Add a file format version to pkg-vulnerabilities, and check for

its compatiblity. Bump version to 1.35 Done during the freeze to have the support on the branch. Okayed by wiz.
author: dillo <dillo> 2005-06-07 19:17:01 +0000
committer: dillo <dillo> 2005-06-07 19:17:01 +0000
commit: c5ff0eca47a9f9e0a328a2522d673af0f5a3c8b9 (patch)
tree: 2449b9685e962f6bca80eaf54d69ce419ed23013 /security
parent: 75c1d6a1db622825e8cf49ac157951fba85ba6ff (diff)
download: pkgsrc-c5ff0eca47a9f9e0a328a2522d673af0f5a3c8b9.tar.gz
4 files changed, 145 insertions, 48 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile
index 883436aba9a..6b0aacaacd0 100644
--- a/security/audit-packages/Makefile
+++ b/security/audit-packages/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.54 2005/05/21 16:36:37 dillo Exp $
+# $NetBSD: Makefile,v 1.55 2005/06/07 19:17:01 dillo Exp $
 
-DISTNAME=	audit-packages-1.34
+DISTNAME=	audit-packages-1.35
 CATEGORIES=	security pkgtools
 MASTER_SITES=	# empty
 DISTFILES=	# empty
diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages
index 8010ff1ace1..297eec73fd4 100755
--- a/security/audit-packages/files/audit-packages
+++ b/security/audit-packages/files/audit-packages
@@ -1,6 +1,6 @@
 #! @SH@
 #
-# $NetBSD: audit-packages,v 1.18 2005/05/21 16:36:37 dillo Exp $
+# $NetBSD: audit-packages,v 1.19 2005/06/07 19:17:01 dillo Exp $
 #
 # Copyright (c) 2000-2003 Alistair Crooks.  All rights reserved.
 #
@@ -33,8 +33,14 @@
 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 
+ERR_DOWNLOAD="Please run download-vulnerability-list"
+ERR_UPGRADE="Please upgrade audit-packages to the newest version"
+
 : ${PKGVULNDIR=@PKGVULNDIR@}
 
+FORMAT_MAJOR=1
+FORMAT_MINOR=0
+
 if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then
 	echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf"
 	. @PKG_SYSCONFDIR@/audit-packages.conf
@@ -53,7 +59,11 @@ done
 errmsg=""
 
 # check for missing vulnerabilities file
-[ ! -f "$vuls" ] && errmsg="** Missing $vuls"
+if [ ! -f "$vuls" ]
+then
+	errmsg="Missing vulnerabilities file $vuls"
+	errsolution="$ERR_DOWNLOAD"
+fi
 
 case "$errmsg" in
 "")	# check for old vulnerabilities file if we're being verbose
@@ -65,18 +75,42 @@ case "$errmsg" in
 esac
 
 case "$errmsg" in
+"")	# check format version of vulnerabilities file
+	file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\."); print a[1] }' "$vuls"`
+	file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\."); print a[2] }' "$vuls"`
+	if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]
+	then
+		errmsg="No file format version found in $vuls"
+		errsolution="$ERR_DOWNLOAD"
+	elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]
+	then
+		errmsg="Unsupported file format version $file_major.$file_minor in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR)."
+		if [ "$file_major" -le "$FORMAT_MAJOR" ]
+		then
+			errsolution="$ERR_DOWNLOAD"
+		else
+			errsolution="$ERR_UPGRADE"
+		fi
+	fi
+	;;
+esac
+
+case "$errmsg" in
 "")	# check integrity of vulnerabilities file
 	recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' "$vuls"`
 	recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' "$vuls"`
 	case "$recordedsum" in
-	"")	errmsg="***WARNING*** No checksum found in $vuls"
+	"")	errmsg="No checksum found in $vuls"
+		errsolution="$ERR_DOWNLOAD"
 		;;
 	*)	case "$recordedalg" in
-		"")	errmsg="***WARNING*** No checksum algorithm found in $vuls file"
+		"")	errmsg="No checksum algorithm found in $vuls file"
+			errsolution="$ERR_DOWNLOAD"
 			;;
 		*)	calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' "$vuls" | @DIGEST@ "$recordedalg"`
 			if [ "$recordedsum" != "$calcsum" ]; then
-				errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
+				errmsg="Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
+				errsolution="$ERR_DOWNLOAD"
 			fi
 			;;
 		esac
@@ -88,8 +122,8 @@ esac
 # if we have found an error, then complain and exit
 case "$errmsg" in
 "")	;;
-*)	echo "$errmsg" 1>&2
-	echo "** Please run download-vulnerability-list" 1>&2
+*)	echo "***ERROR*** $errmsg" 1>&2
+	echo "** $errsolution" 1>&2
 	exit 1
 	;;
 esac
diff --git a/security/audit-packages/files/audit-packages.0 b/security/audit-packages/files/audit-packages.0
index 7e035259687..025782aa1b6 100644
--- a/security/audit-packages/files/audit-packages.0
+++ b/security/audit-packages/files/audit-packages.0
@@ -1,7 +1,7 @@
 AUDIT-PACKAGES(8)       NetBSD System Manager's Manual       AUDIT-PACKAGES(8)
 
 NNAAMMEE
-     aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt - show vulnerabilities in
+     aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in
      installed packages
 
 SSYYNNOOPPSSIISS
@@ -25,40 +25,40 @@ DDEESSCCRRIIPPTTIIOONN
      Each line lists the package and vulnerable versions, the type of exploit,
      and an Internet address for further information.  The type of exploit can
      be any text, although some common types of exploits listed are:
-           ++oo   cross-site-html
-           ++oo   cross-site-scripting
-           ++oo   denial-of-service
-           ++oo   file-permissions
-           ++oo   local-access
-           ++oo   local-code-execution
-           ++oo   local-file-read
-           ++oo   local-file-removal
-           ++oo   local-file-write
-           ++oo   local-root-file-view
-           ++oo   local-root-shell
-           ++oo   local-symlink-race
-           ++oo   local-user-file-view
-           ++oo   local-user-shell
-           ++oo   privacy-leak
-           ++oo   remote-code-execution
-           ++oo   remote-command-inject
-           ++oo   remote-file-creation
-           ++oo   remote-file-read
-           ++oo   remote-file-view
-           ++oo   remote-file-write
-           ++oo   remote-key-theft
-           ++oo   remote-root-access
-           ++oo   remote-root-shell
-           ++oo   remote-script-inject
-           ++oo   remote-server-admin
-           ++oo   remote-use-of-secret
-           ++oo   remote-user-access
-           ++oo   remote-user-file-view
-           ++oo   remote-user-shell
-           ++oo   unknown
-           ++oo   weak-authentication
-           ++oo   weak-encryption
-           ++oo   weak-ssl-authentication
+           ��   cross-site-html
+           ��   cross-site-scripting
+           ��   denial-of-service
+           ��   file-permissions
+           ��   local-access
+           ��   local-code-execution
+           ��   local-file-read
+           ��   local-file-removal
+           ��   local-file-write
+           ��   local-root-file-view
+           ��   local-root-shell
+           ��   local-symlink-race
+           ��   local-user-file-view
+           ��   local-user-shell
+           ��   privacy-leak
+           ��   remote-code-execution
+           ��   remote-command-inject
+           ��   remote-file-creation
+           ��   remote-file-read
+           ��   remote-file-view
+           ��   remote-file-write
+           ��   remote-key-theft
+           ��   remote-root-access
+           ��   remote-root-shell
+           ��   remote-script-inject
+           ��   remote-server-admin
+           ��   remote-use-of-secret
+           ��   remote-user-access
+           ��   remote-user-file-view
+           ��   remote-user-shell
+           ��   unknown
+           ��   weak-authentication
+           ��   weak-encryption
+           ��   weak-ssl-authentication
 
      By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc-
      tory.  This can be changed by defining the environment variable
@@ -88,6 +88,36 @@ EEXXAAMMPPLLEESS
 
      export FETCH_ARGS="-4"
 
