author     dillo <dillo>    2005-06-07 19:17:01 +0000
committer  dillo <dillo>    2005-06-07 19:17:01 +0000
commit     d4b2fbda5772172f4b919901d30f5292f328f44c
tree       2449b9685e962f6bca80eaf54d69ce419ed23013
parent     77f6575300574966197e00d52686fe124b76a0ee
Add a file format version to pkg-vulnerabilities, and check for
its compatibility. Bump version to 1.35.

Done during the freeze to have the support on the branch. Okayed by wiz.
-rw-r--r--  security/audit-packages/Makefile                   |   4
-rwxr-xr-x  security/audit-packages/files/audit-packages       |  48
-rw-r--r--  security/audit-packages/files/audit-packages.0     | 102
-rw-r--r--  security/audit-packages/files/audit-packages.8     |  39
4 files changed, 145 insertions, 48 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile
index 883436aba9a..6b0aacaacd0 100644
--- a/security/audit-packages/Makefile
+++ b/security/audit-packages/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.54 2005/05/21 16:36:37 dillo Exp $
+# $NetBSD: Makefile,v 1.55 2005/06/07 19:17:01 dillo Exp $
-DISTNAME= audit-packages-1.34
+DISTNAME= audit-packages-1.35
CATEGORIES= security pkgtools
MASTER_SITES= # empty
DISTFILES= # empty
diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages
index 8010ff1ace1..297eec73fd4 100755
--- a/security/audit-packages/files/audit-packages
+++ b/security/audit-packages/files/audit-packages
@@ -1,6 +1,6 @@
#! @SH@
#
-# $NetBSD: audit-packages,v 1.18 2005/05/21 16:36:37 dillo Exp $
+# $NetBSD: audit-packages,v 1.19 2005/06/07 19:17:01 dillo Exp $
#
# Copyright (c) 2000-2003 Alistair Crooks. All rights reserved.
#
@@ -33,8 +33,14 @@
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
+ERR_DOWNLOAD="Please run download-vulnerability-list"
+ERR_UPGRADE="Please upgrade audit-packages to the newest version"
+
: ${PKGVULNDIR=@PKGVULNDIR@}
+FORMAT_MAJOR=1
+FORMAT_MINOR=0
+
if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then
echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf"
. @PKG_SYSCONFDIR@/audit-packages.conf
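Review bot: FORMAT_MAJOR and FORMAT_MINOR are assigned before `. @PKG_SYSCONFDIR@/audit-packages.conf` is sourced, so a line in the configuration file can redefine the supported format version and quietly widen or disable the new compatibility check. These two values describe what this version of the script can parse, not a site preference, so either move the assignments below the config block or mark them `readonly FORMAT_MAJOR FORMAT_MINOR` so an accidental override fails loudly. The ERR_DOWNLOAD/ERR_UPGRADE strings are fine where they are.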
@@ -53,7 +59,11 @@ done
errmsg=""
# check for missing vulnerabilities file
-[ ! -f "$vuls" ] && errmsg="** Missing $vuls"
+if [ ! -f "$vuls" ]
+then
+ errmsg="Missing vulnerabilities file $vuls"
+ errsolution="$ERR_DOWNLOAD"
+fi
case "$errmsg" in
"") # check for old vulnerabilities file if we're being verbose
@@ -65,18 +75,42 @@ case "$errmsg" in
esac
case "$errmsg" in
+"") # check format version of vulnerabilities file
+ file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\."); print a[1] }' "$vuls"`
+ file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\."); print a[2] }' "$vuls"`
+ if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]
+ then
+ errmsg="No file format version found in $vuls"
+ errsolution="$ERR_DOWNLOAD"
+ elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]
+ then
+ errmsg="Unsupported file format version $file_major.$file_minor in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR)."
+ if [ "$file_major" -le "$FORMAT_MAJOR" ]
+ then
+ errsolution="$ERR_DOWNLOAD"
+ else
+ errsolution="$ERR_UPGRADE"
+ fi
+ fi
+ ;;
+esac
+
+case "$errmsg" in
"") # check integrity of vulnerabilities file
recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' "$vuls"`
recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' "$vuls"`
case "$recordedsum" in
- "") errmsg="***WARNING*** No checksum found in $vuls"
+ "") errmsg="No checksum found in $vuls"
+ errsolution="$ERR_DOWNLOAD"
;;
*) case "$recordedalg" in
- "") errmsg="***WARNING*** No checksum algorithm found in $vuls file"
+ "") errmsg="No checksum algorithm found in $vuls file"
+ errsolution="$ERR_DOWNLOAD"
;;
*) calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' "$vuls" | @DIGEST@ "$recordedalg"`
if [ "$recordedsum" != "$calcsum" ]; then
- errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
+ errmsg="Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
+ errsolution="$ERR_DOWNLOAD"
fi
;;
esac
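Review bot: the advice for a file whose major version matches but whose minor version is newer is wrong. With `file_major -eq FORMAT_MAJOR` and `file_minor -gt FORMAT_MINOR` the outer `elif` fires, but the inner test `[ "$file_major" -le "$FORMAT_MAJOR" ]` is true, so the user is told to run download-vulnerability-list, which fetches the same too-new file again; the inner test should be `-lt`, so that only a strictly older major version maps to ERR_DOWNLOAD and every newer file maps to ERR_UPGRADE, as the new DIAGNOSTICS text promises. Two smaller points on the same lines: the awk programs print one value per `#FORMAT` line, so a file with two such lines yields a multi-line string, and a non-numeric value (a stray suffix, or garbage from a partial download) makes `[ ... -ne ... ]` fail with an "integer expression expected" error rather than match, so the `elif` is skipped and the check silently passes. Add `; exit` after the awk print so only the first `#FORMAT` line counts, and reject anything that does not match `[0-9]*` in a `case` before doing arithmetic comparisons. Finally, this block runs before the checksum block, so it parses data whose integrity has not been checked yet; harmless for an awk split, but the two case statements could be swapped at no cost.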
@@ -88,8 +122,8 @@ esac
# if we have found an error, then complain and exit
case "$errmsg" in
"") ;;
-*) echo "$errmsg" 1>&2
- echo "** Please run download-vulnerability-list" 1>&2
+*) echo "***ERROR*** $errmsg" 1>&2
+ echo "** $errsolution" 1>&2
exit 1
;;
esac
diff --git a/security/audit-packages/files/audit-packages.0 b/security/audit-packages/files/audit-packages.0
index 7e035259687..025782aa1b6 100644
--- a/security/audit-packages/files/audit-packages.0
+++ b/security/audit-packages/files/audit-packages.0
@@ -1,7 +1,7 @@
AUDIT-PACKAGES(8) NetBSD System Manager's Manual AUDIT-PACKAGES(8)
NNAAMMEE
- aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt - show vulnerabilities in
+ aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in
installed packages
SSYYNNOOPPSSIISS
@@ -25,40 +25,40 @@ DDEESSCCRRIIPPTTIIOONN
Each line lists the package and vulnerable versions, the type of exploit,
and an Internet address for further information. The type of exploit can
be any text, although some common types of exploits listed are:
- ++oo cross-site-html
- ++oo cross-site-scripting
- ++oo denial-of-service
- ++oo file-permissions
- ++oo local-access
- ++oo local-code-execution
- ++oo local-file-read
- ++oo local-file-removal
- ++oo local-file-write
- ++oo local-root-file-view
- ++oo local-root-shell
- ++oo local-symlink-race
- ++oo local-user-file-view
- ++oo local-user-shell
- ++oo privacy-leak
- ++oo remote-code-execution
- ++oo remote-command-inject
- ++oo remote-file-creation
- ++oo remote-file-read
- ++oo remote-file-view
- ++oo remote-file-write
- ++oo remote-key-theft
- ++oo remote-root-access
- ++oo remote-root-shell
- ++oo remote-script-inject
- ++oo remote-server-admin
- ++oo remote-use-of-secret
- ++oo remote-user-access
- ++oo remote-user-file-view
- ++oo remote-user-shell
- ++oo unknown
- ++oo weak-authentication
- ++oo weak-encryption
- ++oo weak-ssl-authentication
+ ·· cross-site-html
+ ·· cross-site-scripting
+ ·· denial-of-service
+ ·· file-permissions
+ ·· local-access
+ ·· local-code-execution
+ ·· local-file-read
+ ·· local-file-removal
+ ·· local-file-write
+ ·· local-root-file-view
+ ·· local-root-shell
+ ·· local-symlink-race
+ ·· local-user-file-view
+ ·· local-user-shell
+ ·· privacy-leak
+ ·· remote-code-execution
+ ·· remote-command-inject
+ ·· remote-file-creation
+ ·· remote-file-read
+ ·· remote-file-view
+ ·· remote-file-write
+ ·· remote-key-theft
+ ·· remote-root-access
+ ·· remote-root-shell
+ ·· remote-script-inject
+ ·· remote-server-admin
+ ·· remote-use-of-secret
+ ·· remote-user-access
+ ·· remote-user-file-view
+ ·· remote-user-shell
+ ·· unknown
+ ·· weak-authentication
+ ·· weak-encryption
+ ·· weak-ssl-authentication
By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc-
tory. This can be changed by defining the environment variable
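Review bot: the only change in this hunk is the bullet glyph, from `+o` to a Latin-1 middle dot (`·`), and the same goes for the bolded dash in the NAME hunk above; neither corresponds to an edit in the audit-packages.8 source below, so they come from regenerating the catpage with a different formatter. That puts a non-ASCII byte into a file that was previously pure ASCII, and it will render as garbage on a terminal not set to Latin-1. Regenerate with the same toolchain that produced the previous catpage, or with an ASCII output device such as `groff -Tascii`, so that this hunk disappears and the diff is limited to the DIAGNOSTICS section actually being added.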
@@ -88,6 +88,36 @@ EEXXAAMMPPLLEESS
export FETCH_ARGS="-4"
+DDIIAAGGNNOOSSTTIICCSS
+ The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs.
+
+ The following errors can occur:
+
+ Checksum mismatch
+ The vulnerabilities file is corrupted. Run
+ ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+ Missing vulnerabilities file
+ The vulnerabilities file could not be found. Run
+ ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+ No checksum algorithm found
+ The vulnerabilities file is too old or incomplete. Run
+ ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+ No checksum found
+ The vulnerabilities file is too old or incomplete. Run
+ ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+ No file format version found
+ The vulnerabilities file is too old or incomplete. Run
+ ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+ Unsupported file format version
+ The vulnerabilities file is too old or too new. If it's too
+ old, run ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. If it's too new,
+ update the aauuddiitt--ppaacckkaaggeess package.
+
SSEEEE AALLSSOO
pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/bsd.pkg.defaults.mk
and
@@ -100,4 +130,4 @@ HHIISSTTOORRYY
September 19, 2000. The original idea came from Roland Dowdeswell and
Bill Sommerfeld.
-NetBSD 2.0 May 12, 2004 NetBSD 2.0
+NetBSD 3.0 May 27, 2005 NetBSD 3.0
diff --git a/security/audit-packages/files/audit-packages.8 b/security/audit-packages/files/audit-packages.8
index 5a9c31c344f..17c8477a403 100644
--- a/security/audit-packages/files/audit-packages.8
+++ b/security/audit-packages/files/audit-packages.8
@@ -1,5 +1,6 @@
-.\" $NetBSD: audit-packages.8,v 1.9 2005/05/07 22:15:25 wiz Exp $
-.Dd May 12, 2004
+.\" $NetBSD: audit-packages.8,v 1.10 2005/06/07 19:17:01 dillo Exp $
+.\" XXX: License?
+.Dd May 27, 2005
.Os
.Dt AUDIT-PACKAGES 8
.Sh NAME
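Review bot: committing `.\" XXX: License?` records an open question instead of resolving it. The audit-packages script carries the Alistair Crooks copyright and BSD terms, while the manual page has none; either add the matching license block to audit-packages.8 in this commit or drop the marker and track the question elsewhere, because a `XXX` in a file installed on every system tends to stay forever. On `.Dd May 27, 2005`: the date predates the commit, which is fine if that is when the text was written, but it should be bumped whenever the page content changes.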
@@ -135,7 +136,6 @@ Specifies optional arguments for the ftp client.
@PKGVULNDIR@/pkg-vulnerabilities
.Pp
@PKG_SYSCONFDIR@/audit-packages.conf
-.\" .Sh EXAMPLES
.Sh EXAMPLES
The
.Nm download-vulnerability-list
@@ -159,6 +159,39 @@ command can be forced to use IPv4 with the following setting in
@PKG_SYSCONFDIR@/audit-packages.conf :
.Pp
export FETCH_ARGS="-4"
+.Sh DIAGNOSTICS
+.Ex -std audit-packages
+.Pp
+The following errors can occur:
+.Bl -tag -width 10n
+.It Checksum mismatch
+The vulnerabilities file is corrupted.
+Run
+.Nm download-vulnerability-list .
+.It Missing vulnerabilities file
+The vulnerabilities file could not be found.
+Run
+.Nm download-vulnerability-list .
+.It \&No checksum algorithm found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm download-vulnerability-list .
+.It \&No checksum found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm download-vulnerability-list .
+.It \&No file format version found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm download-vulnerability-list .
+.It Unsupported file format version
+The vulnerabilities file is too old or too new.
+If it's too old, run
+.Nm download-vulnerability-list .
+If it's too new, update the
+.Nm audit-packages
+package.
+.El
.Sh SEE ALSO
.Xr pkg_info 1 ,
.Xr mk.conf 5 ,
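Review bot: the "Checksum mismatch" entry says the file is corrupted and should be re-downloaded, which is the right action, but the page should state the limits of the check: `#CHECKSUM` is a plain digest computed over the file by @DIGEST@ with no key or signature, so it detects a truncated or mangled download and nothing more; anyone able to modify the file in transit or on disk can recompute it. A sentence such as "The checksum only detects accidental corruption; it is not a signature" would stop readers from taking this as a tamper check. Also, the "Unsupported file format version" entry promises that a too-new file means updating audit-packages, but the script as written tells the user to run download-vulnerability-list when the major version matches and only the minor version is newer; fix the script's inner test (`-le` to `-lt`) or phrase this entry in terms of the message the user actually sees.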