

[pkgsrc/trunk]: pkgsrc Update audit-packages to 1.18.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e144af14d9ea
branches:  trunk
changeset: 460652:e144af14d9ea
user:      agc <agc%pkgsrc.org@localhost>
date:      Tue Sep 02 10:20:27 2003 +0000

description:
Update audit-packages to 1.18.

Changes from previous version:

+ rely on an embedded sha1 digest to tell whether the vulnerabilities
  file has been damaged in transit or received successfully, rather than
  trusting that the file will not grow smaller

+ use the new filename "pkg-vulnerabilities"

+ use definitions from defs.${OPSYS}.mk in the download-vulnerability-list
  script

+ at installation time, don't rely on "ln -sf" to DTRT - explicitly call
  "rm -f" before attempting the symbolic link

With thanks to seb@ for testing.

diffstat:

 doc/CHANGES                                               |   3 +-
 security/audit-packages/MESSAGE                           |   5 +-
 security/audit-packages/Makefile                          |  18 ++-
 security/audit-packages/files/audit-packages              |  22 ++--
 security/audit-packages/files/download-vulnerability-list |  67 ++++++++++----
 5 files changed, 77 insertions(+), 38 deletions(-)

diffs (203 lines):

diff -r 063898f70464 -r e144af14d9ea doc/CHANGES
--- a/doc/CHANGES       Tue Sep 02 09:55:44 2003 +0000
+++ b/doc/CHANGES       Tue Sep 02 10:20:27 2003 +0000
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES,v 1.3201 2003/09/02 09:43:07 martti Exp $
+$NetBSD: CHANGES,v 1.3202 2003/09/02 10:21:21 agc Exp $
 
 Changes to the packages collection and infrastructure in 2003:
 
@@ -3471,3 +3471,4 @@
        Updated nessus-plugins to 2.0.7 [frueauf 2003-09-02]
        Updated nessus to 2.0.7 [frueauf 2003-09-02]
        Updated rcs to 5.7nb2 [martti 2003-09-02]
+       Updated audit-packages to 1.18 [agc 2003-09-02]
diff -r 063898f70464 -r e144af14d9ea security/audit-packages/MESSAGE
--- a/security/audit-packages/MESSAGE   Tue Sep 02 09:55:44 2003 +0000
+++ b/security/audit-packages/MESSAGE   Tue Sep 02 10:20:27 2003 +0000
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.2 2002/09/24 12:30:33 wiz Exp $
+$NetBSD: MESSAGE,v 1.3 2003/09/02 10:20:27 agc Exp $
 
 You may wish to have the vulnerabilities file downloaded daily so that
 it remains current.  This may be done by adding an appropriate entry
@@ -8,7 +8,8 @@
 # download vulnerabilities file
 0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
 
-will update the vulnerability list every day at 3AM.
+will update the vulnerability list every day at 3AM. You may wish to do
+this more often than once a day.
 
 In addition, you may wish to run the package audit from the daily
 security script.  This may be accomplished by adding the following
diff -r 063898f70464 -r e144af14d9ea security/audit-packages/Makefile
--- a/security/audit-packages/Makefile  Tue Sep 02 09:55:44 2003 +0000
+++ b/security/audit-packages/Makefile  Tue Sep 02 10:20:27 2003 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.26 2003/08/22 10:11:57 agc Exp $
+# $NetBSD: Makefile,v 1.27 2003/09/02 10:20:27 agc Exp $
 
-DISTNAME=      audit-packages-1.17
+DISTNAME=      audit-packages-1.18
 WRKSRC=                ${WRKDIR}
 CATEGORIES=    security pkgtools
 MASTER_SITES=  # empty
@@ -31,18 +31,24 @@
                        -e 's|@PKGSRCDIR@|${_PKGSRCDIR}|g'              \
                        -e 's|@PKG_TOOLS_BIN@|${PKG_TOOLS_BIN}|g'       \
                        -e 's|@SH@|${SH}|g'                             \
-                       -e 's|@WC@|${WC}|g'                             \
+                       -e 's|@DIGEST@|${DIGEST}|g'                     \
+                       -e 's|@CHMOD@|${CHMOD}|g'                       \
+                       -e 's|@MV@|${MV}|g'                             \
+                       -e 's|@RM@|${RM}|g'                             \
+                       -e 's|@MKDIR@|${MKDIR}|g'                       \
                        ${FILESDIR}/$$f > ${WRKSRC}/$$f;                \
        done
        ${NROFF} ${WRKSRC}/audit-packages.8 >${WRKSRC}/audit-packages.0
 
 do-install:
        @for f in audit-packages download-vulnerability-list; do        \
-               ${INSTALL_SCRIPT} ${WRKSRC}/$$f ${PREFIX}/sbin; \
+               ${INSTALL_SCRIPT} ${WRKSRC}/$$f ${PREFIX}/sbin;         \
        done
        ${INSTALL_MAN} ${WRKSRC}/audit-packages.0 ${PREFIX}/man/cat8
        ${INSTALL_MAN} ${WRKSRC}/audit-packages.8 ${PREFIX}/man/man8
-       ${LN} -sf audit-packages.0 ${PREFIX}/man/cat8/download-vulnerability-list.0
-       ${LN} -sf audit-packages.8 ${PREFIX}/man/man8/download-vulnerability-list.8
+       ${RM} -f ${PREFIX}/man/cat8/download-vulnerability-list.0
+       ${LN} -s audit-packages.0 ${PREFIX}/man/cat8/download-vulnerability-list.0
+       ${RM} -f ${PREFIX}/man/man8/download-vulnerability-list.8
+       ${LN} -s audit-packages.8 ${PREFIX}/man/man8/download-vulnerability-list.8
 
 .include "../../mk/bsd.pkg.mk"
diff -r 063898f70464 -r e144af14d9ea security/audit-packages/files/audit-packages
--- a/security/audit-packages/files/audit-packages      Tue Sep 02 09:55:44 2003 +0000
+++ b/security/audit-packages/files/audit-packages      Tue Sep 02 10:20:27 2003 +0000
@@ -1,19 +1,19 @@
 #! @SH@
-# $NetBSD: audit-packages,v 1.10 2003/05/21 14:07:45 seb Exp $
+
+# $NetBSD: audit-packages,v 1.11 2003/09/02 10:20:28 agc Exp $
 
 : ${PKGVULNDIR=@PKGVULNDIR@}
 
-if [ ! -f ${PKGVULNDIR}/vulnerabilities ] ;then
-    echo "** Missing ${PKGVULNDIR}/vulnerabilities" 1>&2
-    echo "** run download-vulnerability-list" 1>&2
-    exit 1
+if [ ! -f ${PKGVULNDIR}/vulnerabilities ]; then
+       echo "** Missing ${PKGVULNDIR}/pkg-vulnerabilities" 1>&2
+       echo "** run download-vulnerability-list" 1>&2
+       exit 1
 fi
 
-if [ -n "$(find ${PKGVULNDIR}/vulnerabilities -ctime +7)" ]
-then
-    echo "** ${PKGVULNDIR}/vulnerabilities more than a week old" 1>&2
-    echo "** run download-vulnerability-list" 1>&2
-    exit 1
+if [ -n "$(find ${PKGVULNDIR}/pkg-vulnerabilities -ctime +7)" ]; then
+       echo "** ${PKGVULNDIR}/pkg-vulnerabilities more than a week old" 1>&2
+       echo "** run download-vulnerability-list" 1>&2
+       exit 1
 fi
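Review bot: The existence test `if [ ! -f ${PKGVULNDIR}/vulnerabilities ]; then` still names the old file, while the message directly beneath it and the later `find` and awk invocations use `pkg-vulnerabilities`; on a host that has only the new file, audit-packages reports it missing and exits 1, and on a host that still has only the old one the check passes and `find` then fails on a nonexistent path. Change the test to `if [ ! -f ${PKGVULNDIR}/pkg-vulnerabilities ]; then`. The second hunk of this file already switches the awk input to the new name, so this line appears to be the only remaining reference to the old one.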
 
 @AWK@ '
@@ -21,6 +21,6 @@
        NF == 0 { next }
        { cmd = sprintf("@PKG_TOOLS_BIN@/pkg_info -qe \"%s\" && echo Package \"`@PKG_TOOLS_BIN@/pkg_info -e '\''%s\'\''`\" has a %s vulnerability, see %s ; wait", $1, $1, $2, $3);
          system(cmd); }
-' ${PKGVULNDIR}/vulnerabilities
+' ${PKGVULNDIR}/pkg-vulnerabilities
 
 exit 0
diff -r 063898f70464 -r e144af14d9ea security/audit-packages/files/download-vulnerability-list
--- a/security/audit-packages/files/download-vulnerability-list Tue Sep 02 09:55:44 2003 +0000
+++ b/security/audit-packages/files/download-vulnerability-list Tue Sep 02 10:20:27 2003 +0000
@@ -1,34 +1,65 @@
 #! @SH@
-# $NetBSD: download-vulnerability-list,v 1.15 2003/08/22 10:11:58 agc Exp $
+
+# $NetBSD: download-vulnerability-list,v 1.16 2003/09/02 10:20:29 agc Exp $
 
 : ${PKGVULNDIR=@PKGVULNDIR@}
 
 if [ ! -e ${PKGVULNDIR} ]; then
        echo "Creating ${PKGVULNDIR}"
-       /bin/mkdir -p ${PKGVULNDIR} || (echo "Can't create ${PKGVULNDIR}" 1>&2; exit 1)
+       @MKDIR@ ${PKGVULNDIR} || (echo "Can't create ${PKGVULNDIR}" 1>&2; exit 1)
 fi
 
-VUL_SOURCE="ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities";
-NEW_VUL_LIST=vulnerabilities.$$
-EXIST_VUL_LIST=vulnerabilities
+VUL_SOURCE="ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities";
+NEW_VUL_LIST=pkg-vulnerabilities.$$
+EXIST_VUL_LIST=pkg-vulnerabilities
 
 cd ${PKGVULNDIR}
 @FETCH_CMD@ -o ${NEW_VUL_LIST} ${VUL_SOURCE}
-existsize=0
-newsize=0
+
+# see if the file got damaged while it was being downloaded
+errmsg=""
+recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${NEW_VUL_LIST}`
+recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' ${NEW_VUL_LIST}`
+case "$recordedsum" in
+"")    errmsg="***WARNING*** No checksum found in the downloaded vulnerabilities file"
+       ;;
+*)     case "$recordedalg" in
+       "")     errmsg="***WARNING*** No checksum algorithm found in the downloaded vulnerabilities file"
+               ;;
+       *)      calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' ${NEW_VUL_LIST} | @DIGEST@ $recordedalg`
+               if [ "$recordedsum" != "$calcsum" ]; then
+                       errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
+               fi
+               ;;
+       esac
+esac
+case "$errmsg" in
+"")    ;;
+*)     echo "$errmsg" 1>&2
+       @RM@ -f ${NEW_VUL_LIST}
+       exit 1
+       ;;
+esac
+
+# test to see if file has been changed
+neednew=false
 if [ -f ${EXIST_VUL_LIST} ]; then
-       existsize=`@WC@ -l ${EXIST_VUL_LIST} | @AWK@ '{ print $1 }'`
-fi
-if [ -f ${NEW_VUL_LIST} ]; then
-       newsize=`@WC@ -l ${NEW_VUL_LIST} | @AWK@ '{ print $1 }'`
-fi
-if [ $newsize -lt $existsize ]; then
-       echo "New vulnerability list ($newsize lines) is smaller than existing list ($existsize lines)" 1>&2
-       /bin/rm -f ${NEW_VUL_LIST}
-       exit 1
+       oldsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${EXIST_VUL_LIST}`
+       if [ "$oldsum" != "$calcsum" ]; then
+               neednew=true
+       fi
+else
+       neednew=true
 fi
 
-chmod a+r ${NEW_VUL_LIST}
-/bin/mv -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
+# if we need the new file, move it into position
+if $neednew; then
+       echo "Package vulnerabilities file has been modified"
+       @CHMOD@ a+r ${NEW_VUL_LIST}
+       @MV@ -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST}
+else
+       echo "No change from existing package vulnerabilities file"
+       @RM@ -f ${NEW_VUL_LIST}
+fi
 
 exit 0
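Review bot: The exit status of `@FETCH_CMD@ -o ${NEW_VUL_LIST} ${VUL_SOURCE}` is still unchecked, and the old `if [ -f ${NEW_VUL_LIST} ]` guard was removed, so a failed download now surfaces only as the misleading "No checksum found" warning produced by the awk calls below it; fail right after the fetch instead, e.g. `@FETCH_CMD@ -o ${NEW_VUL_LIST} ${VUL_SOURCE} || { echo "Download of ${VUL_SOURCE} failed" 1>&2; @RM@ -f ${NEW_VUL_LIST}; exit 1; }`. The new `else` branch discards an unchanged download without touching ${EXIST_VUL_LIST}, so its timestamp stops advancing while upstream is quiet and the `find ... -ctime +7` test in audit-packages will report the list as more than a week old even though the cron job succeeds every day; refreshing the existing file's timestamp in that branch, or recording the last successful download separately, keeps the staleness check honest. The comment `# see if the file got damaged while it was being downloaded` is accurate but worth extending with a sentence noting that the `#CHECKSUM` line is computed from the same file it travels in, so a mismatch detects corruption only and a matching sum says nothing about whether the list is the one the server published. `$recordedalg` is likewise read from the downloaded file and passed unquoted straight to `@DIGEST@`, so restricting it to the expected algorithm (the description says sha1) before invoking the tool would be a cheap guard.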