+DDIIAAGGNNOOSSTTIICCSS
+     The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs.
+
+     The following errors can occur:
+
+     Checksum mismatch
+                 The vulnerabilities file is corrupted.  Run
+                 ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+     Missing vulnerabilities file
+                 The vulnerabilities file could not be found.  Run
+                 ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+     No checksum algorithm found
+                 The vulnerabilities file is too old or incomplete.  Run
+                 ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+     No checksum found
+                 The vulnerabilities file is too old or incomplete.  Run
+                 ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+     No file format version found
+                 The vulnerabilities file is too old or incomplete.  Run
+                 ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.
+
+     Unsupported file format version
+                 The vulnerabilities file is too old or too new.  If it's too
+                 old, run ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt.  If it's too new,
+                 update the aauuddiitt--ppaacckkaaggeess package.
+
 SSEEEE AALLSSOO
      pkg_info(1), mk.conf(5), packages(7), @PKGSRCDIR@/mk/bsd.pkg.defaults.mk
      and
@@ -100,4 +130,4 @@ HHIISSTTOORRYY
      September 19, 2000.  The original idea came from Roland Dowdeswell and
      Bill Sommerfeld.
 
-NetBSD 2.0                       May 12, 2004                       NetBSD 2.0
+NetBSD 3.0                       May 27, 2005                       NetBSD 3.0
diff --git a/security/audit-packages/files/audit-packages.8 b/security/audit-packages/files/audit-packages.8
index 5a9c31c344f..17c8477a403 100644
--- a/security/audit-packages/files/audit-packages.8
+++ b/security/audit-packages/files/audit-packages.8
@@ -1,5 +1,6 @@
-.\" $NetBSD: audit-packages.8,v 1.9 2005/05/07 22:15:25 wiz Exp $
-.Dd May 12, 2004
+.\" $NetBSD: audit-packages.8,v 1.10 2005/06/07 19:17:01 dillo Exp $
+.\" XXX: License?
+.Dd May 27, 2005
 .Os
 .Dt AUDIT-PACKAGES 8
 .Sh NAME
@@ -135,7 +136,6 @@ Specifies optional arguments for the ftp client.
 @PKGVULNDIR@/pkg-vulnerabilities
 .Pp
 @PKG_SYSCONFDIR@/audit-packages.conf
-.\" .Sh EXAMPLES
 .Sh EXAMPLES
 The
 .Nm download-vulnerability-list
@@ -159,6 +159,39 @@ command can be forced to use IPv4 with the following setting in
 @PKG_SYSCONFDIR@/audit-packages.conf :
 .Pp
 export FETCH_ARGS="-4"
+.Sh DIAGNOSTICS
+.Ex -std audit-packages
+.Pp
+The following errors can occur: 
+.Bl -tag -width 10n
+.It Checksum mismatch
+The vulnerabilities file is corrupted.
+Run
+.Nm download-vulnerability-list .
+.It Missing vulnerabilities file
+The vulnerabilities file could not be found.
+Run
+.Nm download-vulnerability-list .
+.It \&No checksum algorithm found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm download-vulnerability-list .
+.It \&No checksum found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm download-vulnerability-list .
+.It \&No file format version found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm download-vulnerability-list .
+.It Unsupported file format version
+The vulnerabilities file is too old or too new.
+If it's too old, run
+.Nm download-vulnerability-list .
+If it's too new, update the
+.Nm audit-packages
+package.
+.El
 .Sh SEE ALSO
 .Xr pkg_info 1 ,
 .Xr mk.conf 5 ,
author	dillo <dillo>	2005-06-07 19:17:01 +0000
committer	dillo <dillo>	2005-06-07 19:17:01 +0000
commit	c5ff0eca47a9f9e0a328a2522d673af0f5a3c8b9 (patch)
tree	2449b9685e962f6bca80eaf54d69ce419ed23013 /security
parent	75c1d6a1db622825e8cf49ac157951fba85ba6ff (diff)
download	pkgsrc-c5ff0eca47a9f9e0a328a2522d673af0f5a3c8b9.tar.gz