 +1,4 @@
-/* $NetBSD: version.h,v 1.102.2.19 2008/12/30 15:55:57 joerg Exp $ */
+/* $NetBSD: version.h,v 1.102.2.20 2009/01/08 00:01:31 joerg Exp $ */
/*
* Copyright (c) 2001 Thomas Klausner. All rights reserved.
@@ -27,6 +27,6 @@
#ifndef _INST_LIB_VERSION_H_
#define _INST_LIB_VERSION_H_
-#define PKGTOOLS_VERSION "20081230"
+#define PKGTOOLS_VERSION "20090108"
#endif /* _INST_LIB_VERSION_H_ */