author | agc <agc> | 2003-04-17 12:36:54 +0000 |
---|---|---|
committer | agc <agc> | 2003-04-17 12:36:54 +0000 |
commit | b79e05a494d81a3b1ac8c14c5d44f9843420950b (patch) | |
tree | 66eb1c6f8e4deb4d73948dc3c5994b738ee5cf39 /mk | |
parent | ef7061112cf0241b719f85d46c57d4f9684b6e3a (diff) | |
download | pkgsrc-b79e05a494d81a3b1ac8c14c5d44f9843420950b.tar.gz |
Add a check at fetch time to see if there are any known vulnerabilities
in a package - should keep some admins' blood pressure a bit lower.
Inspired by PR 19479.
Output where there is a vulnerability looks like:
[13:30:05] agc@sys1 ...pkgsrc/net/samba 28 > make fetch
===> do-fetch [samba-2.2.8]
===> Checking for vulnerabilities in samba-2.2.8
*** WARNING - remote-root-access vulnerability in samba-2.2.8 - see http://lists.samba.org/pipermail/samba-announce/2003-April/000065.html for more information ***
*** Error code 1
Stop.
make: stopped in /usr/pkgsrc/net/samba
*** Error code 1
Stop.
make: stopped in /usr/pkgsrc/net/samba
whilst output where there is no vulnerability looks like:
[13:30:28] agc@sys1 ...pkgsrc/net/ethereal 30 > make fetch
===> do-fetch [ethereal-0.9.11]
===> Checking for vulnerabilities in ethereal-0.9.11
=> ethereal-0.9.11.tar.gz doesn't seem to exist on this system.
=> Attempting to fetch ethereal-0.9.11.tar.gz from ftp://ftp.sunet.se/pub/network/monitoring/ethereal/.
=> [4457475 bytes]
Trying 194.71.11.40...
Connected to ftp.sunet.se.
220-####################################################################
Diffstat (limited to 'mk')
-rw-r--r-- | mk/bsd.pkg.mk | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/mk/bsd.pkg.mk b/mk/bsd.pkg.mk index ffd379aeb11..dfe5b273bc7 100644 --- a/mk/bsd.pkg.mk +++ b/mk/bsd.pkg.mk @@ -1,4 +1,4 @@ -# $NetBSD: bsd.pkg.mk,v 1.1168 2003/04/15 19:51:21 grant Exp $ +# $NetBSD: bsd.pkg.mk,v 1.1169 2003/04/17 12:36:54 agc Exp $ # # This file is in the public domain. # @@ -1399,8 +1399,24 @@ batch-check-distfiles: ${FALSE} ;; \ esac +# check for any vulnerabilities in the package +# Please do not modify the leading "@" here +check-vulnerable: + @if [ -f ${DISTDIR}/vulnerabilities ]; then \ + ${SETENV} PKGNAME="${PKGNAME}" \ + ${AWK} '/#.*/ { next } \ + { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${DISTDIR}/vulnerabilities || ${FALSE}; \ + fi + .if !target(do-fetch) do-fetch: + @${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}" + ${_PKG_SILENT}${_PKG_DEBUG} \ + vul=`${MAKE} ${MAKEFLAGS} check-vulnerable`; \ + case "$$vul" in \ + "") ;; \ + *) ${ECHO} "$$vul"; ${FALSE} ;; \ + esac . if !empty(_ALLFILES) ${_PKG_SILENT}${_PKG_DEBUG} \ ${TEST} -d ${_DISTDIR} || ${MKDIR} ${_DISTDIR} |
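Review bot: in the `check-vulnerable` target of the second hunk, the three fields of each `vulnerabilities` line are interpolated with `sprintf` into a command string that awk hands to `system()`, so a `"`, backquote or `$` in the pattern or URL field of that file is interpreted by the shell instead of reaching `${PKG_ADMIN} pmatch` and `${ECHO}` as data; since the file is consumed without validation, pass the fields as arguments instead (for instance loop in sh with `read -r pat kind url` and call `${PKG_ADMIN} pmatch "$$pat" "$$PKGNAME"` directly), or at least skip lines containing shell metacharacters. Two smaller points in the same awk program: the comment filter `/#.*/ { next }` drops any line containing `#` anywhere, including an entry whose URL carries a fragment, and should be anchored as `/^#/`; and blank or short lines are not skipped, so `pmatch` is run with empty arguments, which a guard such as `NF < 3 { next }` would avoid. The trailing `|| ${FALSE}` only reflects awk's own exit status, never a match, so the result is really carried by the stdout captured into `vul` in `do-fetch`; that is why the leading `@` must stay (an echoed command line would count as a hit), but it also means any other stdout from the sub-make counts as a vulnerability, while a missing `${DISTDIR}/vulnerabilities` passes silently with no message, and there is no make variable an admin can set to continue after reading the warning.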
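As an added example, not code from this commit or from pkgsrc: a POSIX sh re-implementation of the fetch-time check described in the commit message, keeping the same three-field `vulnerabilities` format (pattern, kind, URL) but passing every field to the matcher as an argument rather than through `sprintf`/`system()`, treating only lines that start with `#` as comments, and rejecting entries with fewer than three fields. The `pmatch` function is a stand-in for `pkg_admin pmatch` that uses shell glob matching so the script runs without pkgsrc; the dewey-style version comparisons pkg_admin understands are assumed away here. The file in the demo is constructed; only the samba URL is the one quoted in the commit message.

```shell
#!/bin/sh
# Added example, not pkgsrc code: a hardened version of the check-vulnerable
# logic.  Fields read from the vulnerabilities file are passed as arguments,
# never interpolated into a command string, so a hostile entry cannot run
# commands.  Only lines starting with '#' are comments, and entries with
# fewer than three fields are reported and skipped.

# Stand-in for "pkg_admin pmatch PATTERN PKGNAME" so this runs without
# pkgsrc (assumption): plain shell glob matching.  The real pkg_admin also
# understands dewey patterns such as "samba<2.2.8a", which this does not.
# Returns 0 when PKGNAME matches PATTERN.
pmatch() {
    case "$2" in
        $1) return 0 ;;   # $1 unquoted on purpose: it is the glob
    esac
    return 1
}

# check_vulnerable PKGNAME FILE
# Prints one warning per matching entry; returns 1 if any matched, else 0.
# A missing FILE is reported on stderr and treated as "nothing known".
check_vulnerable() {
    pkgname=$1
    vulnfile=$2
    hits=0
    if [ ! -f "$vulnfile" ]; then
        echo "*** no vulnerabilities file at $vulnfile, check skipped ***" >&2
        return 0
    fi
    # read -r keeps backslashes literal; whitespace splitting yields the
    # three fields and _rest absorbs anything trailing.
    while read -r pat kind url _rest; do
        case "$pat" in
            '' | '#'*) continue ;;            # blank line or comment
        esac
        if [ -z "$kind" ] || [ -z "$url" ]; then
            echo "*** malformed entry skipped: $pat" >&2
            continue
        fi
        if pmatch "$pat" "$pkgname"; then
            # printf %s prints the URL verbatim, even if it holds $( ) or `
            printf '*** WARNING - %s vulnerability in %s - see %s for more information ***\n' \
                "$kind" "$pkgname" "$url"
            hits=$((hits + 1))
        fi
    done < "$vulnfile"
    [ "$hits" -eq 0 ]
}

# Demo on a constructed vulnerabilities file: a comment, a samba entry with
# the URL from the commit message, an entry whose URL contains shell
# metacharacters and a '#' fragment, and a malformed two-field line.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# pattern          kind                  url
samba-2.2.[0-8]    remote-root-access    http://lists.samba.org/pipermail/samba-announce/2003-April/000065.html
ethereal-0.9.1*    constructed-kind      http://example.invalid/advisory.html?x=$(id)#fix
incomplete-1.0     missing-url
EOF
check_vulnerable samba-2.2.8 "$demo" || echo "fetch would stop here (exit $?)"
check_vulnerable postfix-2.0.1 "$demo" && echo "postfix-2.0.1: nothing known"
rm -f "$demo"
```

In a pkgsrc-style target the same loop would call `${PKG_ADMIN} pmatch "$$pat" "$$PKGNAME"` in place of the `pmatch` function; the point is that the pattern and URL never pass through a shell parser as code, so the file can contain any characters an advisory URL might need.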