authoragc <agc>2003-09-02 10:20:27 +0000
committeragc <agc>2003-09-02 10:20:27 +0000
commitf2ad96a7f2bf63813a5c3ac5ec44a2fa98b3e216 (patch)
tree9750e814b33bc16ca1a0e3ba6617b3d75c9e5ecb /security
parent574ab9e311cb7f577647dbf5e0de5cd8dbcb4cef (diff)
downloadpkgsrc-f2ad96a7f2bf63813a5c3ac5ec44a2fa98b3e216.tar.gz
Update audit-packages to 1.18.
Changes from previous version: + rely on an embedded sha1 digest to tell whether the vulnerabilities file has been damaged in transit or received successfully, rather than trusting that the file will not grow smaller + use the new filename "pkg-vulnerabilities" + use definitions from defs.${OPSYS}.mk in the download-vulnerability-list script + at installation time, don't rely on "ln -sf" to DTRT - explicitly call "rm -f" before attempting the symbolic link With thanks to seb@ for testing.
Diffstat (limited to 'security')
-rw-r--r--security/audit-packages/MESSAGE5
-rw-r--r--security/audit-packages/Makefile18
-rwxr-xr-xsecurity/audit-packages/files/audit-packages22
-rw-r--r--security/audit-packages/files/download-vulnerability-list67
4 files changed, 75 insertions, 37 deletions
diff --git a/security/audit-packages/MESSAGE b/security/audit-packages/MESSAGE
index aeb6179539c..d4f12dbf3fe 100644
--- a/security/audit-packages/MESSAGE
+++ b/security/audit-packages/MESSAGE
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.2 2002/09/24 12:30:33 wiz Exp $
+$NetBSD: MESSAGE,v 1.3 2003/09/02 10:20:27 agc Exp $
You may wish to have the vulnerabilities file downloaded daily so that
it remains current. This may be done by adding an appropriate entry
@@ -8,7 +8,8 @@ to the root users crontab(5) entry. For example the entry
# download vulnerabilities file
0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
-will update the vulnerability list every day at 3AM.
+will update the vulnerability list every day at 3AM. You may wish to do
+this more often than once a day.
In addition, you may wish to run the package audit from the daily
security script. This may be accomplished by adding the following
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile
index 893a2170fcd..238171baf9c 100644
--- a/security/audit-packages/Makefile
+++ b/security/audit-packages/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.26 2003/08/22 10:11:57 agc Exp $
+# $NetBSD: Makefile,v 1.27 2003/09/02 10:20:27 agc Exp $
-DISTNAME= audit-packages-1.17
+DISTNAME= audit-packages-1.18
WRKSRC= ${WRKDIR}
CATEGORIES= security pkgtools
MASTER_SITES= # empty
@@ -31,18 +31,24 @@ do-build:
-e 's|@PKGSRCDIR@|${_PKGSRCDIR}|g' \
-e 's|@PKG_TOOLS_BIN@|${PKG_TOOLS_BIN}|g' \
-e 's|@SH@|${SH}|g' \
- -e 's|@WC@|${WC}|g' \
+ -e 's|@DIGEST@|${DIGEST}|g' \
+ -e 's|@CHMOD@|${CHMOD}|g' \
+ -e 's|@MV@|${MV}|g' \
+ -e 's|@RM@|${RM}|g' \
+ -e 's|@MKDIR@|${MKDIR}|g' \
${FILESDIR}/$$f > ${WRKSRC}/$$f; \
done
${NROFF} ${WRKSRC}/audit-packages.8 >${WRKSRC}/audit-packages.0
do-install:
@for f in audit-packages download-vulnerability-list; do \
- ${INSTALL_SCRIPT} ${WRKSRC}/$$f ${PREFIX}/sbin; \
+ ${INSTALL_SCRIPT} ${WRKSRC}/$$f ${PREFIX}/sbin; \
done
${INSTALL_MAN} ${WRKSRC}/audit-packages.0 ${PREFIX}/man/cat8
${INSTALL_MAN} ${WRKSRC}/audit-packages.8 ${PREFIX}/man/man8
- ${LN} -sf audit-packages.0 ${PREFIX}/man/cat8/download-vulnerability-list.0
- ${LN} -sf audit-packages.8 ${PREFIX}/man/man8/download-vulnerability-list.8
+ ${RM} -f ${PREFIX}/man/cat8/download-vulnerability-list.0
+ ${LN} -s audit-packages.0 ${PREFIX}/man/cat8/download-vulnerability-list.0
+ ${RM} -f ${PREFIX}/man/man8/download-vulnerability-list.8
+ ${LN} -s audit-packages.8 ${PREFIX}/man/man8/download-vulnerability-list.8
.include "../../mk/bsd.pkg.mk"
diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages
index 701f5311940..893ce36620d 100755
--- a/security/audit-packages/files/audit-packages
+++ b/security/audit-packages/files/audit-packages
@@ -1,19 +1,19 @@
#! @SH@
-# $NetBSD: audit-packages,v 1.10 2003/05/21 14:07:45 seb Exp $
+
+# $NetBSD: audit-packages,v 1.11 2003/09/02 10:20:28 agc Exp $
: ${PKGVULNDIR=@PKGVULNDIR@}
-if [ ! -f ${PKGVULNDIR}/vulnerabilities ] ;then
- echo "** Missing ${PKGVULNDIR}/vulnerabilities" 1>&2
- echo "** run download-vulnerability-list" 1>&2
- exit 1
+if [ ! -f ${PKGVULNDIR}/vulnerabilities ]; then
+ echo "** Missing ${PKGVULNDIR}/pkg-vulnerabilities" 1>&2
+ echo "** run download-vulnerability-list" 1>&2
+ exit 1
fi
-if [ -n "$(find ${PKGVULNDIR}/vulnerabilities -ctime +7)" ]
-then
- echo "** ${PKGVULNDIR}/vulnerabilities more than a week old" 1>&2
- echo "** run download-vulnerability-list" 1>&2
- exit 1
+if [ -n "$(find ${PKGVULNDIR}/pkg-vulnerabilities -ctime +7)" ]; then
+ echo "** ${PKGVULNDIR}/pkg-vulnerabilities more than a week old" 1>&2
+ echo "** run download-vulnerability-list" 1>&2
+ exit 1
fi
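Review bot: The existence test on the first added `if` line still checks the old path `${PKGVULNDIR}/vulnerabilities`, while the message directly under it and the staleness check that follows both refer to `pkg-vulnerabilities`. On a host that has only the new file the script exits with a misleading "Missing pkg-vulnerabilities"; on a host that still has only the old file it passes this test, the `find` on the non-existent new file prints nothing on stdout so the age test passes as well, and awk is then run on a file that is not there, so the audit silently reports nothing. The line should read `if [ ! -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then`.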
@AWK@ '
@@ -21,6 +21,6 @@ fi
NF == 0 { next }
{ cmd = sprintf("@PKG_TOOLS_BIN@/pkg_info -qe \"%s\" && echo Package \"`@PKG_TOOLS_BIN@/pkg_info -e '\''%s\'\''`\" has a %s vulnerability, see %s ; wait", $1, $1, $2, $3);
system(cmd); }
-' ${PKGVULNDIR}/vulnerabilities
+' ${PKGVULNDIR}/pkg-vulnerabilities
exit 0
diff --git a/security/audit-packages/files/download-vulnerability-list b/security/audit-packages/files/download-vulnerability-list
index 5cb6e83b057..fe4a2108e28 100644
--- a/security/audit-packages/files/download-vulnerability-list
+++ b/security/audit-packages/files/download-vulnerability-list
@@ -1,34 +1,65 @@
#! @SH@
-# $NetBSD: download-vulnerability-list,v 1.15 2003/08/22 10:11:58 agc Exp $
+
+# $NetBSD: download-vulnerability-list,v 1.16 2003/09/02 10:20:29 agc Exp $
: ${PKGVULNDIR=@PKGVULNDIR@}
if [ ! -e ${PKGVULNDIR} ]; then
echo "Creating ${PKGVULNDIR}"
- /bin/mkdir -p ${PKGVULNDIR} || (echo "Can't create ${PKGVULNDIR}" 1>&2; exit 1)
+ @MKDIR@ ${PKGVULNDIR} || (echo "Can't create ${PKGVULNDIR}" 1>&2; exit 1)
fi
-VUL_SOURCE="ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities"
-NEW_VUL_LIST=vulnerabilities.$$
-EXIST_VUL_LIST=vulnerabilities
+VUL_SOURCE="ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"
+NEW_VUL_LIST=pkg-vulnerabilities.$$
+EXIST_VUL_LIST=pkg-vulnerabilities
cd ${PKGVULNDIR}
@FETCH_CMD@ -o ${NEW_VUL_LIST} ${VUL_SOURCE}
-existsize=0
-newsize=0
-if [ -f ${EXIST_VUL_LIST} ]; then
- existsize=`@WC@ -l ${EXIST_VUL_LIST} | @AWK@ '{ print $1 }'`
-fi
-if [ -f ${NEW_VUL_LIST} ]; then
- newsize=`@WC@ -l ${NEW_VUL_LIST} | @AWK@ '{ print $1 }'`
-fi
-if [ $newsize -lt $existsize ]; then
- echo "New vulnerability list ($newsize lines) is smaller than existing list ($existsize lines)" 1>&2
- /bin/rm -f ${NEW_VUL_LIST}
+
+# see if the file got damaged while it was being downloaded
+errmsg=""
+recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${NEW_VUL_LIST}`
+recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' ${NEW_VUL_LIST}`
+case "$recordedsum" in
+"") errmsg="***WARNING*** No checksum found in the downloaded vulnerabilities file"
+ ;;
+*) case "$recordedalg" in
+ "") errmsg="***WARNING*** No checksum algorithm found in the downloaded vulnerabilities file"
+ ;;
+ *) calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' ${NEW_VUL_LIST} | @DIGEST@ $recordedalg`
+ if [ "$recordedsum" != "$calcsum" ]; then
+ errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
+ fi
+ ;;
+ esac
+esac
+case "$errmsg" in
+"") ;;
+*) echo "$errmsg" 1>&2
+ @RM@ -f ${NEW_VUL_LIST}
exit 1
+ ;;
+esac
+
+# test to see if file has been changed
+neednew=false
+if [ -f ${EXIST_VUL_LIST} ]; then
+ oldsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${EXIST_VUL_LIST}`
+ if [ "$oldsum" != "$calcsum" ]; then
+ neednew=true
+ fi
+else
+ neednew=true
fi
-chmod a+r ${NEW_VUL_LIST}
-/bin/mv -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
+# if we need the new file, move it into position
+if $neednew; then
+ echo "Package vulnerabilities file has been modified"
+ @CHMOD@ a+r ${NEW_VUL_LIST}
+ @MV@ -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
+else
+ echo "No change from existing package vulnerabilities file"
+ @RM@ -f ${NEW_VUL_LIST}
+fi
exit 0
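Review bot: The failure path on the added `@MKDIR@` line does not stop the script, because `exit 1` runs inside the `( ... )` subshell; the parent continues, the unchecked `cd ${PKGVULNDIR}` then fails, and the fetch writes into whatever the current directory happens to be, so use a brace group, `@MKDIR@ ${PKGVULNDIR} || { echo "Can't create ${PKGVULNDIR}" 1>&2; exit 1; }`, and `cd ${PKGVULNDIR} || exit 1`. The `@FETCH_CMD@` exit status is also never examined, so a failed download is only caught indirectly as "No checksum found"; testing it directly would give an accurate message. As the commit message states, the embedded SHA1 is a transit-damage check only: anyone able to alter the file on the plaintext ftp:// path can recompute the digest, and since audit-packages interpolates the file's fields into a `system()` command string (see the awk line in the audit-packages hunk above), a comment next to the check should say explicitly that it is not an authenticity check, and the file should eventually be authenticated by a signature or a digest obtained out of band. Finally, `$recordedalg` is taken from the downloaded file and expanded unquoted on the `@DIGEST@` line; write it as `"$recordedalg"` so it is not subject to pathname expansion.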