Subject: pkg/12538: improvements to security/audit-packages
To: None <gnats-bugs@gnats.netbsd.org>
From: None <anne@alcor.concordia.ca>
List: netbsd-bugs
Date: 04/03/2001 10:53:05
>Number: 12538
>Category: pkg
>Synopsis: improvements to security/audit-packages
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Apr 03 10:54:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Anne Bennett
>Release: 1.5
>Organization:
Concordia University
>Environment:
NetBSD eridani.concordia.ca 1.5 NetBSD 1.5 (ERIDANI) #1: Tue Mar 20 15:48:34 EST 2001 anne@eridani.concordia.ca:/big/sources/usr/src/sys/arch/i386/compile/ERIDANI i386
>Description:
(1) Running download-vulnerability-list as it stands from cron will
spam the sysadmin with ftp output. Easy to fix: redirect output
to /dev/null as per the example in pkg/MESSAGE. Problem: now
we lose some error messages as well. Patch: make sure error
complaints in that script are spouted to STDERR, not STDOUT.
(2) ftp failure in download-vulnerability-list is not being detected
properly by the current "${FETCH_CMD} .. || (complain; exit 1)"
test. Patch: test for a non-zero vulnerability file instead.
Don't forget to remove any zero-length droppings, if any.
(3) Minor readability issue: set the source location for the
vulnerability list in a variable at the top of the script.
(4) PR 12457 reported that audit-packages complained spuriously
when the vulnerability list had not been updated in over a
week, and suggested touching it as a solution. This loses
the information of when the file was really last updated.
I'd prefer to always "mv" the new file into place, and use
mtime instead of ctime in the file freshness test.
>How-To-Repeat:
n/a
>Fix:
*** audit-packages.original Sat Oct 28 07:06:47 2000
--- audit-packages Tue Apr 3 13:44:52 2001
***************
*** 6,12 ****
exit 1
fi
! if [ -n "$(find ${DISTDIR}/vulnerabilities -mtime +7)" ]
then
echo "** ${DISTDIR}/vulnerabilities more than a week old" 1>&2
echo "** run download-vulnerability-list" 1>&2
--- 6,12 ----
exit 1
fi
! if [ -n "$(find ${DISTDIR}/vulnerabilities -ctime +7)" ]
then
echo "** ${DISTDIR}/vulnerabilities more than a week old" 1>&2
echo "** run download-vulnerability-list" 1>&2
*** download-vulnerability-list.original Tue Apr 3 07:52:32 2001
--- download-vulnerability-list Tue Apr 3 13:47:26 2001
***************
*** 1,21 ****
#! /bin/sh
NEW_VUL_LIST=${DISTDIR}/vulnerabilities.$$
if [ ! -e ${DISTDIR} ]; then
echo "Creating ${DISTDIR}"
! /bin/mkdir -p ${DISTDIR} || (echo "Can't create ${DISTDIR}"; exit 1)
fi
! ${FETCH_CMD} -o ${NEW_VUL_LIST} ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities || \
! (echo "Can't download vulnerability list"; exit 1)
!
! if /usr/bin/cmp -s ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities > /dev/null 2>&1; then
! /bin/rm -f ${NEW_VUL_LIST}
! else
! /bin/mv ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities
fi
! ${TOUCH} ${DISTDIR}/vulnerabilities
exit 0
--- 1,20 ----
#! /bin/sh
+ VUL_SOURCE="ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities"
NEW_VUL_LIST=${DISTDIR}/vulnerabilities.$$
if [ ! -e ${DISTDIR} ]; then
echo "Creating ${DISTDIR}"
! /bin/mkdir -p ${DISTDIR} || (echo "Can't create ${DISTDIR}" 1>&2; exit 1)
fi
! ${FETCH_CMD} -o ${NEW_VUL_LIST} ${VUL_SOURCE}
! if [ ! -s ${NEW_VUL_LIST} ]; then
! echo "Can't download vulnerability list" 1>&2
! /bin/rm -f ${NEW_VUL_LIST}
! exit 1
fi
! /bin/mv -f ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities
exit 0
>Release-Note:
>Audit-Trail:
>Unformatted: