author | adrianp <adrianp@pkgsrc.org> | 2007-07-14 20:17:06 +0000 |
---|---|---|
committer | adrianp <adrianp@pkgsrc.org> | 2007-07-14 20:17:06 +0000 |
commit | 16b215dd7e202d492e64be305a4107c20d6f03b0 (patch) | |
tree | 8b9df8809682fba4ae922cacdd2b847235f10c39 | |
parent | 874717c9d3c96a77322220a6dbedb676a7d71649 (diff) | |
download | pkgsrc-16b215dd7e202d492e64be305a4107c20d6f03b0.tar.gz |
Update to pkg_install-20070714
Merge of audit-packages with various improvements:
* Version 20070714
Initial release of re-write in C
Add support for notification of eol packages (-e)
Multiple levels of verbosity (e.g. -v -v)
Specify a custom config file to use (-c)
Query running config values (-Q)
Default to download .gz compress pkg-vulnerabilities file
Support for .bz2 compress pkg-vulnerabilities file
Verify signature on downloaded files (-s)
Thanks to tron@, jschauma@, agc@, joerg@ and pkgsrc-security@ for feedback
and testing.
20 files changed, 2841 insertions, 10 deletions
diff --git a/pkgtools/pkg_install/MESSAGE b/pkgtools/pkg_install/MESSAGE
new file mode 100644
index 00000000000..0a841e623ca
--- /dev/null
+++ b/pkgtools/pkg_install/MESSAGE
@@ -0,0 +1,42 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1 2007/07/14 20:17:06 adrianp Exp $
+
+You may wish to have the vulnerabilities file downloaded daily so that
+it remains current. This may be done by adding an appropriate entry
+to a users crontab(5) entry. For example the entry
+
+# download vulnerabilities file
+0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
+
+will update the vulnerability list every day at 3AM. You may wish to do
+this more often than once a day.
+
+In addition, you may wish to run the package audit from the daily
+security script. This may be accomplished by adding the following
+lines to /etc/security.local
+
+if [ -x ${PREFIX}/sbin/audit-packages ]; then
+ ${PREFIX}/sbin/audit-packages
+fi
+
+Alternatively this can also be acomplished by adding an entry to a users
+crontab(5) file. e.g.:
+
+# run audit-packages
+0 3 * * * ${PREFIX}/sbin/audit-packages
+
+audit-packages and/or download-vulnerability-list need not be run by
+the root user. They will function as an unpriveleged user just so
+long as the user chosen has permmission to write the pkg-vulnerabilites
+to ${PKGVULNDIR}.
+
+A sample audit-packages.conf has been installed to:
+
+ ${EGDIR}/audit-packages.conf
+
+You may want to customise this file and copy it to /etc/audit-packages.conf.
+If you want to use signature verification you will need to install GnuPG and
+set the path for GPG appropriately in your audit-packages.conf. See
+audit-packages.conf(5) and audit-packages(8) for further information.
+
+===========================================================================
diff --git a/pkgtools/pkg_install/Makefile b/pkgtools/pkg_install/Makefile
index 635861d4a0e..b8243fa802b 100644
--- a/pkgtools/pkg_install/Makefile
+++ b/pkgtools/pkg_install/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.131 2007/07/10 15:19:18 joerg Exp $
+# $NetBSD: Makefile,v 1.132 2007/07/14 20:17:06 adrianp Exp $
 # Notes to package maintainers:
 #
@@ -17,13 +17,15 @@ MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.pkgsrc.org/
 COMMENT= Package management and administration tools for pkgsrc
+CONFLICTS+= audit-packages-[0-9]*
+
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS+= --with-pkgdbdir=${PKG_DBDIR:Q}
 CONFIGURE_ARGS+= --with-ftp="\"${FETCH_CMD}"\"
 CONFIGURE_ARGS+= --with-mtree="\"${MTREE}"\"
 CONFIGURE_ARGS+= --with-pax="\"${PAX}"\"
 CONFIGURE_ARGS+= --with-tar="\"${TAR}"\"
-USE_TOOLS+= mtree pax tar
+USE_TOOLS+= mtree pax tar gzcat
 # The following tools are needed by pkg_view and linkfarm.
 USE_TOOLS+= chmod cmp cp env find grep ln mkdir rm rmdir \
@@ -48,6 +50,8 @@ USE_NATIVE_GCC= yes
 PKG_DELETE= ${WRKSRC}/delete/pkg_delete
 CPPFLAGS+= -DDEF_UMASK=${DEF_UMASK}
+CPPFLAGS+= -DPREFIX="\"${PREFIX}\""
+CPPFLAGS+= -DSYSCONFDIR="\"${PKG_SYSCONFDIR}\""
 MAKE_ENV+= MACHINE_ARCH=${MACHINE_ARCH:Q}
 MAKE_ENV+= OPSYS=${OPSYS:Q}
@@ -55,6 +59,7 @@ MAKE_ENV+= OPSYS=${OPSYS:Q}
 PKG_DBDIR?= /var/db/pkg
 PKG_INFO= PKG_DBDIR=${PKG_DBDIR:Q} ${PKG_INFO_CMD}
 PKG_ADMIN= PKG_DBDIR=${PKG_DBDIR:Q} ${PKG_ADMIN_CMD}
+EGDIR= ${PREFIX}/share/examples/pkg_install
 PLIST_SUBST+= PKG_DBDIR=${PKG_DBDIR:Q}
@@ -63,12 +68,32 @@ INSTALL_SRC= ${PKGDIR}/INSTALL
 FILES_SUBST+= PKG_DBDIR=${PKG_DBDIR:Q} \
 PKG_TOOLS_BIN=${PKG_TOOLS_BIN:Q} \
 MKDIR=${MKDIR:Q}
+MESSAGE_SUBST+= PKGVULNDIR=${PKG_DBDIR:Q} \
+ EGDIR=${EGDIR:Q}
 .include "../../mk/bsd.prefs.mk"
 VERSION!= ${AWK} -F '"' '/PKGTOOLS_VERSION/ {print $$2}' \
 ${FILESDIR}/lib/version.h
+# Make sure download-vulnerability-list.sh picks up the right tools
+# in the right directories.
+#
+SUBST_CLASSES= paths
+SUBST_STAGE.paths= pre-configure
+SUBST_MESSAGE.paths= Fixing paths in scripts.
+SUBST_FILES.paths= audit-packages/download-vulnerability-list.sh.in
+SUBST_FILES.paths+= audit-packages/audit-packages.1.in
+SUBST_FILES.paths+= audit-packages/audit-packages.cat1.in
+SUBST_FILES.paths+= audit-packages/audit-packages.conf.5.in
+SUBST_FILES.paths+= audit-packages/audit-packages.conf.cat5.in
+SUBST_FILES.paths+= audit-packages/audit-packages.conf.in
+SUBST_FILES.paths+= audit-packages/download-vulnerability-list.1.in
+SUBST_FILES.paths+= audit-packages/download-vulnerability-list.cat1.in
+SUBST_SED.paths= -e 's,@gzcat@,${GZCAT},g'
+SUBST_SED.paths+= -e 's,@sysconfdir@,${PKG_SYSCONFDIR},g'
+SUBST_SED.paths+= -e 's,@prefix@/bin/gpg,${PREFIX}/bin/gpg,g'
+
 do-extract:
 @${CP} -R ${FILESDIR} ${WRKSRC}
diff --git a/pkgtools/pkg_install/PLIST b/pkgtools/pkg_install/PLIST
index ed567251ddd..1c84fd1356c 100644
--- a/pkgtools/pkg_install/PLIST
+++ b/pkgtools/pkg_install/PLIST
@@ -1,4 +1,6 @@
-@comment $NetBSD: PLIST,v 1.8 2006/04/24 13:52:04 dillo Exp $
+@comment $NetBSD: PLIST,v 1.9 2007/07/14 20:17:06 adrianp Exp $
+man/cat1/audit-packages.0
+man/cat1/download-vulnerability-list.0
 man/cat1/linkfarm.0
 man/cat1/pkg_add.0
 man/cat1/pkg_admin.0
@@ -6,7 +8,10 @@ man/cat1/pkg_create.0
 man/cat1/pkg_delete.0
 man/cat1/pkg_info.0
 man/cat1/pkg_view.0
+man/cat5/audit-packages.conf.0
 man/cat5/pkg_summary.0
+man/man1/audit-packages.1
+man/man1/download-vulnerability-list.1
 man/man1/linkfarm.1
 man/man1/pkg_add.1
 man/man1/pkg_admin.1
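Review bot: `SUBST_CLASSES= paths` in the new SUBST block assigns with `=` rather than appending, so any SUBST class defined by a file included before this point would be silently dropped; the pkgsrc convention (and what pkglint checks for) is `SUBST_CLASSES+= paths`. The rest of the block already uses `+=` consistently for `SUBST_FILES.paths` and `SUBST_SED.paths`, so this looks like an oversight rather than intent. Note also that `SUBST_SED.paths` rewrites only `@gzcat@`, `@sysconfdir@` and the `@prefix@/bin/gpg` path, so the gpg binary used for signature verification is fixed at `${PREFIX}/bin/gpg` at build time; a one-line comment saying that the other `@…@` markers are left for configure would make that split of responsibilities clear to the next maintainer.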
@@ -14,7 +19,10 @@ man/man1/pkg_create.1
 man/man1/pkg_delete.1
 man/man1/pkg_info.1
 man/man1/pkg_view.1
+man/man5/audit-packages.conf.5
 man/man5/pkg_summary.5
+sbin/audit-packages
+sbin/download-vulnerability-list
 sbin/linkfarm
 sbin/pkg_add
 sbin/pkg_admin
@@ -22,3 +30,4 @@ sbin/pkg_create
 sbin/pkg_delete
 sbin/pkg_info
 sbin/pkg_view
+share/examples/pkg_install/audit-packages.conf
diff --git a/pkgtools/pkg_install/files/Makefile.in b/pkgtools/pkg_install/files/Makefile.in
index 76d65266f0c..95eb89191b5 100644
--- a/pkgtools/pkg_install/files/Makefile.in
+++ b/pkgtools/pkg_install/files/Makefile.in
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile.in,v 1.6 2004/08/31 17:40:41 jlam Exp $
+# $NetBSD: Makefile.in,v 1.7 2007/07/14 20:17:06 adrianp Exp $
-SUBDIRS= lib add admin create delete info view
+SUBDIRS= lib add admin create delete info view audit-packages
 all:
 @for dir in $(SUBDIRS); do \
diff --git a/pkgtools/pkg_install/files/README b/pkgtools/pkg_install/files/README
index ef70fdf33f3..50ecf4b1a9b 100644
--- a/pkgtools/pkg_install/files/README
+++ b/pkgtools/pkg_install/files/README
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2005/05/30 13:23:31 wiz Exp $
+# $NetBSD: README,v 1.8 2007/07/14 20:17:07 adrianp Exp $
 # Original from FreeBSD, no rcs id.
 This is the pkg_install suite of tools for doing maintainance of
@@ -12,7 +12,8 @@ of dozen features on top. Whee! :-)
 In another round of enhancements, NetBSD changes were added by
 Alistair Crooks, Hubert Feyrer, Thorsten Frueauf, Rene Hexel,
-Christian E. Hopps, Thomas Klausner, Johnny Lam, and Matthias Scheler.
+Christian E. Hopps, Thomas Klausner, Johnny Lam, Matthias Scheler and
+Adrian Portelli.
 When making snapshots, please modify PKGTOOLS_VERSION in lib/version.h
 to that day's date.
diff --git a/pkgtools/pkg_install/files/audit-packages/AUTHORS b/pkgtools/pkg_install/files/audit-packages/AUTHORS
new file mode 100644
index 00000000000..f8cf8bc04ae
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/AUTHORS
@@ -0,0 +1,11 @@
+# $NetBSD: AUTHORS,v 1.1 2007/07/14 20:17:08 adrianp Exp $
+
+* The functions that deal with finding packages such as fixpkgname()
+ foundpkg() and checkforpkg() were taken from the pkg_install
+ set of tools. Authors for this include Jordan Hubbard, John Kohl,
+ Alistair Crooks, Hubert Feyrer, Thorsten Frueauf, Rene Hexel,
+ Christian E. Hopps, Thomas Klausner, Johnny Lam, and Matthias Scheler.
+
+* This is basically a re-write in C of the audit-packages tool
+ by Adrian Portelli (adrianp@NetBSD.org). The tool was originally
+ authored by Alistair G. Crooks (agc@NetBSD.org).
diff --git a/pkgtools/pkg_install/files/audit-packages/COPYING b/pkgtools/pkg_install/files/audit-packages/COPYING
new file mode 100644
index 00000000000..06166a71426
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/COPYING
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2007 Adrian Portelli <adrianp@NetBSD.org>.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * 3. Neither the name of author(s) nor the names of its contributors
+ * may be used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
diff --git a/pkgtools/pkg_install/files/audit-packages/Makefile.in b/pkgtools/pkg_install/files/audit-packages/Makefile.in
new file mode 100644
index 00000000000..724bd1ca373
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/Makefile.in
@@ -0,0 +1,85 @@
+# $NetBSD: Makefile.in,v 1.1 2007/07/14 20:17:08 adrianp Exp $
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+sbindir = @sbindir@
+mandir = @mandir@
+pprefix = @prefix@
+
+pkgdbdir = @pkgdbdir@
+sysconfdir = @sysconfdir@
+
+man5dir = $(mandir)/man5
+man1dir = $(mandir)/man1
+cat5dir = $(mandir)/cat5
+cat1dir = $(mandir)/cat1
+sharedir = $(prefix)/share/examples/pkg_install
+
+do_subst = sed -e 's,_pkgdbdir_,$(pkgdbdir),g' \
+ -e 's,_sysconfdir_,$(sysconfdir),g' \
+ -e 's,_prefix_,$(prefix),g' \
+ -e 's,_pprefix_,$(pprefix),g' \
+ -e 's,_ftp_,@ftp@,g' \
+ -e 's,_gzcat_,@gzcat@,g'
+
+CC = @CC@
+CCLD= $(CC)
+LIBS= -linstall @LIBS@
+CPPFLAGS= @CPPFLAGS@ -DHOST=\"$(CANONICAL_HOST)\" -DPKGSRC -I. -I../lib
+DEFS= @DEFS@
+CFLAGS= @CFLAGS@ -Wall
+LDFLAGS= @LDFLAGS@ -L../lib
+SUBST_FILES= audit-packages.1 download-vulnerability-list.1 audit-packages.conf audit-packages.conf.5 audit-packages.conf.cat5
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+CANONICAL_HOST = @CANONICAL_HOST@
+
+LINK= $(CCLD) $(CFLAGS) $(LDFLAGS) -o $@
+COMPILE= $(CC) $(DEFS) $(CPPFLAGS) $(CFLAGS)
+
+audit-packages_OBJS = audit-packages.o
+
+.c.o:
+ $(COMPILE) -c $< -o $@
+
+all: audit-packages
+
+audit-packages: $(audit-packages_OBJS)
+ $(LINK) $(audit-packages_OBJS) $(LIBS)
+
+subst:
+ @list='$(SUBST_FILES)'; for f in $$list; do \
+ $(do_subst) $$f > $$f.tmp; \
+ rm $$f; mv $$f.tmp $$f; \
+ done
+
+clean:
+ rm -f *.o audit-packages
+
+install:
+ $(INSTALL) -m 755 -d $(sbindir)
+ $(INSTALL) -m 755 -d $(man1dir)
+ $(INSTALL) -m 755 -d $(man5dir)
+ $(INSTALL) -m 755 -d $(cat1dir)
+ $(INSTALL) -m 755 -d $(cat5dir)
+ $(INSTALL) -m 755 -d $(sharedir)
+
+ $(INSTALL_PROGRAM) audit-packages $(DESTDIR)$(sbindir)/audit-packages
+ $(INSTALL_SCRIPT) download-vulnerability-list.sh \
+ $(DESTDIR)$(sbindir)/download-vulnerability-list
+ $(INSTALL_DATA) audit-packages.conf \
+ $(DESTDIR)$(sharedir)/audit-packages.conf
+ $(INSTALL_DATA) audit-packages.1 $(DESTDIR)$(man1dir)/audit-packages.1
+ $(INSTALL_DATA) audit-packages.cat1 \
+ $(DESTDIR)$(cat1dir)/audit-packages.0
+ $(INSTALL_DATA) audit-packages.conf.5 \
+ $(DESTDIR)$(man5dir)/audit-packages.conf.5
+ $(INSTALL_DATA) audit-packages.conf.cat5 \
+ $(DESTDIR)$(cat5dir)/audit-packages.conf.0
+ $(INSTALL_DATA) download-vulnerability-list.1 \
+ $(DESTDIR)$(man1dir)/download-vulnerability-list.1
+ $(INSTALL_DATA) download-vulnerability-list.cat1 \
+ $(DESTDIR)$(cat1dir)/download-vulnerability-list.0
diff --git a/pkgtools/pkg_install/files/audit-packages/README b/pkgtools/pkg_install/files/audit-packages/README
new file mode 100644
index 00000000000..d1fd769acc1
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/README
@@ -0,0 +1,5 @@
+# $NetBSD: README,v 1.1 2007/07/14 20:17:08 adrianp Exp $
+
+audit-packages, an easy way to audit the current machine, checking
+for each vulnerability listed by the security officer. If a vulnerable
+package is installed, it will be shown by output to stdout.
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.1.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.1.in
new file mode 100644
index 00000000000..06ea4fa958c
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.1.in
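Review bot: The six `$(INSTALL) -m 755 -d` lines at the top of the `install` target create `$(sbindir)`, `$(man1dir)`, `$(man5dir)`, `$(cat1dir)`, `$(cat5dir)` and `$(sharedir)` without the `$(DESTDIR)` prefix, while every copy below them writes to `$(DESTDIR)$(sbindir)` and friends; under a staged install the directories are therefore created on the live system and the copies into the staging tree fail if they do not already exist there. Prefixing each with `$(DESTDIR)` keeps the recipe inside the staging root. The `subst` target has a related robustness gap: `$(do_subst) $$f > $$f.tmp; rm $$f; mv $$f.tmp $$f` removes the original even when sed fails, so `$(do_subst) $$f > $$f.tmp && mv -f $$f.tmp $$f || exit 1;` would be safer. `all`, `subst`, `clean` and `install` are command targets and should be declared with `.PHONY: all subst clean install` so a stray file of that name cannot shadow them.
```make
install:
	$(INSTALL) -m 755 -d $(DESTDIR)$(sbindir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(man1dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(man5dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(cat1dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(cat5dir)
	$(INSTALL) -m 755 -d $(DESTDIR)$(sharedir)
# … unchanged: $(INSTALL_PROGRAM) / $(INSTALL_SCRIPT) / $(INSTALL_DATA) copies …
```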
@@ -0,0 +1,336 @@ +.\" $NetBSD: audit-packages.1.in,v 1.1 2007/07/14 20:17:08 adrianp Exp $ +.\" +.\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by Jeremy C. Reed +.\" for the NetBSD project. +.\" 4. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS +.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.Dd July 07, 2007 +.Os +.Dt AUDIT-PACKAGES 1 +.Sh NAME +.Nm audit-packages , +.Nm download-vulnerability-list +.Nd show vulnerabilities in installed packages +.Sh SYNOPSIS +.Nm +.Op Fl desVv +.Op Fl c Ar config_file +.Op Fl g Ar file +.Op Fl h Ar file +.Op Fl K Ar pkg_dbdir +.Op Fl n Ar package +.Op Fl p Ar package +.Op Fl Q Ar varname +.Op Fl t Ar type +.Nm download-vulnerability-list +.Op Fl hs +.Op Fl c Ar config_file +.Sh DESCRIPTION +The +.Nm +program compares the installed packages with the +.Pa pkg-vulnerabilities +file and reports any known security issues to standard output. +This output contains the name and version of the package, the +type of vulnerability, and an URL for further information for each +vulnerable package. +.Pp +The following flags are supported: +.Bl -tag -width Ar +.It Fl d +Attempt to download the vulnerabilities +file using the +.Pa download-vulnerability-list +script before scanning the installed packages for vulnerabilities. +.It Fl e +Check for end-of-life (eol) packages. +.It Fl s +Verify the signature of the current +.Pa pkg-vulnerabilities +file. The key used to sign the file is available from: +.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc +.Pp +In order for this to function correctly the above key must be +added to the gpg keyring of the user who runs +.Pa audit-packages -s +and/or +.Pa download-vulnerability-list -s . +In addition to this the gpg binary must be installed on your system. +The path to the gpg binary can be set in +.Xr audit-packages.conf 5 . +.Pp +The requirement for GnuPG may go away in the future when a suitable +replacement is implemented. +.It Fl V +Display the version number and exit. +.It Fl v +Be more verbose. Specify multiple -v flags to increase verbosity. +Currently a maximum level of three is supported. +.It Fl c Ar conf_file +Specify a custom +.Ar conf_file +configuration file to use. +.It Fl g Ar file +Compute the SHA512 hash on +.Ar file . 
+.It Fl h Ar file +Check the SHA512 hash of a +.Ar file +against the internally stored value. +.It Fl K Ar pkg_dbdir +Use package database directory +.Ar pkg_dbdir . +.It Fl n Ar package +Check only the package +.Ar package +for vulnerabilities. +.It Fl p Ar package +Check only the installed package +.Ar package +for vulnerabilities. +.It Fl Q Ar varname +Display the current value of +.Ar varname +and exit. Currently supported +.Ar varname +are GPG, PKGVULNDIR and IGNORE_URLS. +.It Fl t Ar type +Only check for the specified +.Ar type +of vulnerability. +.El +.Pp +The +.Nm download-vulnerability-list +program downloads the +.Pa pkg-vulnerabilities +file from +.Pa ftp.NetBSD.org +using +.Xr ftp 1 +by default. This vulnerabilities file documents all known security issues in +pkgsrc packages and is kept up-to-date by the +.Nx +pkgsrc-security team. +.Pp +The following flags are supported: +.Bl -tag -width Ar +.It Fl h +Display program usage. +.It Fl s +Verify the signature of the current +.Pa pkg-vulnerabilities +file. In order for this to function correctly you will need to add the +pkgsrc Security Team key to your gpg keyring and trust it. The key is +available from: +.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc +In addition to this the gpg binary must be installed on your system. +The path to the gpg binary can be set in +.Xr audit-packages.conf 5 . +.It Fl c Ar conf_file +Specify a custom +.Ar conf_file +configuration file to use. +.El +.Pp +By default +.Nm download-vulnerability-list +will download a compressed version of +.Pa pkg-vulnerabilities +from ftp.netbsd.org. The default file downloaded is compressed using +.Xr gzip 1 . +The compression tool used can set in +.Xr audit-packages.conf 5 . +Currently only +.Xr gzcat 1 +and +.Xr bzcat 1 +are supported. 
+.Pp +Each line lists the package and vulnerable versions, the type of exploit, +and an Internet address for further information: +.Bl -item +.It +.Aq package pattern +.Aq type +.Aq url +.El +.Pp +The type of exploit can be any text, although +some common types of exploits listed are: +.Bl -bullet -compact -offset indent +.It +cross-site-html +.It +cross-site-scripting +.It +denial-of-service +.It +eol +.It +file-permissions +.It +local-access +.It +local-code-execution +.It +local-file-read +.It +local-file-removal +.It +local-file-write +.It +local-root-file-view +.It +local-root-shell +.It +local-symlink-race +.It +local-user-file-view +.It +local-user-shell +.It +privacy-leak +.It +remote-code-execution +.It +remote-command-inject +.It +remote-file-creation +.It +remote-file-read +.It +remote-file-view +.It +remote-file-write +.It +remote-key-theft +.It +remote-root-access +.It +remote-root-shell +.It +remote-script-inject +.It +remote-server-admin +.It +remote-use-of-secret +.It +remote-user-access +.It +remote-user-file-view +.It +remote-user-shell +.It +unknown +.It +weak-authentication +.It +weak-encryption +.It +weak-ssl-authentication +.El +.Pp +The type +.Pa eol +implies that the package is no longer maintained by the software vendor but +is provided by the pkgsrc team for your convenience only. It may contain any +number of the above mentioned vulnerabilities. Any packages of type eol +are not reported by default. Run +.Nm Fl e +to also report on eol packages. +.Pp +By default, the vulnerabilities file is stored in the +PKG_DBDIR +directory. On a standard installation this will be set to @pkgdbdir@. +If you have installed pkgsrc on a supported platform this will be what +ever you specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>. +The path to the +.Pa pkg-vulnerabilities +file can be set in +.Xr audit-packages.conf 5 . 
+.Sh EXIT STATUS +.Ex -std audit-packages +.Sh FILES +@pkgdbdir@/pkg-vulnerabilities +.Pp +@sysconfdir@/audit-packages.conf +.Sh EXAMPLES +The +.Nm download-vulnerability-list +command can be run via +.Xr cron 8 +to update the +.Pa pkg-vulnerabilities +file daily. +And +.Nm +can be run via +.Xr cron 8 +(or with +.Nx Ap s +.Pa /etc/security.local +daily security script). +.Pp +The +.Nm download-vulnerability-list +command can be forced to use IPv4 with the following setting in +@sysconfdir@/audit-packages.conf: +.Pp +FETCH_ARGS="-4" +.Pp +The +.Nm download-vulnerability-list +command can be forced to use http to download the +.Pa pkg-vulnerabilities +file with the following setting in +@sysconfdir@/audit-packages.conf: +.Pp +FETCH_PROTO="http" +.Sh SEE ALSO +.Xr pkg_info 1 , +.Xr audit-packages.conf 5 , +.Xr mk.conf 5 , +.Xr packages 7 , +.%T "Documentation on the NetBSD Package System" +.Sh HISTORY +The +.Nm +and +.Nm download-vulnerability-list +commands were originally implemented and added to +.Nx Ap s +pkgsrc by +.An Alistair Crooks +on September 19, 2000. During April 2007 +.Nm +was re-written by Adrian Portelli +and support was added for compressed files and checking signatures on downloaded +files. +The original idea came from Roland Dowdeswell and Bill Sommerfeld. diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.c b/pkgtools/pkg_install/files/audit-packages/audit-packages.c new file mode 100644 index 00000000000..1058191ae75 --- /dev/null +++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.c 
@@ -0,0 +1,1093 @@ +/* $NetBSD: audit-packages.c,v 1.1 2007/07/14 20:17:08 adrianp Exp $ */ + +/* + * Copyright (c) 2007 Adrian Portelli <adrianp@NetBSD.org>. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * 3. Neither the name of author(s) nor the names of its contributors + * may be used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <limits.h> +#ifdef HAVE_UNISTD_H +#include <unistd.h> +#endif +#include <err.h> +#include <string.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/time.h> + +/* depending where we are being built pull in crypto support */ +#ifdef PKGSRC +#include <nbcompat/sha2.h> +#else +#include <sha2.h> +#endif + +#include "lib.h" + +#ifndef PATH_MAX +# ifdef MAXPATHLEN +# define PATH_MAX MAXPATHLEN +# else +# define PATH_MAX 1024 +# endif +#endif + +/* NetBSD has a special layout as it is included in the base OS */ +#ifdef NETBSD +# define PREFIX "/usr" +# define PKGPREFIX "/usr/pkg" +# define SYSCONFDIR "/etc" +#else +# define PKGPREFIX PREFIX +#endif + +/* macros */ +#define STRIP(c) ((c) == '\n' || (c) == '\'' || (c) == '\"' || \ + (c) == '\t' || (c) == ' ' || (c) == '=') + +/* default for src/ install */ +const char DVL_BIN[] = PREFIX"/sbin/download-vulnerability-list"; +const char EOL_URL[] = "ftp://ftp.NetBSD.org/pub/NetBSD/packages/vulns"; + +const int MSGSIZE = 1024; /* max message size */ +const int MAXLINELEN = 4092; /* max line length */ +const int MAXPKGNAMELEN = 1024; /* max pkg name */ +const int FORMAT[] = {1, 1, 0}; /* file format ver */ +const int MAXVERBOSE = 3; /* max verbosity */ + +/* globals (from config file) */ +char *verify_bin = PKGPREFIX"/bin/gpg"; /* verify bin location */ +char *pvfile = NULL; /* p-v file location */ +char *pvdir = NULL; /* p-v dir location */ +char *ignore = NULL; /* ignore urls */ + +/* globals */ +char *conf_file = SYSCONFDIR"/audit-packages.conf"; /* config file location */ +char *program_name; /* the program name */ +char *pkgname; /* package name in msg */ + +/* program defaults */ +int verbose = 0; /* be quiet */ +Boolean eol = FALSE; /* don't check eol */ + +int main(int, char **); +void *safe_calloc(size_t, size_t); +char *ap_fixpkgname(char *); +static int foundpkg(const char *, void *); +static 
int checkforpkg(char *); +void usage(void); +int dvl(void); +void old_pvfile(void); +void pv_format(FILE *); +char *gen_hash(char *); +char *get_hash(char *); +int check_hash(char *); +int check_sig(char *); +int pv_message(char *[]); +int ap_ignore(char *[]); +void show_info(char *); +void set_pvfile(char *); +char *clean_conf(char *); +int get_confvalues(void); +char *safe_strdup(char *); + +/* + * TODO: + * + * merge download-vulnerability-list(1) + * + */ + +/* + * get the options for what were doing and do the actual processing of + * the pkg-vulnerabilities file + */ +int +main(int argc, char **argv) +{ + char *line_ptr; + char *one_pkg = NULL; + char *one_package = NULL; + char *pkg_type = NULL; + char *pv_token = NULL; + char *line_tmp = NULL; + char *pv_entry[] = {NULL, NULL, NULL}; + char *line = NULL; + char *check_hash_file = NULL; + char *gen_hash_file = NULL; + char *hash_generated = NULL; + char *query_var = NULL; + + int ch, i; + int line_count = 0; + int retval = -1; + int vuln_count = 0; + + Boolean ignore_found = FALSE; + Boolean download = FALSE; + Boolean pkg_installed = FALSE; + Boolean verify_sig = FALSE; + Boolean check_one = FALSE; + Boolean type = FALSE; + Boolean cli_check_hash = FALSE; + Boolean cli_gen_hash = FALSE; + Boolean vuln_found = FALSE; + Boolean info = FALSE; + + FILE *pv; + + program_name = argv[0]; + + setprogname(program_name); + + set_pvfile(_pkgdb_getPKGDB_DIR()); + + opterr = 0; + + while ((ch = getopt(argc, argv, ":dveK:n:h:g:c:p:st:Q:V")) != -1) { + + switch (ch) { + + case 'h': + check_hash_file = optarg; + cli_check_hash = TRUE; + break; + + case 'g': + gen_hash_file = optarg; + cli_gen_hash = TRUE; + break; + + case 'd': + download = TRUE; + break; + + case 'e': + eol = TRUE; + break; + + case 'K': + _pkgdb_setPKGDB_DIR(optarg); + break; + + case 'n': + one_package = optarg; + check_one = TRUE; + pkg_installed = FALSE; + break; + + case 'c': + conf_file = optarg; + break; + + case 'p': + one_package = optarg; + 
check_one = TRUE; + pkg_installed = TRUE; + break; + + case 's': + verify_sig = TRUE; + break; + + case 't': + pkg_type = optarg; + type = TRUE; + break; + + case 'v': + if (verbose <= MAXVERBOSE) + ++verbose; + break; + + case 'Q': + query_var = optarg; + info = TRUE; + break; + + case 'V': + show_version(); + /* not reached */ + + default: + usage(); + break; + } + } + argc -= optind; + argc += optind; + + /* + * generate the hash for a specified file (-g <file>) + * + * this is purely for download-vulnerability-list, users + * should not be directly calling audit-packages with -g <file>. + */ + if (cli_gen_hash == TRUE) { + + hash_generated = gen_hash(gen_hash_file); + fprintf(stdout, "%s\n", hash_generated); + + exit(EXIT_SUCCESS); + } + + /* + * check the hash and/or sig for a specified file + * + * if -h <file> is given then just the hash is checked + * but if -s -f <file> are given then both the hash and the + * sig are checked. this is purely for + * download-vulnerability-list, users should not be directly + * calling audit-packages with -h <file> or -s -h <file>. 
+ */ + if (cli_check_hash == TRUE) { + + retval = check_hash(check_hash_file); + + if (retval != 0) { + exit(EXIT_FAILURE); + } else { + if (verify_sig == TRUE) { + retval = check_sig(check_hash_file); + + if (retval != 0) { + exit(EXIT_FAILURE); + } else { + exit(EXIT_SUCCESS); + } + } else { + exit(EXIT_SUCCESS); + } + } + } + + /* tell the user where we are reading the config file from */ + if (verbose >= 1) + fprintf(stderr, "Reading settings from: %s\n", conf_file); + + /* get the config file values */ + retval = get_confvalues(); + + /* if we found some IGNORE_URLS lines */ + if (ignore != NULL) + ignore_found = TRUE; + + if (verbose >= 2) { + fprintf(stderr, "debug2: Using PKGDB_DIR: %s\n", _pkgdb_getPKGDB_DIR()); + fprintf(stderr, "debug2: Using pkg-vulnerabilities file: %s\n", pvfile); + fprintf(stderr, "debug2: Using verify tool: %s\n", verify_bin); + fprintf(stderr, "debug2: Using ignore directives: %s\n", ignore); + } + + /* now that we have read in the config file we can show the info */ + if (info == TRUE) { + show_info(query_var); + exit(EXIT_SUCCESS); + } + + /* we need to download the file first and check it went ok */ + if (download == TRUE) { + retval = dvl(); + + if (retval != 0) + exit(EXIT_FAILURE); + } + + /* check for an old vulnerabilities file if we're being verbose */ + if ((verbose >= 1) && (download == FALSE)) + old_pvfile(); + + /* open pvfile */ + if ((pv = fopen(pvfile, "r")) == NULL) { + errx(EXIT_FAILURE, "Unable to open: %s", pvfile); + } + + /* check the #FORMAT from the pkg-vulnerabilities file */ + pv_format(pv); + + rewind(pv); + + /* check the hashes */ + retval = check_hash(pvfile); + + if (retval != 0) { + errx(EXIT_FAILURE, "Hash mismatch."); + } else { + if (verbose >= 2) + fprintf(stderr, "debug2: Hash match.\n"); + } + + /* do signature checking - if required */ + if (verify_sig == TRUE) { + retval = check_sig(pvfile); + + if (retval != 0) { + errx(EXIT_FAILURE, "Signature verification failure."); + } + } + + /* + * 
this is for -p: + * (Check a specific installed package for vulnerabilities.) + * we run pkg_info to get the package name into one_pkg + * and to check if it's actually installed. + * + * if we find that it's not installed then just exit silently. + */ + if ((pkg_installed == TRUE) && (check_one == TRUE)) { + if ((checkforpkg(one_package)) == 0) { + if (verbose >= 3) + fprintf(stderr, "debug3: Package found to be installed (-p): %s\n", one_package); + } else { + if (verbose >= 3) + fprintf(stderr, "debug3: Package not found to be installed (-p): %s\n", one_package); + exit(EXIT_SUCCESS); + } + } + + /* + * this is for -n + * Check a specific installed package for vulnerabilities. + * + * here we don't care if it's installed or not. + */ + if ((pkg_installed == FALSE) && (check_one == TRUE)) { + one_pkg = one_package; + pkgname = one_package; + + if (verbose >= 3) + fprintf(stderr, "debug3: Looking for package (-n): %s\n", one_pkg); + } + + line = safe_calloc(MAXLINELEN, sizeof(char)); + rewind(pv); + + while ((line_ptr = fgets(line, MAXLINELEN, pv)) != NULL) { + + ++line_count; + + /* what we're not interested in */ + if ((line[0] == '#') || + (line[0] == '\n') || + (strncmp(line, "-----BEGIN", 10) == 0) || + (strncmp(line, "Hash:", 5) == 0)) + continue; + + /* effective EOF */ + if (strncmp(line, "Version:", 8) == 0) + break; + + i = 0; + + line_tmp = safe_strdup(line); + + if (line_tmp[strlen(line_tmp) - 1] == '\n') + line_tmp[strlen(line_tmp) - 1] = ' '; + + do { + pv_token = strsep(&line_tmp, " \t"); + + /* + * pv_entry[0] = pattern + * pv_entry[1] = type + * pv_entry[2] = URL + */ + + /* loop processing all tokens into pv_entry[] */ + if ((pv_token != NULL) && + (pv_token[0] != '\0') && + (pv_token[0] != ' ')) { + /* three tokens make a valid entry */ + pv_entry[i] = pv_token; + ++i; + } + } while ((pv_token != NULL) && (i <= 2)); + + /* look for invalid (short) entries */ + if (i < 3) { + errx(EXIT_FAILURE, "Invalid pkg-vulnerabilities entry rejected on line 
%i.", line_count); + } + + /* if doing type checking, ignore what we don't want to see */ + if (type == TRUE) { + if (strcmp(pv_entry[1], pkg_type) != 0) + continue; + } + + /* deal with URLs that we're ignorning */ + if (ignore_found == TRUE) { + retval = ap_ignore(pv_entry); + + /* if we got an ignore hit then stop here */ + if (retval == 1) + continue; + } + + if (check_one == TRUE) { + + /* + * if we're checking for just one package (i.e. + * check_one) regardless if it's installed or not + * (i.e. -n and -p) then use pmatch + * to see if we have a hit using pattern + * matching. + */ + + if ((pmatch(pv_entry[0], one_package)) == 1) { + + /* flag to indicate we have found something */ + vuln_found = TRUE; + } + + } else { + + /* + * if we're not checking for a specific package + * then run checkforpkg to see if the + * pattern in pv_entry[0] is installed. + */ + + if ((checkforpkg(pv_entry[0])) == 0) { + + /* flag to indicate we have found something */ + vuln_found = TRUE; + } + } + + /* display the messages for all the vulnerable packages seen */ + if (vuln_found == TRUE) { + + /* EOL or vulnerable message and increment the count */ + retval = pv_message(pv_entry); + vuln_count = vuln_count + retval; + + /* reset the found flag */ + vuln_found = FALSE; + } + } + + /* bail if ferror is set */ + if (ferror(pv) != 0) { + errx(EXIT_FAILURE, "Unable to read specified pkg-vulnerabilities file: %s", pvfile); + } + + fclose(pv); + + free(line); + + if ((verbose >= 1) && (vuln_count == 0)) + fprintf(stderr, "No vulnerable packages found.\n"); + + if (vuln_count == 0) { + return EXIT_SUCCESS; + } else { + return EXIT_FAILURE; + } +} + +/* wrap calloc in some common error checking */ +void * +safe_calloc(size_t number, size_t size) +{ + void *ptr; + + ptr = calloc(number, size); + + if (ptr == NULL) { + errx(EXIT_FAILURE, "Unable to allocate memory at line: %d.", __LINE__); + } + + return ptr; +} + +/* fix a pkgname by removing a directory prefix (if any) */ +char * 
+ap_fixpkgname(char *fixpkgname) +{ + char *tmppkgname = NULL; + char *retval = NULL; + + retval = safe_calloc(MAXPKGNAMELEN, sizeof(char)); + + /* get the last separator */ + tmppkgname = strrchr(fixpkgname, '/'); + + /* if there's no separator present then we assume the name is ok */ + if (tmppkgname == NULL) { + retval = fixpkgname; + } else { + /* strrchr will leave the first separator still in the string */ + if (tmppkgname[0] == '/') + strlcpy(retval, &tmppkgname[1], MAXPKGNAMELEN); + } + + return retval; +} + +/* clean a valid line from the configuration file */ +char * +clean_conf(char *conf_line) +{ + int i = 0; + char *token = NULL; + char *cp; + + if (((cp = strchr(conf_line, '\n')) == NULL) || + ((cp = strchr(conf_line, '=')) == NULL)) { + /* no newline or no '=' */ + errx(EXIT_FAILURE, "Malformed entry in audit-packages.conf file."); + } + + /* split the line up and get what we need */ + token = strchr(conf_line, '='); + + /* remove any leading characters we don't want */ + while (STRIP(*token)) { + token++; + } + + /* remove any trailing characters we don't want */ + for (i = (strlen(token) - 1); i > 0; --i) { + if (STRIP(token[i])) { + token[i] = '\0'; + } else { + i = 0; + } + } + + return token; +} + +/* read in our values from a configuration file */ +int +get_confvalues(void) +{ + FILE *conf; + char *line_ptr = NULL; + char *line = NULL; + char *retval = NULL; + + if ((conf = fopen(conf_file, "r")) == NULL) { + if (verbose >= 1) + fprintf(stderr, "Unable to open specified configuration file: %s\n", conf_file); + return 0; + } + + line = safe_calloc(MAXLINELEN, sizeof(char)); + + while ((line_ptr = fgets(line, MAXLINELEN, conf)) != NULL) { + + /* what we're not interested in */ + if ((line[0] == '#') || (line[0] == '\n')) + continue; + + if (strncmp(line, "IGNORE_URLS", 11) == 0) { + retval = clean_conf(line); + if (retval != NULL) + ignore = safe_strdup(retval); + } + else if (strncmp(line, "GPG", 3) == 0) { + retval = clean_conf(line); + if 
(retval != NULL) + verify_bin = retval; + } + else if (strncmp(line, "PKGVULNDIR", 9) == 0) { + retval = clean_conf(line); + if (retval != NULL) + set_pvfile(retval); + } + + retval = NULL; + } + + /* bail if eof has not been set or ferror is set */ + if ((feof(conf) == 0) || (ferror(conf) != 0)) { + errx(EXIT_FAILURE, "Unable to read specified configuration file: %s", conf_file); + } + + free(line); + fclose(conf); + + return 0; +} + +/* called by checkforpkg to see if a package exists */ +static int +foundpkg(const char *found, void *vp) +{ + char *data = vp; + char *buf; + int retval = 0; + + buf = safe_calloc(PATH_MAX, sizeof(char)); + + /* we only want to display this if it really is a directory */ + retval = snprintf(buf, PATH_MAX, "%s/%s", data, found); + + if (retval < 0 || retval >= PATH_MAX) + return 0; + + if (!(isdir(buf) || islinktodir(buf))) + return -1; /* return value seems to be ignored for now */ + + pkgname = ap_fixpkgname(buf); + free(buf); + + return 0; +} + +/* check to see if a package exists */ +static int +checkforpkg(char *one_package) +{ + char *dbdir = NULL; + int retval; + char *buf = NULL; + char *try = NULL; + + dbdir = _pkgdb_getPKGDB_DIR(); + + /* expensive (pattern) match */ + if (strpbrk(one_package, "<>[]?*{")) { + retval = findmatchingname(dbdir, one_package, foundpkg, dbdir); + + if (retval == -1) { + return 1; + } else { + return !retval; + } + } + + buf = safe_calloc(PATH_MAX, sizeof(char)); + + /* simple match */ + (void) snprintf(buf, PATH_MAX, "%s/%s", dbdir, one_package); + retval = !(isdir(buf) || islinktodir(buf)); + + pkgname = ap_fixpkgname(buf); + + if (retval == 1) { + + /* found nothing - try 'pkg-[0-9]*' */ + try = safe_calloc(PATH_MAX, sizeof(char)); + + snprintf(try, PATH_MAX, "%s-[0-9]*", one_package); + if (findmatchingname(dbdir, try, foundpkg, dbdir) > 0) + retval = 0; + } + + free(buf); + free(try); + + return retval; +} + +/* usage message for this program */ +void +usage(void) +{ + fprintf(stderr, "Usage: 
%s [-desVv] [-c config_file] [-g file] [-h file] [-K pkg_dbdir] [-n package] [-p package] [-Q varname ] [-t type]\n", program_name); + fprintf(stderr, "\t-d : Run the download-vulnerability-list script before anything else.\n"); + fprintf(stderr, "\t-e : Check for end-of-life (eol) packages.\n"); + fprintf(stderr, "\t-s : Verify the signature of the pkg-vulnerabilities file.\n"); + fprintf(stderr, "\t-V : Display version and exit.\n"); + fprintf(stderr, "\t-v : Be more verbose. Specify multiple -v flags to increase verbosity.\n"); + fprintf(stderr, "\t-c : Specify a custom configuration file to use.\n"); + fprintf(stderr, "\t-g : Compute the hash of a file.\n"); + fprintf(stderr, "\t-h : Check the hash of a file against the internally stored value.\n"); + fprintf(stderr, "\t-K : Use pkg_dbdir as PKG_DBDIR.\n"); + fprintf(stderr, "\t-n : Check a specific package for vulnerabilities.\n"); + fprintf(stderr, "\t-p : Check a specific installed package for vulnerabilities.\n"); + fprintf(stderr, "\t-Q : Display the current value of varname and exit.\n"); + fprintf(stderr, "\t-t : Only check for a specific type of vulnerability.\n"); + exit(EXIT_SUCCESS); +} + +/* we need to download the file first */ +int +dvl(void) +{ + int retval = -1; + + /* execute download-vulnerability-list */ + retval = fexec(DVL_BIN, NULL); + + if (retval != 0) { + errx(EXIT_FAILURE, "Failure running: %s", DVL_BIN); + } + + return retval; +} + +/* check for an old vulnerabilities file if we're being verbose */ +void +old_pvfile(void) +{ + float t_diff; + int long t_current, t_pvfile; + struct stat pvstat; + struct timeval now_time = {0, 0}; + + /* we already know it exists */ + stat(pvfile, &pvstat); + + if ((gettimeofday(&now_time, NULL)) != 0) { + warnx("Unable to get current time. 
You pkg-vulnerabilities file may be out of date."); + } else { + /* difference between the file and now */ + t_current = now_time.tv_sec; + t_pvfile = pvstat.st_ctimespec.tv_sec; + t_diff = (((((float) t_current - (float) t_pvfile) / 60) / 60) / 24); + + if (t_diff >= 7) + fprintf(stderr, "%s more than a week old, continuing...\n", pvfile); + + if (verbose >= 2) + fprintf(stderr, "debug2: pkg-vulnerabilities file %.2f day(s) old.\n", t_diff); + } +} + +/* get the #FORMAT from the pkg-vulnerabilities file */ +void +pv_format(FILE * pv) +{ + char *line = NULL; + char *line_ptr; + + int major = 0; + int minor = 0; + int teeny = 0; + int format_found = 0; + + if (verbose >= 3) + fprintf(stderr, "debug3: File format required: #FORMAT %i.%i.%i\n", FORMAT[0], FORMAT[1], FORMAT[2]); + + line = safe_calloc(MAXLINELEN, sizeof(char)); + + while ((line_ptr = fgets(line, MAXLINELEN, pv)) != NULL) { + + /* this time round this is all we're interested in */ + if (strncmp(line, "#FORMAT", 6) == 0) { + + sscanf(line, "#FORMAT %i.%i.%i", + &major, &minor, &teeny); + + if (line[strlen(line) - 1] == '\n') + line[strlen(line) - 1] = '\0'; + + format_found = 1; + + if (verbose >= 3) + fprintf(stdout, "debug3: File format detected: %s\n", line); + + break; + } + } + + /* compare the #FORMAT with what we expect to see */ + if (format_found == 1) { + if ((major < FORMAT[0]) || + (minor < FORMAT[1]) || + (teeny < FORMAT[2])) { + errx(EXIT_FAILURE, "Your pkg-vulnerabilites file is out of date.\nPlease update audit-packages and run download-vulnerability-list again."); + } + } else { + errx(EXIT_FAILURE, "No file format version found in: %s.\nPlease update audit-packages and run download-vulnerability-list again.", pvfile); + } + + free(line); +} + +/* extract the stored hash in the pkg-vulnerabilities file */ +char * +get_hash(char *hash_input) +{ + char *line = NULL; + char *hash = NULL; + char *line_ptr = NULL; + + int hash_found = 0; + + FILE *hash_in; + + if ((hash_in = fopen(hash_input, 
"r")) == NULL) { + errx(EXIT_FAILURE, "Unable to open: %s", hash_input); + } + + line = safe_calloc(MAXLINELEN, sizeof(char)); + + while ((line_ptr = fgets(line, MAXLINELEN, hash_in)) != NULL) { + if (strncmp(line, "#CHECKSUM SHA512", 16) == 0) { + + hash = safe_calloc(SHA512_DIGEST_STRING_LENGTH, sizeof(char)); + sscanf(line, "#CHECKSUM SHA512 %129s", hash); + hash_found = 1; + + break; + } + } + + if (hash_found == 0) { + errx(EXIT_FAILURE, "No hash found in: %s\nPlease update audit-packages and run download-vulnerability-list again.", pvfile); + } + + fclose(hash_in); + free(line); + + return hash; +} + +/* check the internally stored hash against the computed hash (-h <file>) */ +int +check_hash(char *hash_input) +{ + int retval = -1; + char *hash_stored = NULL; + char *hash_generated = NULL; + + hash_generated = gen_hash(hash_input); + + /* if gen_hash() failed then return now */ + if (hash_generated == NULL) + return retval; + + if (verbose >= 2) + fprintf(stderr, "debug2: Hash generated: %s\n", hash_generated); + + hash_stored = get_hash(hash_input); + + /* if get_hash() failed then return now */ + if (hash_stored == NULL) + return retval; + + if (verbose >= 2) + fprintf(stderr, "debug2: Hash stored: %s\n", hash_stored); + + /* do the hash comparison */ + if (strncmp(hash_generated, hash_stored, SHA512_DIGEST_STRING_LENGTH) == 0) { + retval = 0; + } else { + retval = -1; + } + + return retval; +} + +/* do the hash calculation on specified input */ +char * +gen_hash(char *hash_input) +{ + char *hash_result = NULL; + char *hash_calc = NULL; + char *line = NULL; + char *line_ptr; + + int j = 0; + int i = 0; + + FILE *hash_in; + + if ((hash_in = fopen(hash_input, "r")) == NULL) { + errx(EXIT_FAILURE, "Unable to open: %s", hash_input); + } + + SHA512_CTX hash_ctx; + SHA512_Init(&hash_ctx); + + line = safe_calloc(MAXLINELEN, sizeof(char)); + + while ((line_ptr = fgets(line, MAXLINELEN, hash_in)) != NULL) { + + /* what we're not interested in */ + if 
((strncmp(line, "# $NetBSD:", 10) == 0) || + (line[0] == '\n') || + (strncmp(line, "-----BEGIN", 10) == 0) || + (strncmp(line, "Hash:", 5) == 0) || + (strncmp(line, "#CHECKSUM", 9) == 0 )) + continue; + + /* effective EOF */ + if (strncmp(line, "Version:", 8) == 0) + break; + + SHA512_Update(&hash_ctx, (unsigned char *)line, strlen(line)); + } + + /* get the hash_result into a human readable string */ + hash_calc = safe_calloc(SHA512_DIGEST_STRING_LENGTH, sizeof(char)); + hash_result = safe_calloc(SHA512_DIGEST_LENGTH, sizeof(char)); + + SHA512_Final((unsigned char *)hash_result, &hash_ctx); + + for (i = 0; i < SHA512_DIGEST_LENGTH; ++i) { + sprintf(&hash_calc[j], "%02x", hash_result[i] & 0xFF); + j = j + 2; + } + + fclose(hash_in); + free(hash_result); + free(line); + + return hash_calc; +} + +/* do signature checking - if required */ +int +check_sig(char *sig_input) +{ + int retval = -1; + + if (verbose >= 3) + fprintf(stderr, "debug3: Attempting to verify signature.\n"); + + /* execute our verification tool */ + retval = fexec(verify_bin, "--verify", "--batch", "--no-options", sig_input, NULL); + + return retval; +} + +/* print the messages for eol and vulnerable packages */ +int +pv_message(char *pv_entry[]) +{ + int retval = 0; + + /* deal with eol'ed packages */ + if (strcmp(pv_entry[1], "eol") == 0) { + if (eol == TRUE) { + fprintf(stderr, "Package %s has reached end-of-life (eol), see %s/eol-packages\n", pv_entry[0], EOL_URL); + } + } else { + /* return that we found a vulnerable package */ + retval = 1; + + /* Just make sure we display _something_ useful here */ + if (pkgname == NULL) + pkgname = pv_entry[0]; + + fprintf(stderr, "Package %s has a %s vulnerability, see %s\n", pkgname, pv_entry[1], pv_entry[2]); + } + + return retval; +} + +/* deal with URLs that we're ignorning */ +int +ap_ignore(char *pv_entry[]) +{ + char *ignore_tmp = NULL; + char *ig_token = NULL; + + int retval = 0; + int ignore_hit = 0; + + ignore_tmp = safe_strdup(ignore); + + while 
((ig_token = strsep(&ignore_tmp, " ")) != NULL) { + + /* ignore empty tokens as well */ + if (ig_token[0] != '\0') { + /* see we have an IGNORE_URLS hit */ + if (strcmp(pv_entry[2], ig_token) == 0) { + ignore_hit = 1; + break; + } + } + } + + /* if we're seen an IGNORE_URLS then don't bother going on */ + if (ignore_hit == 1) { + if (verbose >= 1) { + fprintf(stderr, "Ignoring vulnerability for %s with pattern: %s\n", pv_entry[2], pv_entry[0]); + } + + /* return that we got an ignore hit */ + retval = 1; + } + + return retval; +} + +/* at the moment we really don't need to clean anything up */ +void +cleanup(int signo) +{ +} + +/* print what the current settings are */ +void +show_info(char *varname) +{ + if (strncmp(varname, "GPG", 3) == 0) { + fprintf(stdout, "%s\n", verify_bin); + } + else if (strncmp(varname, "PKGVULNDIR", 9) == 0) { + fprintf(stdout, "%s\n", pvdir); + } + else if (strncmp(varname, "IGNORE_URLS", 11) == 0) { + fprintf(stdout, "%s\n", ignore); + } +} + +/* set the location for the pkg-vulnerabilities file */ +void +set_pvfile(char *vuln_dir) +{ + char *pvloc = NULL; + size_t retval; + const char pvname[] = "/pkg-vulnerabilities"; + + pvloc = safe_calloc(MAXPATHLEN, sizeof(char)); + retval = strlcpy(pvloc, vuln_dir, MAXPATHLEN); + retval = strlcat(pvloc, pvname, MAXPATHLEN); + + pvdir = safe_strdup(vuln_dir); + pvfile = safe_strdup(pvloc); + + free(pvloc); +} + +/* duplicate a string and check the return value */ +char * +safe_strdup(char *dupe) +{ + char *retval; + + if ((retval = strdup(dupe)) == NULL) { + errx(EXIT_FAILURE, "Unable to allocate memory at line: %d.", __LINE__); + } + + return retval; +} diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in new file mode 100644 index 00000000000..2a84417e27c --- /dev/null +++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.cat1.in 
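Review bot: In get_confvalues the `GPG` branch keeps `verify_bin = retval;`, a pointer into `line`, which the next fgets overwrites and `free(line)` releases before check_sig hands it to fexec as the program to run; it should copy like the IGNORE_URLS branch does, `verify_bin = safe_strdup(retval);`. In get_hash, `sscanf(line, "#CHECKSUM SHA512 %129s", hash)` may store 129 characters plus the terminator into a buffer of SHA512_DIGEST_STRING_LENGTH bytes, one more than the 128 hex digits gen_hash produces fit, so an over-long checksum line in a downloaded file overruns it by a byte; `%128s` matches the buffer. The prefix lengths in `strncmp(line, "#FORMAT", 6)` (pv_format) and `strncmp(line, "PKGVULNDIR", 9)` (get_confvalues and show_info) are one short of the literal, and the format check `(major < FORMAT[0]) || (minor < FORMAT[1]) || (teeny < FORMAT[2])` compares the three numbers independently rather than as an ordered version, so a future 2.0.0 file would be rejected as out of date. In main, `set_pvfile(_pkgdb_getPKGDB_DIR())` runs before the getopt loop, so `-K pkg_dbdir` appears to change the package database but not where pkg-vulnerabilities is looked up unless PKGVULNDIR is also set. check_hash would benefit from a comment that the `#CHECKSUM` line ships inside the file it covers, so without `-s` the comparison detects a corrupted download, not a modified one.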
@@ -0,0 +1,183 @@ +AUDIT-PACKAGES(1) NetBSD General Commands Manual AUDIT-PACKAGES(1) + +NNAAMMEE + aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in + installed packages + +SSYYNNOOPPSSIISS + aauuddiitt--ppaacckkaaggeess [--ddeessVVvv] [--cc _c_o_n_f_i_g___f_i_l_e] [--gg _f_i_l_e] [--hh _f_i_l_e] + [--KK _p_k_g___d_b_d_i_r] [--nn _p_a_c_k_a_g_e] [--pp _p_a_c_k_a_g_e] [--QQ _v_a_r_n_a_m_e] + [--tt _t_y_p_e] + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt [--hhss] [--cc _c_o_n_f_i_g___f_i_l_e] + +DDEESSCCRRIIPPTTIIOONN + The aauuddiitt--ppaacckkaaggeess program compares the installed packages with the + _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file and reports any known security issues to stan- + dard output. This output contains the name and version of the package, + the type of vulnerability, and an URL for further information for each + vulnerable package. + + The following flags are supported: + + --dd Attempt to download the vulnerabilities file using the + _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t script before scanning the + installed packages for vulnerabilities. + + --ee Check for end-of-life (eol) packages. + + --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file. The key used to sign the file is available from: + _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c + + In order for this to function correctly the above key must + be added to the gpg keyring of the user who runs + _a_u_d_i_t_-_p_a_c_k_a_g_e_s _-_s and/or _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t _-_s. + In addition to this the gpg binary must be installed on + your system. The path to the gpg binary can be set in + audit-packages.conf(5). + + The requirement for GnuPG may go away in the future when a + suitable replacement is implemented. 
+ + --VV Display the version number and exit. + + --vv Be more verbose. Specify multiple -v flags to increase ver- + bosity. Currently a maximum level of three is supported. + + --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use. + + --gg _f_i_l_e Compute the SHA512 hash on _f_i_l_e. + + --hh _f_i_l_e Check the SHA512 hash of a _f_i_l_e against the internally + stored value. + + --KK _p_k_g___d_b_d_i_r Use package database directory _p_k_g___d_b_d_i_r. + + --nn _p_a_c_k_a_g_e Check only the package _p_a_c_k_a_g_e for vulnerabilities. + + --pp _p_a_c_k_a_g_e Check only the installed package _p_a_c_k_a_g_e for vulnerabili- + ties. + + --QQ _v_a_r_n_a_m_e Display the current value of _v_a_r_n_a_m_e and exit. Currently + supported _v_a_r_n_a_m_e are GPG, PKGVULNDIR and IGNORE_URLS. + + --tt _t_y_p_e Only check for the specified _t_y_p_e of vulnerability. + + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file from _f_t_p_._N_e_t_B_S_D_._o_r_g using ftp(1) by default. This vulnerabilities + file documents all known security issues in pkgsrc packages and is kept + up-to-date by the NetBSD pkgsrc-security team. + + The following flags are supported: + + --hh Display program usage. + + --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file. In order for this to function correctly you will + need to add the pkgsrc Security Team key to your gpg + keyring and trust it. The key is available from: + _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c + In addition to this the gpg binary must be installed on + your system. The path to the gpg binary can be set in + audit-packages.conf(5). + + --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use. 
+ + By default ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt will download a compressed version + of _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s from ftp.netbsd.org. The default file downloaded + is compressed using gzip(1). The compression tool used can set in + audit-packages.conf(5). Currently only gzcat(1) and bzcat(1) are sup- + ported. + + Each line lists the package and vulnerable versions, the type of exploit, + and an Internet address for further information: + + <package pattern> <type> <url> + + The type of exploit can be any text, although some common types of + exploits listed are: + ++oo cross-site-html + ++oo cross-site-scripting + ++oo denial-of-service + ++oo eol + ++oo file-permissions + ++oo local-access + ++oo local-code-execution + ++oo local-file-read + ++oo local-file-removal + ++oo local-file-write + ++oo local-root-file-view + ++oo local-root-shell + ++oo local-symlink-race + ++oo local-user-file-view + ++oo local-user-shell + ++oo privacy-leak + ++oo remote-code-execution + ++oo remote-command-inject + ++oo remote-file-creation + ++oo remote-file-read + ++oo remote-file-view + ++oo remote-file-write + ++oo remote-key-theft + ++oo remote-root-access + ++oo remote-root-shell + ++oo remote-script-inject + ++oo remote-server-admin + ++oo remote-use-of-secret + ++oo remote-user-access + ++oo remote-user-file-view + ++oo remote-user-shell + ++oo unknown + ++oo weak-authentication + ++oo weak-encryption + ++oo weak-ssl-authentication + + The type _e_o_l implies that the package is no longer maintained by the + software vendor but is provided by the pkgsrc team for your convenience + only. It may contain any number of the above mentioned vulnerabilities. + Any packages of type eol are not reported by default. Run aauuddiitt--ppaacckkaaggeess + --ee to also report on eol packages. + + By default, the vulnerabilities file is stored in the PKG_DBDIR direc- + tory. On a standard installation this will be set to @pkgdbdir@. 
If you + have installed pkgsrc on a supported platform this will be what ever you + specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>. The path + to the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file can be set in audit-packages.conf(5). + +EEXXIITT SSTTAATTUUSS + The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs. + +FFIILLEESS + @pkgdbdir@/pkg-vulnerabilities + + @sysconfdir@/audit-packages.conf + +EEXXAAMMPPLLEESS + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be run via cron(8) to update + the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily. And aauuddiitt--ppaacckkaaggeess can be run via + cron(8) (or with NetBSD's _/_e_t_c_/_s_e_c_u_r_i_t_y_._l_o_c_a_l daily security script). + + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use IPv4 with + the following setting in @sysconfdir@/audit-packages.conf: + + FETCH_ARGS="-4" + + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use http to + download the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file with the following setting in + @sysconfdir@/audit-packages.conf: + + FETCH_PROTO="http" + +SSEEEE AALLSSOO + pkg_info(1), audit-packages.conf(5), mk.conf(5), packages(7), + _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m + +HHIISSTTOORRYY + The aauuddiitt--ppaacckkaaggeess and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were origi- + nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on + September 19, 2000. During April 2007 aauuddiitt--ppaacckkaaggeess was re-written by + Adrian Portelli and support was added for compressed files and checking + signatures on downloaded files. The original idea came from Roland + Dowdeswell and Bill Sommerfeld. + +NetBSD 3.1 July 07, 2007 NetBSD 3.1 
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.5.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.5.in
new file mode 100644
index 00000000000..e3e405b6802
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.5.in
@@ -0,0 +1,123 @@
+.\" $NetBSD: audit-packages.conf.5.in,v 1.1 2007/07/14 20:17:09 adrianp Exp $
+.\"
+.\" Copyright (c) 2007 Adrian Portelli. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Adrian Portelli
+.\" for the NetBSD project.
+.\" 4. The name of the author may not be used to endorse or promote
+.\" products derived from this software without specific prior written
+.\" permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 07, 2007
+.Os
+.Dt audit-packages.conf 5
+.Sh NAME
+.Nm audit-packages.conf
+.Nd audit-packages and download-vulnerability-list configuration file.
+.Sh DESCRIPTION
+The
+.Nm
+file contains the configuration information for
+.Xr download-vulnerability-list 8
+and
+.Xr audit-packages 8 .
+.Pp
+These variables can be defined in the
+.Xr audit-packages.conf 8
+file.
+.Pp
+.Bl -tag -width COMPRESS_TYPE
+.It Ev GPG
+The full path to the location of the binary used to verify the signature
+on the downloaded
+.Pa pkg-vulnerabilities
+file. Currently only GnuPG is supported.
+.Pp
+The default is "@prefix@/bin/gpg".
+.It Ev PKGVULNDIR
+Specifies the directory containing the
+.Pa pkg-vulnerabilities
+file.
+.Pp
+The default is "@pkgdbdir@".
+.It Ev COMPRESS_TYPE
+Specifies which type of compressed
+.Pa pkg-vulnerabilities
+file to download. You can also specify COMPRESS_TYPE="" to use
+and uncompressed version of the file. If you change this from the
+default you must specify a COMPRESS_TOOL. The
+currently accepted options are gzip and bzip2.
+.It Ev COMPRESS_TOOL
+The full path to the location of the binary used to
+decompress the downloaded
+.Pa pkg-vulnerabilities
+file.
+.Pp
+The default is "@gzcat@".
+.It Ev FETCH_CMD
+Specifies the client used to download the
+.Pa pkg-vulnerabilities
+file. Currently known tools include curl, ftp, wget and fetch.
+.Pp
+The default is @ftp@.
+.It Ev FETCH_ARGS
+Specifies optional arguments for the client used to download the
+.Pa pkg-vulnerabilities
+file.
+.It Ev FETCH_PROTO
+Specifies the protocol to use when fetching the
+.Pa pkg-vulnerabilities
+file.
+Currently supports only http and ftp.
+.Pp
+The default is "ftp".
+.It Ev IGNORE_URLS
+A list of vulnerability URLs to be ignored.
+This allows for ignoring certain URLs that are attached to a
+vulnerability.
+.El
+.Sh FILES
+@sysconfdir@/audit-packages.conf
+.Sh SEE ALSO
+.Xr pkg_info 1 ,
+.Xr mk.conf 5 ,
+.Xr packages 7 ,
+.Xr audit-packages 8 and
+.%T "Documentation on the NetBSD Package System"
+.Sh HISTORY
+The
+.Nm
+and
+.Nm download-vulnerability-list
+commands were originally implemented and added to
+.Nx Ap s
+pkgsrc by
+.An Alistair Crooks
+on September 19, 2000. During April 2007
+.Nm
+was re-written by Adrian Portelli
+and support was added for compressed files and checking signatures on downloaded
+files.
+The original idea came from Roland Dowdeswell and Bill Sommerfeld.
diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.cat5.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.cat5.in
new file mode 100644
index 00000000000..767176797e8
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.cat5.in
@@ -0,0 +1,70 @@ +audit-packages.conf(5) NetBSD File Formats Manual audit-packages.conf(5) + +NNAAMMEE + aauuddiitt--ppaacckkaaggeess..ccoonnff -- audit-packages and download-vulnerability-list + configuration file. + +DDEESSCCRRIIPPTTIIOONN + The aauuddiitt--ppaacckkaaggeess..ccoonnff file contains the configuration information for + download-vulnerability-list(8) and audit-packages(8). + + These variables can be defined in the audit-packages.conf(8) file. + + GPG The full path to the location of the binary used to verify + the signature on the downloaded _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. + Currently only GnuPG is supported. + + The default is "@prefix@/bin/gpg". + + PKGVULNDIR Specifies the directory containing the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file. + + The default is "@pkgdbdir@". + + COMPRESS_TYPE Specifies which type of compressed _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file to download. You can also specify COMPRESS_TYPE="" + to use and uncompressed version of the file. If you + change this from the default you must specify a COM- + PRESS_TOOL. The currently accepted options are gzip and + bzip2. + + COMPRESS_TOOL The full path to the location of the binary used to decom- + press the downloaded _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. + + The default is "@gzcat@". + + FETCH_CMD Specifies the client used to download the + _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. Currently known tools include + curl, ftp, wget and fetch. + + The default is @ftp@. + + FETCH_ARGS Specifies optional arguments for the client used to down- + load the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. + + FETCH_PROTO Specifies the protocol to use when fetching the + _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. Currently supports only http + and ftp. + + The default is "ftp". + + IGNORE_URLS A list of vulnerability URLs to be ignored. This allows + for ignoring certain URLs that are attached to a vulnera- + bility. 
+ +FFIILLEESS + @sysconfdir@/audit-packages.conf + +SSEEEE AALLSSOO + pkg_info(1), mk.conf(5), packages(7), audit-packages(8) and _D_o_c_u_m_e_n_t_a_t_i_o_n + _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m + +HHIISSTTOORRYY + The aauuddiitt--ppaacckkaaggeess..ccoonnff and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were + originally implemented and added to NetBSD's pkgsrc by Alistair Crooks on + September 19, 2000. During April 2007 aauuddiitt--ppaacckkaaggeess..ccoonnff was re-written + by Adrian Portelli and support was added for compressed files and check- + ing signatures on downloaded files. The original idea came from Roland + Dowdeswell and Bill Sommerfeld. + +NetBSD 3.1 July 07, 2007 NetBSD 3.1 diff --git a/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.in b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.in new file mode 100644 index 00000000000..8eb4a159b40 --- /dev/null +++ b/pkgtools/pkg_install/files/audit-packages/audit-packages.conf.in 
@@ -0,0 +1,78 @@
+# $NetBSD: audit-packages.conf.in,v 1.1 2007/07/14 20:17:09 adrianp Exp $
+
+#
+# sample configuration file for audit-packages(8) and
+# download-vulnerability-list(8)
+#
+
+# GPG
+#
+# Specifies the full path to the gpg tool that will be used for verifying
+# the signature on the downloaded pkg-vulnerabilities file.
+#
+# Used by: audit-packages download-vulnerability-list
+# Supported: /path/to/gpg
+# Default: GPG="@prefix@/bin/gpg"
+
+# PKGVULNDIR
+#
+# Specifies the directory the pkg-vulnerabilities file is located in.
+#
+# Used by: audit-packages download-vulnerability-list
+# Supported: /path/to/pkg-vulnerabilities/
+# Default: PKGVULNDIR="@pkgdbdir@"
+
+# COMPRESS_TYPE
+#
+# Specifies which type of compressed pkg-vulnerabilities file to
+# download. You can also specify COMPRESS_TYPE="" to use
+# and uncompressed version of the file.
+#
+# If you change this from the default you must specify a COMPRESS_TOOL.
+#
+# Used by: download-vulnerability-list
+# Supported: gzip bzip2 (none)
+# Default: COMPRESS_TYPE="gzip"
+
+# COMPRESS_TOOL
+#
+# Specifies which tool will be used when dealing with the compressed
+# pkg-vulnerabilities file.
+#
+# Used by: download-vulnerability-list
+# Supported: Any local binary that can decompress the
+# pkg-vulnerabilities file to stdout
+# Default: COMPRESS_TOOL="@gzcat@"
+
+# FETCH_CMD
+#
+# Specifies the tool that will be used to fetch the pkg-vulnerabilities
+# file.
+#
+# Used by: download-vulnerability-list
+# Supported: /path/to/curl /path/to/ftp /path/to/wget /path/to/fetch
+# Default: FETCH_CMD=@ftp@
+
+# FETCH_ARGS
+#
+# Specifies optional arguments for the download-vulnerability-list client.
+#
+# Used by: download-vulnerability-list
+# Supported: Any valid arguments for FETCH_CMD
+# Default: FETCH_ARGS=
+
+# FETCH_PROTO
+#
+# Specifies the protocol to use when fetching the pkg-vulnerabilities file.
+#
+# Used by: download-vulnerability-list
+# Supported: ftp http
+# Default: FETCH_PROTO="ftp"
+
+# IGNORE_URLS
+#
+# A list of vulnerability URLs to be ignored.
+#
+# Used by: audit-packages
+# Supported: Valid URL(s) from pkg-vulnerabilities
+# Default: IGNORE_URLS=
diff --git a/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.1.in b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.1.in
new file mode 100644
index 00000000000..22ffeb00dbf
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.1.in
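Review bot: The COMPRESS_TYPE comment says `COMPRESS_TYPE=""` selects an uncompressed file, but the `case "${COMPRESS_TYPE}" in` block in the download-vulnerability-list.sh.in hunk accepts only `bzip2`, `gzip` and `none`, so an empty value falls through to the `*)` arm and the script aborts with "Unknown COMPRESS_TYPE"; the audit-packages.conf.5.in and audit-packages.conf.cat5.in hunks repeat the same wording. Either document the literal `none` here (the `Supported:` line already lists it) or make the script's `none)` arm read `none|"")` so both spellings work. The same sentence also has a typo, `and uncompressed version` should read `an uncompressed version`.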
@@ -0,0 +1,336 @@ +.\" $NetBSD: download-vulnerability-list.1.in,v 1.1 2007/07/14 20:17:10 adrianp Exp $ +.\" +.\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by Jeremy C. Reed +.\" for the NetBSD project. +.\" 4. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS +.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.Dd July 07, 2007 +.Os +.Dt AUDIT-PACKAGES 1 +.Sh NAME +.Nm audit-packages , +.Nm download-vulnerability-list +.Nd show vulnerabilities in installed packages +.Sh SYNOPSIS +.Nm +.Op Fl desVv +.Op Fl c Ar config_file +.Op Fl g Ar file +.Op Fl h Ar file +.Op Fl K Ar pkg_dbdir +.Op Fl n Ar package +.Op Fl p Ar package +.Op Fl Q Ar varname +.Op Fl t Ar type +.Nm download-vulnerability-list +.Op Fl hs +.Op Fl c Ar config_file +.Sh DESCRIPTION +The +.Nm +program compares the installed packages with the +.Pa pkg-vulnerabilities +file and reports any known security issues to standard output. +This output contains the name and version of the package, the +type of vulnerability, and an URL for further information for each +vulnerable package. +.Pp +The following flags are supported: +.Bl -tag -width Ar +.It Fl d +Attempt to download the vulnerabilities +file using the +.Pa download-vulnerability-list +script before scanning the installed packages for vulnerabilities. +.It Fl e +Check for end-of-life (eol) packages. +.It Fl s +Verify the signature of the current +.Pa pkg-vulnerabilities +file. The key used to sign the file is available from: +.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc +.Pp +In order for this to function correctly the above key must be +added to the gpg keyring of the user who runs +.Pa audit-packages -s +and/or +.Pa download-vulnerability-list -s . +In addition to this the gpg binary must be installed on your system. +The path to the gpg binary can be set in +.Xr audit-packages.conf 5 . +.Pp +The requirement for GnuPG may go away in the future when a suitable +replacement is implemented. +.It Fl V +Display the version number and exit. +.It Fl v +Be more verbose. Specify multiple -v flags to increase verbosity. +Currently a maximum level of three is supported. +.It Fl c Ar conf_file +Specify a custom +.Ar conf_file +configuration file to use. +.It Fl g Ar file +Compute the SHA512 hash on +.Ar file . 
+.It Fl h Ar file +Check the SHA512 hash of a +.Ar file +against the internally stored value. +.It Fl K Ar pkg_dbdir +Use package database directory +.Ar pkg_dbdir . +.It Fl n Ar package +Check only the package +.Ar package +for vulnerabilities. +.It Fl p Ar package +Check only the installed package +.Ar package +for vulnerabilities. +.It Fl Q Ar varname +Display the current value of +.Ar varname +and exit. Currently supported +.Ar varname +are GPG, PKGVULNDIR and IGNORE_URLS. +.It Fl t Ar type +Only check for the specified +.Ar type +of vulnerability. +.El +.Pp +The +.Nm download-vulnerability-list +program downloads the +.Pa pkg-vulnerabilities +file from +.Pa ftp.NetBSD.org +using +.Xr ftp 1 +by default. This vulnerabilities file documents all known security issues in +pkgsrc packages and is kept up-to-date by the +.Nx +pkgsrc-security team. +.Pp +The following flags are supported: +.Bl -tag -width Ar +.It Fl h +Display program usage. +.It Fl s +Verify the signature of the current +.Pa pkg-vulnerabilities +file. In order for this to function correctly you will need to add the +pkgsrc Security Team key to your gpg keyring and trust it. The key is +available from: +.Pa ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc +In addition to this the gpg binary must be installed on your system. +The path to the gpg binary can be set in +.Xr audit-packages.conf 5 . +.It Fl c Ar conf_file +Specify a custom +.Ar conf_file +configuration file to use. +.El +.Pp +By default +.Nm download-vulnerability-list +will download a compressed version of +.Pa pkg-vulnerabilities +from ftp.netbsd.org. The default file downloaded is compressed using +.Xr gzip 1 . +The compression tool used can set in +.Xr audit-packages.conf 5 . +Currently only +.Xr gzcat 1 +and +.Xr bzcat 1 +are supported. 
+.Pp +Each line lists the package and vulnerable versions, the type of exploit, +and an Internet address for further information: +.Bl -item +.It +.Aq package pattern +.Aq type +.Aq url +.El +.Pp +The type of exploit can be any text, although +some common types of exploits listed are: +.Bl -bullet -compact -offset indent +.It +cross-site-html +.It +cross-site-scripting +.It +denial-of-service +.It +eol +.It +file-permissions +.It +local-access +.It +local-code-execution +.It +local-file-read +.It +local-file-removal +.It +local-file-write +.It +local-root-file-view +.It +local-root-shell +.It +local-symlink-race +.It +local-user-file-view +.It +local-user-shell +.It +privacy-leak +.It +remote-code-execution +.It +remote-command-inject +.It +remote-file-creation +.It +remote-file-read +.It +remote-file-view +.It +remote-file-write +.It +remote-key-theft +.It +remote-root-access +.It +remote-root-shell +.It +remote-script-inject +.It +remote-server-admin +.It +remote-use-of-secret +.It +remote-user-access +.It +remote-user-file-view +.It +remote-user-shell +.It +unknown +.It +weak-authentication +.It +weak-encryption +.It +weak-ssl-authentication +.El +.Pp +The type +.Pa eol +implies that the package is no longer maintained by the software vendor but +is provided by the pkgsrc team for your convenience only. It may contain any +number of the above mentioned vulnerabilities. Any packages of type eol +are not reported by default. Run +.Nm Fl e +to also report on eol packages. +.Pp +By default, the vulnerabilities file is stored in the +PKG_DBDIR +directory. On a standard installation this will be set to @pkgdbdir@. +If you have installed pkgsrc on a supported platform this will be what +ever you specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>. +The path to the +.Pa pkg-vulnerabilities +file can be set in +.Xr audit-packages.conf 5 . 
+.Sh EXIT STATUS +.Ex -std audit-packages +.Sh FILES +@pkgdbdir@/pkg-vulnerabilities +.Pp +@sysconfdir@/audit-packages.conf +.Sh EXAMPLES +The +.Nm download-vulnerability-list +command can be run via +.Xr cron 8 +to update the +.Pa pkg-vulnerabilities +file daily. +And +.Nm +can be run via +.Xr cron 8 +(or with +.Nx Ap s +.Pa /etc/security.local +daily security script). +.Pp +The +.Nm download-vulnerability-list +command can be forced to use IPv4 with the following setting in +@sysconfdir@/audit-packages.conf: +.Pp +FETCH_ARGS="-4" +.Pp +The +.Nm download-vulnerability-list +command can be forced to use http to download the +.Pa pkg-vulnerabilities +file with the following setting in +@sysconfdir@/audit-packages.conf: +.Pp +FETCH_PROTO="http" +.Sh SEE ALSO +.Xr pkg_info 1 , +.Xr audit-packages.conf 5 , +.Xr mk.conf 5 , +.Xr packages 7 , +.%T "Documentation on the NetBSD Package System" +.Sh HISTORY +The +.Nm +and +.Nm download-vulnerability-list +commands were originally implemented and added to +.Nx Ap s +pkgsrc by +.An Alistair Crooks +on September 19, 2000. During April 2007 +.Nm +was re-written by Adrian Portelli +and support was added for compressed files and checking signatures on downloaded +files. +The original idea came from Roland Dowdeswell and Bill Sommerfeld. diff --git a/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.cat1.in b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.cat1.in new file mode 100644 index 00000000000..2a84417e27c --- /dev/null +++ b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.cat1.in 
@@ -0,0 +1,183 @@ +AUDIT-PACKAGES(1) NetBSD General Commands Manual AUDIT-PACKAGES(1) + +NNAAMMEE + aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in + installed packages + +SSYYNNOOPPSSIISS + aauuddiitt--ppaacckkaaggeess [--ddeessVVvv] [--cc _c_o_n_f_i_g___f_i_l_e] [--gg _f_i_l_e] [--hh _f_i_l_e] + [--KK _p_k_g___d_b_d_i_r] [--nn _p_a_c_k_a_g_e] [--pp _p_a_c_k_a_g_e] [--QQ _v_a_r_n_a_m_e] + [--tt _t_y_p_e] + ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt [--hhss] [--cc _c_o_n_f_i_g___f_i_l_e] + +DDEESSCCRRIIPPTTIIOONN + The aauuddiitt--ppaacckkaaggeess program compares the installed packages with the + _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file and reports any known security issues to stan- + dard output. This output contains the name and version of the package, + the type of vulnerability, and an URL for further information for each + vulnerable package. + + The following flags are supported: + + --dd Attempt to download the vulnerabilities file using the + _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t script before scanning the + installed packages for vulnerabilities. + + --ee Check for end-of-life (eol) packages. + + --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file. The key used to sign the file is available from: + _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c + + In order for this to function correctly the above key must + be added to the gpg keyring of the user who runs + _a_u_d_i_t_-_p_a_c_k_a_g_e_s _-_s and/or _d_o_w_n_l_o_a_d_-_v_u_l_n_e_r_a_b_i_l_i_t_y_-_l_i_s_t _-_s. + In addition to this the gpg binary must be installed on + your system. The path to the gpg binary can be set in + audit-packages.conf(5). + + The requirement for GnuPG may go away in the future when a + suitable replacement is implemented. 
+ + --VV Display the version number and exit. + + --vv Be more verbose. Specify multiple -v flags to increase ver- + bosity. Currently a maximum level of three is supported. + + --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use. + + --gg _f_i_l_e Compute the SHA512 hash on _f_i_l_e. + + --hh _f_i_l_e Check the SHA512 hash of a _f_i_l_e against the internally + stored value. + + --KK _p_k_g___d_b_d_i_r Use package database directory _p_k_g___d_b_d_i_r. + + --nn _p_a_c_k_a_g_e Check only the package _p_a_c_k_a_g_e for vulnerabilities. + + --pp _p_a_c_k_a_g_e Check only the installed package _p_a_c_k_a_g_e for vulnerabili- + ties. + + --QQ _v_a_r_n_a_m_e Display the current value of _v_a_r_n_a_m_e and exit. Currently + supported _v_a_r_n_a_m_e are GPG, PKGVULNDIR and IGNORE_URLS. + + --tt _t_y_p_e Only check for the specified _t_y_p_e of vulnerability. + + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file from _f_t_p_._N_e_t_B_S_D_._o_r_g using ftp(1) by default. This vulnerabilities + file documents all known security issues in pkgsrc packages and is kept + up-to-date by the NetBSD pkgsrc-security team. + + The following flags are supported: + + --hh Display program usage. + + --ss Verify the signature of the current _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s + file. In order for this to function correctly you will + need to add the pkgsrc Security Team key to your gpg + keyring and trust it. The key is available from: + _f_t_p_._n_e_t_b_s_d_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_s_e_c_u_r_i_t_y_/_P_G_P_/_p_k_g_s_r_c_-_s_e_c_u_r_i_t_y_@_N_e_t_B_S_D_._o_r_g_._a_s_c + In addition to this the gpg binary must be installed on + your system. The path to the gpg binary can be set in + audit-packages.conf(5). + + --cc _c_o_n_f___f_i_l_e Specify a custom _c_o_n_f___f_i_l_e configuration file to use. 
+ + By default ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt will download a compressed version + of _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s from ftp.netbsd.org. The default file downloaded + is compressed using gzip(1). The compression tool used can set in + audit-packages.conf(5). Currently only gzcat(1) and bzcat(1) are sup- + ported. + + Each line lists the package and vulnerable versions, the type of exploit, + and an Internet address for further information: + + <package pattern> <type> <url> + + The type of exploit can be any text, although some common types of + exploits listed are: + ++oo cross-site-html + ++oo cross-site-scripting + ++oo denial-of-service + ++oo eol + ++oo file-permissions + ++oo local-access + ++oo local-code-execution + ++oo local-file-read + ++oo local-file-removal + ++oo local-file-write + ++oo local-root-file-view + ++oo local-root-shell + ++oo local-symlink-race + ++oo local-user-file-view + ++oo local-user-shell + ++oo privacy-leak + ++oo remote-code-execution + ++oo remote-command-inject + ++oo remote-file-creation + ++oo remote-file-read + ++oo remote-file-view + ++oo remote-file-write + ++oo remote-key-theft + ++oo remote-root-access + ++oo remote-root-shell + ++oo remote-script-inject + ++oo remote-server-admin + ++oo remote-use-of-secret + ++oo remote-user-access + ++oo remote-user-file-view + ++oo remote-user-shell + ++oo unknown + ++oo weak-authentication + ++oo weak-encryption + ++oo weak-ssl-authentication + + The type _e_o_l implies that the package is no longer maintained by the + software vendor but is provided by the pkgsrc team for your convenience + only. It may contain any number of the above mentioned vulnerabilities. + Any packages of type eol are not reported by default. Run aauuddiitt--ppaacckkaaggeess + --ee to also report on eol packages. + + By default, the vulnerabilities file is stored in the PKG_DBDIR direc- + tory. On a standard installation this will be set to @pkgdbdir@. 
If you + have installed pkgsrc on a supported platform this will be what ever you + specifed when bootstrapping pkgsrc i.e. --pkgdbdir <pkgdbdir>. The path + to the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file can be set in audit-packages.conf(5). + +EEXXIITT SSTTAATTUUSS + The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs. + +FFIILLEESS + @pkgdbdir@/pkg-vulnerabilities + + @sysconfdir@/audit-packages.conf + +EEXXAAMMPPLLEESS + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be run via cron(8) to update + the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily. And aauuddiitt--ppaacckkaaggeess can be run via + cron(8) (or with NetBSD's _/_e_t_c_/_s_e_c_u_r_i_t_y_._l_o_c_a_l daily security script). + + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use IPv4 with + the following setting in @sysconfdir@/audit-packages.conf: + + FETCH_ARGS="-4" + + The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use http to + download the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file with the following setting in + @sysconfdir@/audit-packages.conf: + + FETCH_PROTO="http" + +SSEEEE AALLSSOO + pkg_info(1), audit-packages.conf(5), mk.conf(5), packages(7), + _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m + +HHIISSTTOORRYY + The aauuddiitt--ppaacckkaaggeess and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were origi- + nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on + September 19, 2000. During April 2007 aauuddiitt--ppaacckkaaggeess was re-written by + Adrian Portelli and support was added for compressed files and checking + signatures on downloaded files. The original idea came from Roland + Dowdeswell and Bill Sommerfeld. + +NetBSD 3.1 July 07, 2007 NetBSD 3.1 
diff --git a/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.sh.in b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.sh.in
new file mode 100644
index 00000000000..949af37c337
--- /dev/null
+++ b/pkgtools/pkg_install/files/audit-packages/download-vulnerability-list.sh.in
@@ -0,0 +1,205 @@
+#!/bin/sh
+
+# $NetBSD: download-vulnerability-list.sh.in,v 1.1 2007/07/14 20:17:10 adrianp Exp $
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Alistair Crooks
+# for the NetBSD project.
+# 4. The name of the author may not be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+: ${PKGVULNDIR="@pkgdbdir@"}
+: ${COMPRESS_TYPE="gzip"}
+: ${FETCH_CMD=@ftp@}
+: ${FETCH_ARGS=""}
+: ${FETCH_PROTO=ftp}
+
+AP=@prefix@/sbin/audit-packages
+NEW_VUL_LIST=pkg-vulnerabilities.$$
+EXIST_VUL_LIST=pkg-vulnerabilities
+FETCH_PATH="ftp.NetBSD.org/pub/NetBSD/packages/vulns"
+_CONF_FILE="@sysconfdir@/audit-packages.conf"
+COMPRESS_TOOL=""
+
+usage()
+{
+ argv0="${1##*/}"
+ cat <<EOF
+$2
+Usage: $argv0 [-s] [-c config-file]
+ -s : Verify the signature on the downloaded file.
+ -c : Specify a custom configuration file to use.
+EOF
+ exit 1
+}
+
+verify=no
+custom_conf=no
+conf_found=no
+neednew=no
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -s)
+ verify=yes
+ ;;
+ -c)
+ custom_conf=yes
+ local_conf="$2"
+ ;;
+ *)
+ usage "$0" "Unknown option $1"
+ esac
+ shift
+done
+
+# generic conf file handler
+if [ -r ${_CONF_FILE} ]; then
+ conf_found=yes
+fi
+
+# see if the user wants us to use a custom config file
+if [ "x${custom_conf}" = "xyes" ]; then
+ if [ -r ${local_conf} ]; then
+ conf_found=yes
+ _CONF_FILE=${local_conf}
+ fi
+fi
+
+# only do the following if we have found a config file to use
+if [ "x${conf_found}" = "xyes" ]; then
+ if [ -r ${_CONF_FILE} ]; then
+ echo "Reading settings from ${_CONF_FILE}"
+ . ${_CONF_FILE}
+ fi
+fi
+
+# setup the compression type
+case "${COMPRESS_TYPE}" in
+bzip2) COMPRESS_EXTN=.bz2
+ compressed=yes
+ ;;
+gzip) COMPRESS_EXTN=.gz
+ compressed=yes
+ ;;
+none) COMPRESS_EXTN=""
+ compressed=no
+ ;;
+*) echo "***ERROR*** Unknown COMPRESS_TYPE specified - Only bzip2 and gzip are currently supported."
+ exit 1
+ ;;
+esac
+
+# setup the compression tool and arguments
+if [ "x${compressed}" = "xyes" ]; then
+ if [ "x${COMPRESS_TYPE}" = "xgzip" -a "x${COMPRESS_TOOL}" = "x" ]; then
+ COMPRESS_TOOL="@gzcat@"
+ fi
+
+ if [ "x${COMPRESS_TYPE}" != "xgzip" -a "x${COMPRESS_TOOL}" = "x" ]; then
+ echo "***ERROR*** A non-default COMPRESS_TYPE has been specified without a COMPRESS_TOOL"
+ exit 1
+ fi
+fi
+
+VUL_SOURCE="${FETCH_PROTO}://${FETCH_PATH}/pkg-vulnerabilities${COMPRESS_EXTN}"
+
+if [ ! -d ${PKGVULNDIR}/. ]; then
+ echo "Creating ${PKGVULNDIR}"
+
+ /bin/mkdir ${PKGVULNDIR}
+ if [ ! -d ${PKGVULNDIR} ]; then
+ echo "***ERROR*** Can't create: ${PKGVULNDIR}"
+ exit 1
+ fi
+fi
+
+if [ ! "x${FETCH_PROTO}" = "xhttp" -a ! "x${FETCH_PROTO}" = "xftp" ]; then
+ echo "***ERROR*** Unknown FETCH_PROTO specified - Only http and ftp are currently supported."
+ exit 1
+fi
+
+cd ${PKGVULNDIR}
+utility=`basename "${FETCH_CMD}"`
+case "${utility}" in
+curl|fetch|ftp) ${FETCH_CMD} ${FETCH_ARGS} \
+ -o ${NEW_VUL_LIST}${COMPRESS_EXTN} ${VUL_SOURCE} ;;
+wget) ${FETCH_CMD} ${FETCH_ARGS} \
+ -O ${NEW_VUL_LIST}${COMPRESS_EXTN} ${VUL_SOURCE} ;;
+*) echo "Unknown fetch command - please use send-pr to send in support for your fetch command" 1>&2
+ exit 1
+ ;;
+esac
+
+# see if we got a file
+if [ ! -f "${NEW_VUL_LIST}${COMPRESS_EXTN}" ]; then
+ echo "***ERROR*** Download of vulnerabilities file failed" 1>&2
+ exit 1
+fi
+
+# decompress the downloaded file and delete the download
+if [ "x${compressed}" = "xyes" ]; then
+ ${COMPRESS_TOOL} ${NEW_VUL_LIST}${COMPRESS_EXTN} > ${NEW_VUL_LIST}
+ /bin/rm -f ${NEW_VUL_LIST}${COMPRESS_EXTN}
+fi
+
+# compare the old and new files to see if there's a difference
+if [ -f ${EXIST_VUL_LIST} ]; then
+ exist_hash=`${AP} -g ${EXIST_VUL_LIST}`
+ new_hash=`${AP} -g ${NEW_VUL_LIST}`
+
+ if [ "x${exist_hash}" != "x${new_hash}" ]; then
+ neednew=yes
+ else
+ echo "No change from existing package vulnerabilities file"
+ /bin/rm -f ${NEW_VUL_LIST}
+ exit 0
+ fi
+else
+ neednew=yes
+fi
+
+# check the hash and/or sig on the new file
+if [ "x${verify}" = "xyes" ]; then
+ ${AP} -s -h ${NEW_VUL_LIST}
+else
+ ${AP} -h ${NEW_VUL_LIST}
+fi
+
+ec=$?;
+
+if [ $ec -ne 0 ]; then
+ echo "***ERROR*** Failed to verify the newly downloaded vulnerabilities file" 1>&2
+ /bin/rm -f ${NEW_VUL_LIST}
+ exit 1
+fi
+
+# move the new file into position
+echo "Package vulnerabilities file has been updated"
+/bin/chmod a+r ${NEW_VUL_LIST}
+/bin/mv -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
+
+exit 0
diff --git a/pkgtools/pkg_install/files/configure b/pkgtools/pkg_install/files/configure
index a8236b21331..2bef0e030b7 100755
--- a/pkgtools/pkg_install/files/configure
+++ b/pkgtools/pkg_install/files/configure
@@ -269,7 +269,7 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='pkg_install' PACKAGE_TARNAME='pkg_install' -PACKAGE_VERSION='20070414' +PACKAGE_VERSION='20070416' PACKAGE_STRING='pkg_install 20070416' PACKAGE_BUGREPORT='grant@NetBSD.org'
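Review bot: The `cd ${PKGVULNDIR}` before the fetch `case` is unchecked, so if the directory exists but cannot be entered the download, the `${AP} -g`/`${AP} -h` checks and the final `/bin/mv -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}` all operate in the caller's current directory instead of the package database; use `cd "${PKGVULNDIR}" || { echo "***ERROR*** Can't enter ${PKGVULNDIR}" 1>&2; exit 1; }`. As rendered here the `-c)` arm of the option loop stores `$2` but has no `shift` of its own, so the configuration file name is seen again as `$1` on the next iteration and rejected by `usage` — unless a line was lost in the rendering, `shift` is needed after `local_conf="$2"`. An unreadable `-c` file is then silently dropped and the default `${_CONF_FILE}` is sourced instead, which means the GPG, FETCH_* and PKGVULNDIR settings actually used are not the ones the operator asked for; that branch should fail rather than fall back. The exit status of `${COMPRESS_TOOL} ${NEW_VUL_LIST}${COMPRESS_EXTN} > ${NEW_VUL_LIST}` is also never examined, so a failed decompression is only caught later if `${AP} -h` rejects the truncated output, and the `neednew` variable is set in both branches but never read.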
@@ -6004,7 +6004,7 @@ esac - ac_config_files="$ac_config_files Makefile add/Makefile admin/Makefile bpm/bpm.sh create/Makefile delete/Makefile info/Makefile lib/Makefile view/Makefile view/linkfarm.sh view/pkg_view.sh" + ac_config_files="$ac_config_files Makefile add/Makefile admin/Makefile audit-packages/Makefile audit-packages/audit-packages.1 audit-packages/audit-packages.cat1 audit-packages/audit-packages.conf audit-packages/audit-packages.conf.5 audit-packages/audit-packages.conf.cat5 audit-packages/download-vulnerability-list.1 audit-packages/download-vulnerability-list.cat1 audit-packages/download-vulnerability-list.sh bpm/bpm.sh create/Makefile delete/Makefile info/Makefile lib/Makefile view/Makefile view/linkfarm.sh view/pkg_view.sh" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -6534,6 +6534,15 @@ do "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;; "add/Makefile" ) CONFIG_FILES="$CONFIG_FILES add/Makefile" ;; "admin/Makefile" ) CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;; + "audit-packages/Makefile" ) CONFIG_FILES="$CONFIG_FILES audit-packages/Makefile" ;; + "audit-packages/audit-packages.1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.1" ;; + "audit-packages/audit-packages.cat1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.cat1" ;; + "audit-packages/audit-packages.conf" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.conf" ;; + "audit-packages/audit-packages.conf.5" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.conf.5" ;; + "audit-packages/audit-packages.conf.cat5" ) CONFIG_FILES="$CONFIG_FILES audit-packages/audit-packages.conf.cat5" ;; + "audit-packages/download-vulnerability-list.1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/download-vulnerability-list.1" ;; + "audit-packages/download-vulnerability-list.cat1" ) CONFIG_FILES="$CONFIG_FILES audit-packages/download-vulnerability-list.cat1" ;; + "audit-packages/download-vulnerability-list.sh" ) CONFIG_FILES="$CONFIG_FILES audit-packages/download-vulnerability-list.sh" ;; "bpm/bpm.sh" ) CONFIG_FILES="$CONFIG_FILES bpm/bpm.sh" ;; "create/Makefile" ) CONFIG_FILES="$CONFIG_FILES create/Makefile" ;; "delete/Makefile" ) CONFIG_FILES="$CONFIG_FILES delete/Makefile" ;; diff --git a/pkgtools/pkg_install/files/configure.ac b/pkgtools/pkg_install/files/configure.ac index 85338224cd2..0de6c502928 100644 --- a/pkgtools/pkg_install/files/configure.ac +++ b/pkgtools/pkg_install/files/configure.ac 
@@ -142,7 +142,14 @@ AH_BOTTOM(
 #endif
 )
-AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile bpm/bpm.sh \
+AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile
+ audit-packages/Makefile audit-packages/audit-packages.1 \
+ audit-packages/audit-packages.cat1 audit-packages/audit-packages.conf \
+ audit-packages/audit-packages.conf.5 \
+ audit-packages/audit-packages.conf.cat5 \
+ audit-packages/download-vulnerability-list.1 \
+ audit-packages/download-vulnerability-list.cat1 \
+ audit-packages/download-vulnerability-list.sh bpm/bpm.sh \
 create/Makefile delete/Makefile info/Makefile lib/Makefile \
 view/Makefile view/linkfarm.sh view/pkg_view.sh])
 AC_OUTPUT |
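Review bot: The new opening line of the AC_CONFIG_FILES list, `AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile`, drops the trailing `\` that the removed line had and that every other continuation line in the list keeps. Inside the m4-quoted bracket argument a bare newline is accepted as list whitespace, so this most likely still works (the regenerated configure in this same commit shows the list flattened onto one line), but it reads as an accidental edit and is inconsistent with the surrounding lines. Suggested: `AC_CONFIG_FILES([Makefile add/Makefile admin/Makefile \`.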