#! @SH@
#
# $NetBSD: audit-packages,v 1.16 2004/01/01 23:35:28 agc Exp $
#
# Copyright (c) 2000-2003 Alistair Crooks. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
# must display the following acknowledgement:
# This product includes software developed by Alistair Crooks
# for the NetBSD project.
# 4. The name of the author may not be used to endorse or promote
# products derived from this software without specific prior written
# permission.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Location of the vulnerabilities database.  PKGVULNDIR may be preset in the
# environment; otherwise the build-time default is substituted here.
: "${PKGVULNDIR=@PKGVULNDIR@}"
vuls="${PKGVULNDIR}/pkg-vulnerabilities"

# Command-line options.  Only -v (verbose) is recognised; any other
# argument is consumed and silently ignored.
verbose=no
while [ "$#" -gt 0 ]; do
	if [ "$1" = "-v" ]; then
		verbose=yes
	fi
	shift
done
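errmsg=""
# check for missing vulnerabilities file.  $vuls is quoted so that a
# PKGVULNDIR containing whitespace or glob characters (or an empty value)
# cannot turn the test into something other than a file check.
if [ ! -f "$vuls" ]; then
	errmsg="** Missing $vuls"
fi
# check for old vulnerabilities file if we're being verbose.  The age is
# taken from -ctime (inode change time), presumably so that it measures
# time since the file was last written locally rather than the upstream
# modification time -- TODO confirm.  This is only a warning: the audit
# still runs, so the diagnostic goes to stderr like the other messages.
if [ -z "$errmsg" ] && [ "$verbose" = "yes" ]; then
	if [ -n "$(find "$vuls" -ctime +7)" ]; then
		printf '%s\n' "*** WARNING - $vuls more than a week old, continuing..." 1>&2
	fi
fi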
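# check integrity of vulnerabilities file.  The file carries a line of the
# form
#   #CHECKSUM <algorithm> <digest>
# and the digest is recomputed over the file minus that line and the
# $NetBSD RCS id.  This only catches corruption or a truncated download: it
# is not a signature, since anyone able to modify the file can also rewrite
# its #CHECKSUM line.
if [ -z "$errmsg" ]; then
	recordedsum=$(@AWK@ '$1 == "#CHECKSUM" { print $3 }' "$vuls")
	recordedalg=$(@AWK@ '$1 == "#CHECKSUM" { print $2 }' "$vuls")
	if [ -z "$recordedsum" ]; then
		errmsg="***WARNING*** No checksum found in $vuls"
	elif [ -z "$recordedalg" ]; then
		errmsg="***WARNING*** No checksum algorithm found in $vuls file"
	else
		case "$recordedalg" in
		*[!A-Za-z0-9]*)
			# the algorithm name is read from the (not yet verified) file and
			# handed to @DIGEST@ as an argument, so only a single plain
			# alphanumeric token is accepted; anything else (including a
			# second #CHECKSUM line) is reported rather than passed on
			errmsg="***WARNING*** Invalid checksum algorithm name \"$recordedalg\" in $vuls"
			;;
		*)
			calcsum=$(@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' "$vuls" | @DIGEST@ "$recordedalg")
			if [ "$recordedsum" != "$calcsum" ]; then
				errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
			fi
			;;
		esac
	fi
fi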
# if we have found an error, then complain and exit.  Both lines go to
# stderr so that stdout only ever carries the vulnerability report.
if [ -n "$errmsg" ]; then
	printf '%s\n' "$errmsg" 1>&2
	printf '%s\n' "** Please run download-vulnerability-list" 1>&2
	exit 1
fi
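# check for vulnerabilities.  Each non-comment line of $vuls is
#   <package-pattern> <vulnerability-type> <url>
# (url receives the remainder of the line) and every installed package
# matching the pattern is reported.  read -r keeps backslashes in the fields
# literal, and every expansion is quoted so that glob characters in a
# pattern or URL ('?', '*') are never expanded against the current
# directory.  The exit status is 0 even when vulnerable packages were
# reported; callers have to look at the output.
while read -r pat type url; do
	case "$pat" in
	\#*|'')	continue ;;
	esac
	if @PKG_TOOLS_BIN@/pkg_info -qe "$pat"; then
		# pkg_info -e prints one matching package per line; join them with
		# single spaces so the report stays on one line per pattern
		pkgs=$(@PKG_TOOLS_BIN@/pkg_info -e "$pat" | tr '\n' ' ')
		pkgs=${pkgs% }
		printf 'Package %s has a %s vulnerability, see %s\n' "$pkgs" "$type" "$url"
	fi
done < "$vuls"
exit 0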