summaryrefslogtreecommitdiff
path: root/mk
diff options
context:
space:
mode:
Diffstat (limited to 'mk')
-rw-r--r--mk/bsd.pkg.readme.mk33
-rw-r--r--mk/bulk/pre-build25
-rw-r--r--mk/bulk/sort-packages21
-rw-r--r--mk/bulk/upload21
-rw-r--r--mk/defaults/mk.conf22
-rw-r--r--mk/flavor/pkg/check.mk88
6 files changed, 152 insertions, 58 deletions
diff --git a/mk/bsd.pkg.readme.mk b/mk/bsd.pkg.readme.mk
index 85ab64f6e22..361eabcb754 100644
--- a/mk/bsd.pkg.readme.mk
+++ b/mk/bsd.pkg.readme.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.pkg.readme.mk,v 1.6 2006/10/17 06:28:33 rillig Exp $
+# $NetBSD: bsd.pkg.readme.mk,v 1.7 2007/07/14 17:17:45 adrianp Exp $
#
# This Makefile fragment is included by bsd.pkg.mk and encapsulates the
# code to produce README.html files in each package directory.
@@ -232,16 +232,33 @@ SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%|<p>This package has a home page at <a HREF
SED_HOMEPAGE_EXPR= -e 's|%%HOMEPAGE%%||'
.endif
+# XXX: The code for the pkg_install<20070714 vulnerability checks are
+# XXX: broken. It will not find vulnerabilities in any packages that
+# XXX: have complex names in the pkg-vulnerabilties file.
+# XXX: e.g. php{4,5}-perl and sun-{jdk,jre}15
+# XXX: Post pkg_install-20070714 only currently known vulnerabilities are
+# XXX: shown in the generated files for packages.
+#
.PHONY: show-vulnerabilities-html
show-vulnerabilities-html:
${_PKG_SILENT}${_PKG_DEBUG} \
- if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
- ${AWK} '/^${PKGBASE}[-<>=]+[0-9]/ { gsub("\<", "\\&lt;", $$1); \
- gsub("\>", "\\&gt;", $$1); \
- printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$1, $$2, $$3, $$3) }' \
- ${PKGVULNDIR}/pkg-vulnerabilities; \
- fi
-
+ _INFO_VER=`${PKG_INFO} -V`; \
+ if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-$$_INFO_VER; then \
+ if [ -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then \
+ ${AWK} '/^${PKGBASE}[-<>=]+[0-9]/ { gsub("\<", "\\&lt;", $$1); \
+ gsub("\>", "\\&gt;", $$1); \
+ printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$1, $$2, $$3, $$3) }' \
+ ${PKGVULNDIR}/pkg-vulnerabilities; \
+ fi; \
+ else \
+ _PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
+ if [ -f $$_PKGVULNDIR/pkg-vulnerabilities ]; then \
+ audit-packages ${AUDIT_PACKAGES_FLAGS} -n ${PKGNAME} |${AWK} \
+ '{ gsub("\<", "\\&lt;", $$2); \
+ gsub("\>", "\\&gt;", $$2); \
+ printf("<LI><STRONG>%s has a %s exploit (see <a href=\"%s\">%s</a> for more details)</STRONG></LI>\n", $$2, $$5, $$8, $$8) }'; \
+ fi; \
+ fi
# If PACKAGES is set to the default (../../packages), the current
# ${MACHINE_ARCH} and "release" (uname -r) will be used. Otherwise a directory
diff --git a/mk/bulk/pre-build b/mk/bulk/pre-build
index 245084547dc..2a8468d0e52 100644
--- a/mk/bulk/pre-build
+++ b/mk/bulk/pre-build
@@ -1,5 +1,5 @@
#!/bin/sh
-# $NetBSD: pre-build,v 1.68 2007/07/02 14:54:09 joerg Exp $
+# $NetBSD: pre-build,v 1.69 2007/07/14 17:17:45 adrianp Exp $
#
# Clean up system to be ready for bulk pkg build
#
@@ -18,6 +18,7 @@ fi
PRUNEDISTFILES=${PRUNEDISTFILES:-"no"}
PRUNEPACKAGES=${PRUNEPACKAGES:-"yes"}
PRUNELINKS=${PRUNEPACKAGES:-"yes"}
+PKG_ADMIN="pkg_admin"
PKGLINT_PKG_DIR=${USR_PKGSRC}/pkgtools/pkglint
@@ -69,11 +70,20 @@ echo "pre-build> Creating ${BULKFILESDIR} if necessary"
mkdir -p "${BULKFILESDIR}"
# Make sure the pkg-vulnerabilities file is up to date
+_INFO_VER=`${PKG_INFO} -V`;
echo "pre-build> Making sure vulnerability-list is upto date:"
if [ -z "$UPDATE_VULNERABILITY_LIST" -o "$UPDATE_VULNERABILITY_LIST" = yes ]; then
+ if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}; then
( cd "${USR_PKGSRC}/security/audit-packages" \
&& ${BMAKE} bulk-install \
&& env PKGVULNDIR="${DISTDIR}" download-vulnerability-list )
+ else
+ _PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`
+ download-vulnerability-list ${DOWNLOAD_VULNERABILITY_LIST_FLAGS}
+ if [ "x${_PKGVULNDIR}" != "x${DISTDIR}" ]; then
+ cp ${_PKGVULNDIR}/pkg-vulnerabilities ${DISTDIR}
+ fi
+ fi
echo 'pre-build> done.'
