diff options
author | dillo <dillo> | 2005-06-07 19:17:01 +0000 |
---|---|---|
committer | dillo <dillo> | 2005-06-07 19:17:01 +0000 |
commit | d4b2fbda5772172f4b919901d30f5292f328f44c (patch) | |
tree | 2449b9685e962f6bca80eaf54d69ce419ed23013 | |
parent | 77f6575300574966197e00d52686fe124b76a0ee (diff) | |
download | pkgsrc-d4b2fbda5772172f4b919901d30f5292f328f44c.tar.gz |
Add a file format version to pkg-vulnerabilities, and check for
its compatiblity. Bump version to 1.35
Done during the freeze to have the support on the branch.
Okayed by wiz.
-rw-r--r-- | security/audit-packages/Makefile | 4 | ||||
-rwxr-xr-x | security/audit-packages/files/audit-packages | 48 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.0 | 102 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.8 | 39 |
4 files changed, 145 insertions, 48 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile index 883436aba9a..6b0aacaacd0 100644 --- a/security/audit-packages/Makefile +++ b/security/audit-packages/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.54 2005/05/21 16:36:37 dillo Exp $ +# $NetBSD: Makefile,v 1.55 2005/06/07 19:17:01 dillo Exp $ -DISTNAME= audit-packages-1.34 +DISTNAME= audit-packages-1.35 CATEGORIES= security pkgtools MASTER_SITES= # empty DISTFILES= # empty diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages index 8010ff1ace1..297eec73fd4 100755 --- a/security/audit-packages/files/audit-packages +++ b/security/audit-packages/files/audit-packages @@ -1,6 +1,6 @@ #! @SH@ # -# $NetBSD: audit-packages,v 1.18 2005/05/21 16:36:37 dillo Exp $ +# $NetBSD: audit-packages,v 1.19 2005/06/07 19:17:01 dillo Exp $ # # Copyright (c) 2000-2003 Alistair Crooks. All rights reserved. # @@ -33,8 +33,14 @@ # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # +ERR_DOWNLOAD="Please run download-vulnerability-list" +ERR_UPGRADE="Please upgrade audit-packages to the newest version" + : ${PKGVULNDIR=@PKGVULNDIR@} +FORMAT_MAJOR=1 +FORMAT_MINOR=0 + if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf" . @PKG_SYSCONFDIR@/audit-packages.conf @@ -53,7 +59,11 @@ done errmsg="" # check for missing vulnerabilities file -[ ! -f "$vuls" ] && errmsg="** Missing $vuls" +if [ ! -f "$vuls" ] +then + errmsg="Missing vulnerabilities file $vuls" + errsolution="$ERR_DOWNLOAD" +fi case "$errmsg" in "") # check for old vulnerabilities file if we're being verbose @@ -65,18 +75,42 @@ case "$errmsg" in esac case "$errmsg" in +"") # check format version of vulnerabilities file + file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\."); print a[1] }' "$vuls"` + file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\."); print a[2] }' "$vuls"` + if [ "x$file_major" = "x" -o "x$file_minor" = "x" ] + then + errmsg="No file format version found in $vuls" + errsolution="$ERR_DOWNLOAD" + elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ] + then + errmsg="Unsupported file format version $file_major.$file_minor in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR)." + if [ "$file_major" -le "$FORMAT_MAJOR" ] + then + errsolution="$ERR_DOWNLOAD" + else + errsolution="$ERR_UPGRADE" + fi + fi + ;; +esac + +case "$errmsg" in "") # check integrity of vulnerabilities file recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' "$vuls"` recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' "$vuls"` case "$recordedsum" in - "") errmsg="***WARNING*** No checksum found in $vuls" + "") errmsg="No checksum found in $vuls" + errsolution="$ERR_DOWNLOAD" ;; *) case "$recordedalg" in - "") errmsg="***WARNING*** No checksum algorithm found in $vuls file" + "") errmsg="No checksum algorithm found in $vuls file" + errsolution="$ERR_DOWNLOAD" ;; *) calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' "$vuls" | @DIGEST@ "$recordedalg"` if [ "$recordedsum" != "$calcsum" ]; then - errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\"" + errmsg="Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\"" + errsolution="$ERR_DOWNLOAD" fi ;; esac @@ -88,8 +122,8 @@ esac # if we have found an error, then complain and exit case "$errmsg" in "") ;; -*) echo "$errmsg" 1>&2 - echo "** Please run download-vulnerability-list" 1>&2 +*) echo "***ERROR*** $errmsg" 1>&2 + echo "** $errsolution" 1>&2 exit 1 ;; esac diff --git a/security/audit-packages/files/audit-packages.0 b/security/audit-packages/files/audit-packages.0 index 7e035259687..025782aa1b6 100644 --- a/security/audit-packages/files/audit-packages.0 +++ b/security/audit-packages/files/audit-packages.0 @@ -1,7 +1,7 @@ AUDIT-PACKAGES(8) NetBSD System Manager's Manual AUDIT-PACKAGES(8) NNAAMMEE - aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt - show vulnerabilities in + aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in installed packages SSYYNNOOPPSSIISS @@ -25,40 +25,40 @@ DDEESSCCRRIIPPTTIIOONN Each line lists the package and vulnerable versions, the type of exploit, and an Internet address for further information. The type of exploit can be any text, although some common types