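#! @SH@
#
# $NetBSD: audit-packages,v 1.17 2004/06/06 08:28:54 agc Exp $
#
# Copyright (c) 2000-2003 Alistair Crooks. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#	This product includes software developed by Alistair Crooks
#	for the NetBSD project.
# 4. The name of the author may not be used to endorse or promote
#    products derived from this software without specific prior written
#    permission.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# audit-packages: report installed packages that match an entry in the
# pkgsrc vulnerabilities list.
#
# Usage: audit-packages [-v]
#   -v   also warn when the vulnerabilities list is more than a week old
#
# Reads ${PKGVULNDIR}/pkg-vulnerabilities, which holds one
# "<pkg-pattern> <type> <url>" entry per line, "#" comment lines and a
# "#CHECKSUM <alg> <sum>" line.  The embedded checksum is verified first;
# then one line is printed for every installed package matching a
# vulnerable pattern.  Exit status is 1 only when the list is missing or
# fails its checksum -- finding vulnerable packages still exits 0, so
# callers (cron jobs etc.) must look at the output, not the status.

# Default location of the vulnerabilities list; overridable from the
# environment or from the config file sourced below.
: ${PKGVULNDIR=@PKGVULNDIR@}

# The config file is executed as shell code with this script's privileges,
# so it must be writable only by the administrator.
if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then
	echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf"
	. @PKG_SYSCONFDIR@/audit-packages.conf
fi

vuls="${PKGVULNDIR}/pkg-vulnerabilities"

# Unknown arguments are ignored, as before.
verbose=no
while [ $# -gt 0 ]; do
	case "$1" in
	-v)	verbose=yes ;;
	esac
	shift
done

errmsg=""

# check for missing vulnerabilities file
[ ! -f "$vuls" ] && errmsg="** Missing $vuls"

case "$errmsg" in
"")
	# check for old vulnerabilities file if we're being verbose.
	# -ctime is the inode change time, so a chmod/chown of the file
	# also makes it look fresh; this is only a hint, not a guarantee.
	case "$verbose" in
	yes)
		[ -n "$(find "$vuls" -ctime +7)" ] && \
		    echo "*** WARNING - $vuls more than a week old, continuing..."
		;;
	esac
	;;
esac

case "$errmsg" in
"")
	# Integrity check.  The "#CHECKSUM <alg> <sum>" line is read from the
	# very file it covers, so a mismatch catches a truncated or corrupted
	# download, not deliberate tampering: whoever can rewrite the list can
	# rewrite that line as well.  Authenticity has to come from the way
	# the list is fetched (download-vulnerability-list), not from here.
	recordedsum=$(@AWK@ '$1 == "#CHECKSUM" { print $3 }' "$vuls")
	recordedalg=$(@AWK@ '$1 == "#CHECKSUM" { print $2 }' "$vuls")
	case "$recordedsum" in
	"")
		errmsg="***WARNING*** No checksum found in $vuls"
		;;
	*)
		case "$recordedalg" in
		"")
			errmsg="***WARNING*** No checksum algorithm found in $vuls file"
			;;
		*[!A-Za-z0-9]*)
			# The algorithm name is passed straight to @DIGEST@ as an
			# argument; refuse anything that is not a plain name
			# (e.g. option-looking strings or several words).
			errmsg="***WARNING*** Unusable checksum algorithm \"$recordedalg\" in $vuls"
			;;
		*)
			# The checksum covers the whole file except the #CHECKSUM
			# line itself and the RCS $NetBSD$ id line.
			calcsum=$(@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' "$vuls" | @DIGEST@ "$recordedalg")
			if [ "$recordedsum" != "$calcsum" ]; then
				errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
			fi
			;;
		esac
		;;
	esac
	;;
esac

# if we have found an error, then complain and exit
case "$errmsg" in
"")	;;
*)
	printf '%s\n' "$errmsg" 1>&2
	echo "** Please run download-vulnerability-list" 1>&2
	exit 1
	;;
esac

# check for vulnerabilities.  Each data line is "<pkg-pattern> <type> <url>";
# read(1) leaves any extra trailing words in $url.  -r keeps backslashes in
# the list literal instead of interpreting them.
while read -r pat type url; do
	case "$pat" in
	\#*|'')	continue ;;
	esac
	# pkg_info -e prints the installed package(s) matching the pattern and
	# exits non-zero when there are none, so one call serves as both the
	# test and the lookup.  </dev/null stops it from consuming the list
	# that feeds this loop.  printf rather than echo, because every field
	# comes from the list file and may start with '-' or hold backslashes.
	if installed=$(@PKG_TOOLS_BIN@/pkg_info -e "$pat" </dev/null); then
		# package names contain no whitespace, so plain word-splitting
		# yields one name per iteration (one output line per package).
		for pkg in $installed; do
			printf 'Package %s has a %s vulnerability, see %s\n' \
			    "$pkg" "$type" "$url"
		done
	fi
done < "$vuls"

exit 0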