else
echo 'pre-build> (skipped)'
@@ -82,7 +92,8 @@ fi
# On non-NetBSD platforms we need to keep the bootstrap-files!
if [ x"$BMAKE" = x"bmake" ]; then
( cd "$LOCALBASE" && tar cf /tmp/$$.tar \
- sbin/pkg_add sbin/pkg_admin sbin/pkg_create \
+ sbin/audit-packages sbin/download-vulnerability-list \
+ sbin/pkg_add sbin/pkg_admin sbin/pkg_create \
sbin/pkg_delete sbin/pkg_info sbin/pkg_view sbin/linkfarm \
share/mk/sys.mk share/mk/bsd.dep.mk share/mk/bsd.depall.mk \
share/mk/bsd.files.mk share/mk/bsd.hostprog.mk \
@@ -95,17 +106,23 @@ if [ x"$BMAKE" = x"bmake" ]; then
share/mk/bsd.sys.mk share/mk/bsd.own.mk \
bin/bmake bin/ftp bin/digest bin/nawk bin/nbsed \
bin/install-sh bin/pax bin/tar bin/cpio \
+ man/cat1/audit-packages.0 \
+ man/cat1/download-vulnerability-list.0 \
man/cat1/ftp.1 man/cat1/pax.0 \
man/cat1/tar.0 man/cat1/cpio.0 man/cat1/pkg_add.0 \
man/cat1/pkg_admin.0 man/cat1/pkg_create.0 \
man/cat1/pkg_delete.0 man/cat1/pkg_info.0 \
man/cat1/pkg_view.0 man/cat1/linkfarm.0 \
+ man/cat5/audit-packages.conf.0 \
+ man/man1/audit-packages.1 \
+ man/man1/download-vulnerability-list.1 \
man/man1/digest.1 man/man1/pax.1 man/man1/cpio.1 \
man/man1/tar.1 man/man1/nbsed.1 man/man1/pkg_add.1 \
man/man1/pkg_admin.1 man/man1/pkg_create.1 \
man/man1/pkg_delete.1 man/man1/pkg_info.1 \
- man/man1/pkg_view.1 man/man1/linkfarm.1 man/cat7/packages.0 \
- etc/mk.conf )
+ man/man1/pkg_view.1 man/man1/linkfarm.1 \
+ man/man5/audit-packages.conf.5 man/cat7/packages.0 \
+ etc/mk.conf share/examples/pkg_install/audit-packages.conf )
fi
#
diff --git a/mk/bulk/sort-packages b/mk/bulk/sort-packages
index d8d768069cf..a6a6d8c1683 100644
--- a/mk/bulk/sort-packages
+++ b/mk/bulk/sort-packages
@@ -1,5 +1,5 @@
#! /bin/sh
-# $NetBSD: sort-packages,v 1.7 2007/03/22 11:43:18 rillig Exp $
+# $NetBSD: sort-packages,v 1.8 2007/07/14 17:17:45 adrianp Exp $
# This program scans all binary packages in the current directory and
# creates three lists of files in OUTDIR:
@@ -20,6 +20,7 @@ set -eu
: ${OUTDIR="/tmp"}
: ${PKG_SUFX=".tgz"}
: ${AUDIT_PACKAGES="audit-packages"}
+: ${PKG_ADMIN="pkg_admin"}
: ${PKG_INFO="pkg_info"}
regular_packages="${OUTDIR}/regular_packages"
@@ -67,13 +68,19 @@ for pkg in *${PKG_SUFX}; do
# Check whether the package is vulnerable or not.
pkg_prefix="${pkg%%-*}"
category="regular"
- # XXX: The egrep command is only needed here because
- # audit-packages is so awfully slow.
- if egrep "^({.*${pkg_prefix}.*}|${pkg_prefix}|{.*}${pkg_prefix})" ${PKGVULNDIR}/pkg-vulnerabilities >/dev/null 4>&1; then
- vuln=`${AUDIT_PACKAGES} -p "${pkg}"`
- if [ -n "${vuln}" ]; then
- category="vulnerable"
+ _INFO_VER=`${PKG_INFO} -V`;
+ if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}; then
+ # XXX: The egrep command is only needed here because
+ # audit-packages before pkg_install-20070714 is so
+ # awfully slow.
+ if egrep "^({.*${pkg_prefix}.*}|${pkg_prefix}|{.*}${pkg_prefix})" ${PKGVULNDIR}/pkg-vulnerabilities >/dev/null 4>&1; then
+ vuln=`${AUDIT_PACKAGES} -p "${pkg}"`
fi
+ else
+ vuln=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -p "${pkg}"`
+ fi
+ if [ -n "${vuln}" ]; then
+ category="vulnerable"
fi
elif [ "${restricted}" != "unknown" ] && [ "${no_bin_on_ftp}" != "unknown" ]; then
category="restricted"
diff --git a/mk/bulk/upload b/mk/bulk/upload
index f11eb95ad63..3d0f1f0eff0 100644
--- a/mk/bulk/upload
+++ b/mk/bulk/upload
@@ -1,11 +1,12 @@
#!/bin/sh
-# $NetBSD: upload,v 1.37 2006/12/15 13:15:06 martti Exp $
+# $NetBSD: upload,v 1.38 2007/07/14 17:17:45 adrianp Exp $
#
# Upload non-restricted binary pkgs to ftp server
#
AWK=${AWK:-/usr/bin/awk}
+PKG_ADMIN="pkg_admin"
set -eu
@@ -129,7 +130,12 @@ install_required()
MD5="digest md5";
SHA1="digest sha1";
-REQUIRED_PACKAGES="pkgtools/pkglint net/rsync security/audit-packages"
+_INFO_VER=`${PKG_INFO} -V`;
+if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}; then
+ REQUIRED_PACKAGES="pkgtools/pkglint net/rsync security/audit-packages"
+else
+ REQUIRED_PACKAGES="pkgtools/pkglint net/rsync"
+fi
opsys=`uname -s`
case "$opsys" in
@@ -208,7 +214,16 @@ done
echo "upload> Making sure vulnerability-list is up-to-date:"
if [ -z "$UPDATE_VULNERABILITY_LIST" -o "$UPDATE_VULNERABILITY_LIST" = "yes" ]
then
- env PKGVULNDIR=${distdir} download-vulnerability-list
+ if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-${_INFO_VER}
+ then
+ env PKGVULNDIR=${distdir} download-vulnerability-list
+ else
+ _PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`
+ download-vulnerability-list ${DOWNLOAD_VULNERABILITY_LIST_FLAGS}
+ if [ "x${_PKGVULNDIR}" != "x${distdir}" ]; then
+ cp ${_PKGVULNDIR}/pkg-vulnerabilities ${distdir}
+ fi
+ fi
echo " done."
else
echo " (skipped)"
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 80d621deb34..2f15081f185 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.155 2007/07/02 14:02:06 joerg Exp $
+# $NetBSD: mk.conf,v 1.156 2007/07/14 17:17:45 adrianp Exp $
#
# This file provides default values for variables that may be overridden
@@ -21,6 +21,22 @@
# Possible: defined, not defined
# Default: not defined
+#AUDIT_PACKAGES_FLAGS=
+# List of flags passed to audit-packages(1).
+#
+# NOTE: If you have pkg_install<20070714 then this variable is not referenced.
+#
+# Possible: -e, -s, etc. See audit-packages(1)
+# Default: (no option)
+
+#DOWNLOAD_VULNERABILITY_LIST_FLAGS=
+# List of flags passed to download-vulnerability-list(1).
+#
+# NOTE: If you have pkg_install<20070714 then this variable is not referenced.
+#
+# Possible: -s, -c, etc. See download-vulnerability-list(1)
+# Default: (no option)
+
MANINSTALL?= maninstall catinstall
# Specify manpage installation types.
# Possible: maninstall, catinstall, both types or empty
@@ -371,6 +387,10 @@ PKGVULNDIR?= ${DISTDIR}
# Specifies where the `vulnerabilities' file is located. This variable
# is used by the audit-packages program and by pkgsrc itself to do security
# checks before building/installing programs.
+#
+# NOTE: If you have pkg_install>=20070714 then this variable is not referenced.