of exploits listed are: - ++oo cross-site-html - ++oo cross-site-scripting - ++oo denial-of-service - ++oo file-permissions - ++oo local-access - ++oo local-code-execution - ++oo local-file-read - ++oo local-file-removal - ++oo local-file-write - ++oo local-root-file-view - ++oo local-root-shell - ++oo local-symlink-race - ++oo local-user-file-view - ++oo local-user-shell - ++oo privacy-leak - ++oo remote-code-execution - ++oo remote-command-inject - ++oo remote-file-creation - ++oo remote-file-read - ++oo remote-file-view - ++oo remote-file-write - ++oo remote-key-theft - ++oo remote-root-access - ++oo remote-root-shell - ++oo remote-script-inject - ++oo remote-server-admin - ++oo remote-use-of-secret - ++oo remote-user-access - ++oo remote-user-file-view - ++oo remote-user-shell - ++oo unknown - ++oo weak-authentication - ++oo weak-encryption - ++oo weak-ssl-authentication + ·· cross-site-html + ·· cross-site-scripting + ·· denial-of-service + ·· file-permissions + ·· local-access + ·· local-code-execution + ·· local-file-read + ·· local-file-removal + ·· local-file-write + ·· local-root-file-view + ·· local-root-shell + ·· local-symlink-race + ·· local-user-file-view + ·· local-user-shell + ·· privacy-leak + ·· remote-code-execution + ·· remote-command-inject + ·· remote-file-creation + ·· remote-file-read + ·· remote-file-view + ·· remote-file-write + ·· remote-key-theft + ·· remote-root-access + ·· remote-root-shell + ·· remote-script-inject + ·· remote-server-admin + ·· remote-use-of-secret + ·· remote-user-access + ·· remote-user-file-view + ·· remote-user-shell + ·· unknown + ·· weak-authentication + ·· weak-encryption + ·· weak-ssl-authentication By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc- tory. This can be changed by defining the environment variable @@ -88,6 +88,36 @@ EEXXAAMMPPLLEESS export FETCH_ARGS="-4" +DDIIAAGGNNOOSSTTIICCSS + The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs. + + The following errors can occur: + + Checksum mismatch + The vulnerabilities file is corrupted. Run + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. + + Missing vulnerabilities file + The vulnerabilities file could not be found. Run + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. + + No checksum algorithm found + The vulnerabilities file is too old or incomplete. Run + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. + + No checksum found + The vulnerabilities file is too old or incomplete. Run + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. + + No file format version found + The vulnerabilities file is too old or incomplete. Run + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. + + Unsupported file format version + The vulnerabilities file is too old or too new. If it's too + old, run ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. If it's too new, + update the aauuddiitt--ppaacckkaaggeess package. + SSEEEE AALLSSOO pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/bsd.pkg.defaults.mk and @@ -100,4 +130,4 @@ HHIISSTTOORRYY September 19, 2000. The original idea came from Roland Dowdeswell and Bill Sommerfeld. -NetBSD 2.0 May 12, 2004 NetBSD 2.0 +NetBSD 3.0 May 27, 2005 NetBSD 3.0 diff --git a/security/audit-packages/files/audit-packages.8 b/security/audit-packages/files/audit-packages.8 index 5a9c31c344f..17c8477a403 100644 --- a/security/audit-packages/files/audit-packages.8 +++ b/security/audit-packages/files/audit-packages.8 @@ -1,5 +1,6 @@ -.\" $NetBSD: audit-packages.8,v 1.9 2005/05/07 22:15:25 wiz Exp $ -.Dd May 12, 2004 +.\" $NetBSD: audit-packages.8,v 1.10 2005/06/07 19:17:01 dillo Exp $ +.\" XXX: License? +.Dd May 27, 2005 .Os .Dt AUDIT-PACKAGES 8 .Sh NAME @@ -135,7 +136,6 @@ Specifies optional arguments for the ftp client. @PKGVULNDIR@/pkg-vulnerabilities .Pp @PKG_SYSCONFDIR@/audit-packages.conf -.\" .Sh EXAMPLES .Sh EXAMPLES The .Nm download-vulnerability-list @@ -159,6 +159,39 @@ command can be forced to use IPv4 with the following setting in @PKG_SYSCONFDIR@/audit-packages.conf : .Pp export FETCH_ARGS="-4" +.Sh DIAGNOSTICS +.Ex -std audit-packages +.Pp +The following errors can occur: +.Bl -tag -width 10n +.It Checksum mismatch +The vulnerabilities file is corrupted. +Run +.Nm download-vulnerability-list . +.It Missing vulnerabilities file +The vulnerabilities file could not be found. +Run +.Nm download-vulnerability-list . +.It \&No checksum algorithm found +The vulnerabilities file is too old or incomplete. +Run +.Nm download-vulnerability-list . +.It \&No checksum found +The vulnerabilities file is too old or incomplete. +Run +.Nm download-vulnerability-list . +.It \&No file format version found +The vulnerabilities file is too old or incomplete. +Run +.Nm download-vulnerability-list . +.It Unsupported file format version +The vulnerabilities file is too old or too new. +If it's too old, run +.Nm download-vulnerability-list . +If it's too new, update the +.Nm audit-packages +package. +.El .Sh SEE ALSO .Xr pkg_info 1 , .Xr mk.conf 5 , |