Diffstat (limited to 'mk')
-rw-r--r-- | mk/bsd.pkg.readme.mk | 33 | ||||
-rw-r--r-- | mk/bulk/pre-build | 25 | ||||
-rw-r--r-- | mk/bulk/sort-packages | 21 | ||||
-rw-r--r-- | mk/bulk/upload | 21 | ||||
-rw-r--r-- | mk/defaults/mk.conf | 22 | ||||
-rw-r--r-- | mk/flavor/pkg/check.mk | 88 |
6 files changed, 152 insertions, 58 deletions
diff --git a/mk/bsd.pkg.readme.mk b/mk/bsd.pkg.readme.mk
index 85ab64f6e22..361eabcb754 100644
--- a/mk/bsd.pkg.readme.mk
+++ b/mk/bsd.pkg.readme.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.pkg.readme.mk,v 1.6 2006/10/17 06:28:33 rillig Exp $
+# $NetBSD: bsd.pkg.readme.mk,v 1.7 2007/07/14 17:17:45 adrianp Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and encapsulates the
 # code to produce README.html files in each package directory.
@@ -232,16 +232,33 @@ SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%|<p>This package has a home page at <a HREF
 SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%||'
 .endif
 
+# XXX: The code for the pkg_install<20070714 vulnerability checks are
+# XXX: broken. It will not find vulnerabilities in any packages that
+# XXX: have complex names in the pkg-vulnerabilties file.
+# XXX: e.g. php{4,5}-perl and sun-{jdk,jre}15
+# XXX: Post pkg_install-20070714 only currently known vulnerabilities are
+# XXX: shown in the generated files for packages.
+#
 .PHONY: show-vulnerabilities-html
 show-vulnerabilities-html:
 	${_PKG_SILENT}${_PKG_DEBUG} \
-	if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
-		${AWK} '/^${PKGBASE}[-<>=]+[0-9]/ { gsub("\<", "\\<", $$1); \
-			gsub("\>", "\\>", $$1); \
-			printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$1, $$2, $$3, $$3) }' \
-			${PKGVULNDIR}/pkg-vulnerabilities; \
-	fi
-
+	_INFO_VER=`${PKG_INFO} -V`; \
+	if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-$$_INFO_VER; then \
+		if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
+			${AWK} '/^${PKGBASE}[-<>=]+[0-9]/ { gsub("\<", "\\<", $$1); \
+				gsub("\>", "\\>", $$1); \
+				printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$1, $$2, $$3, $$3) }' \
+				${PKGVULNDIR}/pkg-vulnerabilities; \
+		fi; \
+	else \
+		_PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
+		if [ -f $$_PKGVULNDIR/pkg-vulnerabilities ]; then \
+			audit-packages ${AUDIT_PACKAGES_FLAGS} -n ${PKGNAME} |${AWK} \
+			'{ gsub("\<", "\\<", $$2); \
+				gsub("\>", "\\>", $$2); \
+				printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$2, $$5, $$8, $$8) }'; \
+		fi; \
+	fi
 
 # If PACKAGES is set to the default (../../packages), the current
 # ${MACHINE_ARCH} and "release" (uname -r) will be used. Otherwise a directory
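Review bot: In the new `else` branch, `if [ -f $$_PKGVULNDIR/pkg-vulnerabilities ]` uses the result of `audit-packages -Q PKGVULNDIR` unquoted and without checking that it is non-empty, so a failed query (audit-packages not on PATH, or a build that does not understand `-Q`) tests `/pkg-vulnerabilities` and the README is produced with no vulnerability entries and no diagnostic; `if [ -n "$$_PKGVULNDIR" ] && [ -f "$$_PKGVULNDIR/pkg-vulnerabilities" ]; then \` makes that case visible. The awk program keys on positional fields `$$2`, `$$5` and `$$8` of the audit-packages output, which breaks silently if that tool's message wording changes; a comment beside it recording the expected output layout (not shown on this page, so confirm against audit-packages(1)) would save the next maintainer a guess. As in the retained branch, the URL field is written into `href=\"...\"` with only `<` and `>` rewritten (to backslashed forms, not HTML entities), so a `"` or `&` in a vulnerabilities entry is passed into the generated HTML unescaped; escaping every interpolated field is the safer rendering since the file is fetched from outside the tree.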
diff --git a/mk/bulk/pre-build b/mk/bulk/pre-build
index 245084547dc..2a8468d0e52 100644
--- a/mk/bulk/pre-build
+++ b/mk/bulk/pre-build
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $NetBSD: pre-build,v 1.68 2007/07/02 14:54:09 joerg Exp $
+# $NetBSD: pre-build,v 1.69 2007/07/14 17:17:45 adrianp Exp $
 #
 # Clean up system to be ready for bulk pkg build
 #
@@ -18,6 +18,7 @@ fi
 PRUNEDISTFILES=${PRUNEDISTFILES:-"no"}
 PRUNEPACKAGES=${PRUNEPACKAGES:-"yes"}
 PRUNELINKS=${PRUNEPACKAGES:-"yes"}
+PKG_ADMIN="pkg_admin"
 
 PKGLINT_PKG_DIR=${USR_PKGSRC}/pkgtools/pkglint
 
@@ -69,11 +70,20 @@ echo "pre-build> Creating ${BULKFILESDIR} if necessary"
 mkdir -p "${BULKFILESDIR}"
 
 # Make sure the pkg-vulnerabilities file is up to date
+_INFO_VER=`${PKG_INFO} -V`;
 echo "pre-build> Making sure vulnerability-list is upto date:"
 if [ -z "$UPDATE_VULNERABILITY_LIST" -o "$UPDATE_VULNERABILITY_LIST" = yes ]; then
+	if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}; then
 	( cd "${USR_PKGSRC}/security/audit-packages" \
 	&& ${BMAKE} bulk-install \
 	&& env PKGVULNDIR="${DISTDIR}" download-vulnerability-list )
+	else
+		_PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`
+		download-vulnerability-list ${DOWNLOAD_VULNERABILITY_LIST_FLAGS}
+		if [ "x${_PKGVULNDIR}" != "x${DISTDIR}" ]; then
+			cp ${_PKGVULNDIR}/pkg-vulnerabilities ${DISTDIR}
+		fi
+	fi
 	echo 'pre-build> done.'
 else
 	echo 'pre-build> (skipped)'
@@ -82,7 +92,8 @@ fi
 # On non-NetBSD platforms we need to keep the bootstrap-files!
 if [ x"$BMAKE" = x"bmake" ]; then
 	( cd "$LOCALBASE" && tar cf /tmp/$$.tar \
-		sbin/pkg_add sbin/pkg_admin sbin/pkg_create \
+		sbin/audit-packages sbin/download-vulnerability-list \
+		sbin/pkg_add sbin/pkg_admin sbin/pkg_create \
 		sbin/pkg_delete sbin/pkg_info sbin/pkg_view sbin/linkfarm \
 		share/mk/sys.mk share/mk/bsd.dep.mk share/mk/bsd.depall.mk \
 		share/mk/bsd.files.mk share/mk/bsd.hostprog.mk \
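Review bot: In the new `else` branch of the vulnerability-list update (hunk at line 69), `_PKGVULNDIR` is compared and used without checking that it is non-empty, so when `audit-packages -Q PKGVULNDIR` prints nothing the comparison with `${DISTDIR}` succeeds and the build continues with a `cp /pkg-vulnerabilities` failure as its only symptom; a guard before the comparison, `if [ -z "${_PKGVULNDIR}" ]; then echo "pre-build> audit-packages -Q PKGVULNDIR returned nothing" >&2; exit 1; fi`, plus quoting `cp "${_PKGVULNDIR}/pkg-vulnerabilities" "${DISTDIR}"`, makes the failure explicit. `_INFO_VER=\`${PKG_INFO} -V\`` depends on PKG_INFO being assigned earlier in this script, which is not visible in the diff; if it is not, the probe runs a bare `-V` and the pmatch branch is chosen from an empty version string. The hunk at line 18 adds `PKG_ADMIN="pkg_admin"` as a plain assignment, whereas sort-packages uses the overridable `: ${PKG_ADMIN="pkg_admin"}` form, so an exported override is silently discarded here. The same update block is duplicated in mk/bulk/upload (hunk at line 208) and needs the same guard there.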
@@ -95,17 +106,23 @@ if [ x"$BMAKE" = x"bmake" ]; then
 		share/mk/bsd.sys.mk share/mk/bsd.own.mk \
 		bin/bmake bin/ftp bin/digest bin/nawk bin/nbsed \
 		bin/install-sh bin/pax bin/tar bin/cpio \
+		man/cat1/audit-packages.0 \
+		man/cat1/download-vulnerability-list.0 \
 		man/cat1/ftp.1 man/cat1/pax.0 \
 		man/cat1/tar.0 man/cat1/cpio.0 man/cat1/pkg_add.0 \
 		man/cat1/pkg_admin.0 man/cat1/pkg_create.0 \
 		man/cat1/pkg_delete.0 man/cat1/pkg_info.0 \
 		man/cat1/pkg_view.0 man/cat1/linkfarm.0 \
+		man/cat5/audit-packages.conf.0 \
+		man/man1/audit-packages.1 \
+		man/man1/download-vulnerability-list.1 \
 		man/man1/digest.1 man/man1/pax.1 man/man1/cpio.1 \
 		man/man1/tar.1 man/man1/nbsed.1 man/man1/pkg_add.1 \
 		man/man1/pkg_admin.1 man/man1/pkg_create.1 \
 		man/man1/pkg_delete.1 man/man1/pkg_info.1 \
-		man/man1/pkg_view.1 man/man1/linkfarm.1 man/cat7/packages.0 \
-		etc/mk.conf )
+		man/man1/pkg_view.1 man/man1/linkfarm.1 \
+		man/man5/audit-packages.conf.5 man/cat7/packages.0 \
+		etc/mk.conf share/examples/pkg_install/audit-packages.conf )
 fi
 
 #
diff --git a/mk/bulk/sort-packages b/mk/bulk/sort-packages
index d8d768069cf..a6a6d8c1683 100644
--- a/mk/bulk/sort-packages
+++ b/mk/bulk/sort-packages
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $NetBSD: sort-packages,v 1.7 2007/03/22 11:43:18 rillig Exp $
+# $NetBSD: sort-packages,v 1.8 2007/07/14 17:17:45 adrianp Exp $
 
 # This program scans all binary packages in the current directory and
 # creates three lists of files in OUTDIR:
@@ -20,6 +20,7 @@ set -eu
 : ${OUTDIR="/tmp"}
 : ${PKG_SUFX=".tgz"}
 : ${AUDIT_PACKAGES="audit-packages"}
+: ${PKG_ADMIN="pkg_admin"}
 : ${PKG_INFO="pkg_info"}
 
 regular_packages="${OUTDIR}/regular_packages"
@@ -67,13 +68,19 @@ for pkg in *${PKG_SUFX}; do
 		# Check whether the package is vulnerable or not.
 		pkg_prefix="${pkg%%-*}"
 		category="regular"
-		# XXX: The egrep command is only needed here because
-		# audit-packages is so awfully slow.
-		if egrep "^({.*${pkg_prefix}.*}|${pkg_prefix}|{.*}${pkg_prefix})" ${PKGVULNDIR}/pkg-vulnerabilities >/dev/null 4>&1; then
-			vuln=`${AUDIT_PACKAGES} -p "${pkg}"`
-			if [ -n "${vuln}" ]; then
-				category="vulnerable"
+		_INFO_VER=`${PKG_INFO} -V`;
+		if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}; then
+			# XXX: The egrep command is only needed here because
+			# audit-packages before pkg_install-20070714 is so
+			# awfully slow.
+			if egrep "^({.*${pkg_prefix}.*}|${pkg_prefix}|{.*}${pkg_prefix})" ${PKGVULNDIR}/pkg-vulnerabilities >/dev/null 4>&1; then
+				vuln=`${AUDIT_PACKAGES} -p "${pkg}"`
 			fi
+		else
+			vuln=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -p "${pkg}"`
+		fi
+		if [ -n "${vuln}" ]; then
+			category="vulnerable"
 		fi
 	elif [ "${restricted}" != "unknown" ] && [ "${no_bin_on_ftp}" != "unknown" ]; then
 		category="restricted"
diff --git a/mk/bulk/upload b/mk/bulk/upload
index f11eb95ad63..3d0f1f0eff0 100644
--- a/mk/bulk/upload
+++ b/mk/bulk/upload
@@ -1,11 +1,12 @@
 #!/bin/sh
-# $NetBSD: upload,v 1.37 2006/12/15 13:15:06 martti Exp $
+# $NetBSD: upload,v 1.38 2007/07/14 17:17:45 adrianp Exp $
 #
 # Upload non-restricted binary pkgs to ftp server
 #
 
 AWK=${AWK:-/usr/bin/awk}
+PKG_ADMIN="pkg_admin"
 
 set -eu
 
@@ -129,7 +130,12 @@ install_required()
 MD5="digest md5";
 SHA1="digest sha1";
 
-REQUIRED_PACKAGES="pkgtools/pkglint net/rsync security/audit-packages"
+_INFO_VER=`${PKG_INFO} -V`;
+if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}; then
+	REQUIRED_PACKAGES="pkgtools/pkglint net/rsync security/audit-packages"
+else
+	REQUIRED_PACKAGES="pkgtools/pkglint net/rsync"
+fi
 
 opsys=`uname -s`
 case "$opsys" in
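Review bot: `vuln` is no longer assigned on every path before the moved `if [ -n "${vuln}" ]`: in the pkg_install<20070714 branch the assignment now sits inside the egrep test, so a package whose prefix is absent from the vulnerabilities file keeps the `vuln` value left by the previous loop iteration and is filed as vulnerable, and on the first iteration the reference is to an unset variable, which the `set -eu` shown in this file's earlier hunk turns into an abort — unless `vuln` is initialised above this hunk, which is not visible here (the `for pkg` loop starts outside the hunk). Resetting it next to `category="regular"` fixes both: `vuln=`. The `${PKG_INFO} -V` probe and the `pmatch` call also run once per package inside the loop although their result cannot change between iterations; hoisting `_INFO_VER` and the branch decision above the loop removes two forks per package, which matters given the comment about audit-packages being slow.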
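Review bot: `_INFO_VER=\`${PKG_INFO} -V\`` in the upload hunk at line 129 runs under the `set -eu` shown in this file's header hunk, so if PKG_INFO is not assigned somewhere above it (not visible in this diff) the script aborts with an unbound-variable error instead of falling back to `pkg_info`; the new `PKG_ADMIN="pkg_admin"` in the header hunk also overwrites any value the caller exported. Using the overridable form that sort-packages uses, `: ${PKG_ADMIN="pkg_admin"}` and `: ${PKG_INFO="pkg_info"}`, keeps the three bulk scripts consistent and lets a bulk builder point at a non-default pkg_install.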
@@ -208,7 +214,16 @@ done
 echo "upload> Making sure vulnerability-list is up-to-date:"
 if [ -z "$UPDATE_VULNERABILITY_LIST" -o "$UPDATE_VULNERABILITY_LIST" = "yes" ]
 then
-	env PKGVULNDIR=${distdir} download-vulnerability-list
+	if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}
+	then
+		env PKGVULNDIR=${distdir} download-vulnerability-list
+	else
+		_PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`
+		download-vulnerability-list ${DOWNLOAD_VULNERABILITY_LIST_FLAGS}
+		if [ "x${_PKGVULNDIR}" != "x${distdir}" ]; then
+			cp ${_PKGVULNDIR}/pkg-vulnerabilities ${distdir}
+		fi
+	fi
 	echo " done."
 else
 	echo " (skipped)"
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 80d621deb34..2f15081f185 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.155 2007/07/02 14:02:06 joerg Exp $
+# $NetBSD: mk.conf,v 1.156 2007/07/14 17:17:45 adrianp Exp $
 #
 # This file provides default values for variables that may be overridden
 
@@ -21,6 +21,22 @@
 # Possible: defined, not defined
 # Default: not defined
 
+#AUDIT_PACKAGES_FLAGS=
+# List of flags passed to audit-packages(1).
+#
+# NOTE: If you have pkg_install<20070714 then this variable is not referenced.
+#
+# Possible: -e, -s, etc. See audit-packages(1)
+# Default: (no option)
+
+#DOWNLOAD_VULNERABILITY_LIST_FLAGS=
+# List of flags passed to download-vulnerability-list(1).
+#
+# NOTE: If you have pkg_install<20070714 then this variable is not referenced.
+#
+# Possible: -s, -c, etc. See download-vulnerability-list(1)
+# Default: (no option)
+
 MANINSTALL?= maninstall catinstall
 # Specify manpage installation types.
 # Possible: maninstall, catinstall, both types or empty
@@ -371,6 +387,10 @@ PKGVULNDIR?= ${DISTDIR}
 # Specifies where the `vulnerabilities' file is located. This variable
 # is used by the audit-packages program and by pkgsrc itself to do security
 # checks before building/installing programs.
+#
+# NOTE: If you have pkg_install>=20070714 then this variable is not referenced.
+# See audit-packages.conf(5)
+#
 # Possible: any path you like
 # Default: /usr/pkgsrc/distfiles
 
diff --git a/mk/flavor/pkg/check.mk b/mk/flavor/pkg/check.mk
index f78515f44ff..ca24b87f0b4 100644
--- a/mk/flavor/pkg/check.mk
+++ b/mk/flavor/pkg/check.mk
@@ -1,4 +1,4 @@
-# $NetBSD: check.mk,v 1.3 2007/03/09 00:39:54 rillig Exp $
+# $NetBSD: check.mk,v 1.4 2007/07/14 17:17:46 adrianp Exp $
 #
 # _flavor-check-vulnerable:
 
@@ -11,38 +11,56 @@
 #
 _flavor-check-vulnerable: .PHONY
 	${_PKG_SILENT}${_PKG_DEBUG} \
-	vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities; \
-	if ${TEST} ! -f "$$vulnfile"; then \
-		${PHASE_MSG} "Skipping vulnerability checks."; \
-		${WARNING_MSG} "No $$vulnfile file found."; \
-		${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
-		${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
-		exit 0; \
-	fi; \
-	${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
-	conffile=; \
-	for dir in \
-		__dummy \
-		${PKG_SYSCONFDIR.audit-packages:Q}"" \
-		${PKG_SYSCONFDIR:Q}""; \
-	do \
-		case $$dir in \
-		/*) conffile="$$dir/audit-packages.conf"; break ;; \
-		*) continue ;; \
-		esac; \
-	done; \
-	if ${TEST} -z "$$conffile" -a -f "$$conffile"; then \
-		. $$conffile; \
-	fi; \
-	${SETENV} PKGNAME=${PKGNAME} \
-		PKGBASE=${PKGBASE} \
-		${AWK} 'BEGIN { exitcode = 0 } \
-		/^$$/ { next } \
-		/^#.*/ { next } \
-		$$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
-		{ s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
-		END { exit exitcode }' < $$vulnfile || ${FALSE}; \
-	if ${TEST} "$$?" -ne 0; then \
-		${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
-		${FALSE}; \
+	_INFO_VER=`${PKG_INFO} -V`; \
+	if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-$$_INFO_VER; then \
+		vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities; \
+		if ${TEST} ! -f "$$vulnfile"; then \
+			${PHASE_MSG} "Skipping vulnerability checks."; \
+			${WARNING_MSG} "No $$vulnfile file found."; \
+			${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
+			${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
+			exit 0; \
+		fi; \
+		${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
+		conffile=; \
+		for dir in \
+			__dummy \
+			${PKG_SYSCONFDIR.audit-packages:Q}"" \
+			${PKG_SYSCONFDIR:Q}""; \
+		do \
+			case $$dir in \
+			/*) conffile="$$dir/audit-packages.conf"; break ;; \
+			*) continue ;; \
+			esac; \
+		done; \
+		if ${TEST} -z "$$conffile" -a -f "$$conffile"; then \
+			. $$conffile; \
+		fi; \
+		${SETENV} PKGNAME=${PKGNAME} \
+			PKGBASE=${PKGBASE} \
+			${AWK} 'BEGIN { exitcode = 0 } \
+			/^$$/ { next } \
+			/^#.*/ { next } \
+			$$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
+			{ s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
+			END { exit exitcode }' < $$vulnfile || ${FALSE}; \
+		if ${TEST} "$$?" -ne 0; then \
+			${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+			${FALSE}; \
+		fi; \
+	else \
+		_PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
+		vulnfile=$$_PKGVULNDIR/pkg-vulnerabilities; \
+		if ${TEST} ! -f "$$vulnfile"; then \
+			${PHASE_MSG} "Skipping vulnerability checks."; \
+			${WARNING_MSG} "No $$vulnfile file found."; \
+			${WARNING_MSG} "To fix run: \`download-vulnerability-list'."; \
+			exit 0; \
+		fi; \
+		${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
+		audit-packages ${AUDIT_PACKAGES_FLAGS} -n ${PKGNAME}; \
+		if ${TEST} "$$?" -ne 0; then \
+			${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in audit-packages.conf(5) if this package is absolutely essential."; \
+			${FALSE}; \
+		fi; \
 	fi |
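Review bot: The new `else` branch fails open when the `audit-packages -Q PKGVULNDIR` query returns nothing: `vulnfile=$$_PKGVULNDIR/pkg-vulnerabilities` then becomes `/pkg-vulnerabilities`, the `! -f` test fires and the recipe prints "Skipping vulnerability checks." and `exit 0`, so a missing or too-old audit-packages binary disables the vulnerability gate with only a warning rather than an error. Checking the query result first, `if ${TEST} -z "$$_PKGVULNDIR"; then ${ERROR_MSG} "audit-packages -Q PKGVULNDIR returned nothing"; ${FALSE}; fi; \`, keeps "no list downloaded yet" (a warning) distinct from "the checker itself is broken" (a failure). The retained pkg_install<20070714 path carries over `${TEST} -z "$$conffile" -a -f "$$conffile"`, which can never be true (an empty string is not a regular file), so audit-packages.conf is never sourced on that path; the intended test is `-n`. The three "Skipping vulnerability checks" lines are now duplicated across both branches and would read better as one block after the `if`/`else` sets `vulnfile`.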