+# See audit-packages.conf(5)
+#
# Possible: any path you like
# Default: /usr/pkgsrc/distfiles
diff --git a/mk/flavor/pkg/check.mk b/mk/flavor/pkg/check.mk
index f78515f44ff..ca24b87f0b4 100644
--- a/mk/flavor/pkg/check.mk
+++ b/mk/flavor/pkg/check.mk
@@ -1,4 +1,4 @@
-# $NetBSD: check.mk,v 1.3 2007/03/09 00:39:54 rillig Exp $
+# $NetBSD: check.mk,v 1.4 2007/07/14 17:17:46 adrianp Exp $
#
# _flavor-check-vulnerable:
@@ -11,38 +11,56 @@
#
_flavor-check-vulnerable: .PHONY
${_PKG_SILENT}${_PKG_DEBUG} \
- vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities; \
- if ${TEST} ! -f "$$vulnfile"; then \
- ${PHASE_MSG} "Skipping vulnerability checks."; \
- ${WARNING_MSG} "No $$vulnfile file found."; \
- ${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
- ${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
- exit 0; \
- fi; \
- ${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
- conffile=; \
- for dir in \
- __dummy \
- ${PKG_SYSCONFDIR.audit-packages:Q}"" \
- ${PKG_SYSCONFDIR:Q}""; \
- do \
- case $$dir in \
- /*) conffile="$$dir/audit-packages.conf"; break ;; \
- *) continue ;; \
- esac; \
- done; \
- if ${TEST} -z "$$conffile" -a -f "$$conffile"; then \
- . $$conffile; \
- fi; \
- ${SETENV} PKGNAME=${PKGNAME} \
- PKGBASE=${PKGBASE} \
- ${AWK} 'BEGIN { exitcode = 0 } \
- /^$$/ { next } \
- /^#.*/ { next } \
- $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
- { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
- END { exit exitcode }' < $$vulnfile || ${FALSE}; \
- if ${TEST} "$$?" -ne 0; then \
- ${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
- ${FALSE}; \
+ _INFO_VER=`${PKG_INFO} -V`; \
+ if ${PKG_ADMIN} pmatch 'pkg_install<20070714' pkg_install-$$_INFO_VER; then \
+ vulnfile=${PKGVULNDIR:Q}/pkg-vulnerabilities; \
+ if ${TEST} ! -f "$$vulnfile"; then \
+ ${PHASE_MSG} "Skipping vulnerability checks."; \
+ ${WARNING_MSG} "No $$vulnfile file found."; \
+ ${WARNING_MSG} "To fix, install the pkgsrc/security/audit-packages"; \
+ ${WARNING_MSG} "package and run: \`\`${LOCALBASE}/sbin/download-vulnerability-list''."; \
+ exit 0; \
+ fi; \
+ ${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
+ conffile=; \
+ for dir in \
+ __dummy \
+ ${PKG_SYSCONFDIR.audit-packages:Q}"" \
+ ${PKG_SYSCONFDIR:Q}""; \
+ do \
+ case $$dir in \
+ /*) conffile="$$dir/audit-packages.conf"; break ;; \
+ *) continue ;; \
+ esac; \
+ done; \
+ if ${TEST} -z "$$conffile" -a -f "$$conffile"; then \
+ . $$conffile; \
+ fi; \
+ ${SETENV} PKGNAME=${PKGNAME} \
+ PKGBASE=${PKGBASE} \
+ ${AWK} 'BEGIN { exitcode = 0 } \
+ /^$$/ { next } \
+ /^#.*/ { next } \
+ $$1 !~ ENVIRON["PKGBASE"] && $$1 !~ /\{/ { next } \
+ { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ERROR_MSG:S/"/\"/g} \"%s vulnerability in %s - see %s for more information\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); if (system(s) == 0) { print $$1; exitcode += 1 }; } \
+ END { exit exitcode }' < $$vulnfile || ${FALSE}; \
+ if ${TEST} "$$?" -ne 0; then \
+ ${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential"; \
+ ${FALSE}; \
+ fi; \
+ else \
+ _PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`; \
+ vulnfile=$$_PKGVULNDIR/pkg-vulnerabilities; \
+ if ${TEST} ! -f "$$vulnfile"; then \
+ ${PHASE_MSG} "Skipping vulnerability checks."; \
+ ${WARNING_MSG} "No $$vulnfile file found."; \
+ ${WARNING_MSG} "To fix run: \`download-vulnerability-list'."; \
+ exit 0; \
+ fi; \
+ ${PHASE_MSG} "Checking for vulnerabilities in ${PKGNAME}"; \
+ audit-packages ${AUDIT_PACKAGES_FLAGS} -n ${PKGNAME}; \
+ if ${TEST} "$$?" -ne 0; then \
+ ${ERROR_MSG} "Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in audit-packages.conf(5) if this package is absolutely essential."; \
+ ${FALSE}; \
+ fi; \
fi