Thu Jan 8 00:01:31 2009 UTC ()
pkg_install-20090108:
pkg_add optionally checks for vulnerable packages and bails out.


(joerg)
diff -r1.70.4.19 -r1.70.4.20 pkgsrc/pkgtools/pkg_install/files/add/perform.c
diff -r1.42.2.16 -r1.42.2.17 pkgsrc/pkgtools/pkg_install/files/lib/lib.h
diff -r1.1.2.5 -r1.1.2.6 pkgsrc/pkgtools/pkg_install/files/lib/parse-config.c
diff -r1.1.2.3 -r1.1.2.4 pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.5
diff -r1.1.2.3 -r1.1.2.4 pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
diff -r1.102.2.19 -r1.102.2.20 pkgsrc/pkgtools/pkg_install/files/lib/version.h

cvs diff -r1.70.4.19 -r1.70.4.20 pkgsrc/pkgtools/pkg_install/files/add/perform.c
--- pkgsrc/pkgtools/pkg_install/files/add/perform.c 2008/08/25 19:15:11 1.70.4.19
+++ pkgsrc/pkgtools/pkg_install/files/add/perform.c 2009/01/08 00:01:30 1.70.4.20
@@ -1,4 +1,4 @@
-/*	$NetBSD: perform.c,v 1.70.4.19 2008/08/25 19:15:11 joerg Exp $	*/
+/*	$NetBSD: perform.c,v 1.70.4.20 2009/01/08 00:01:30 joerg Exp $	*/
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
@@ -6,13 +6,13 @@
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: perform.c,v 1.70.4.19 2008/08/25 19:15:11 joerg Exp $");
+__RCSID("$NetBSD: perform.c,v 1.70.4.20 2009/01/08 00:01:30 joerg Exp $");
 
 /*-
  * Copyright (c) 2003 Grant Beattie <grant@NetBSD.org>
  * Copyright (c) 2005 Dieter Baron <dillo@NetBSD.org>
  * Copyright (c) 2007 Roland Illig <rillig@NetBSD.org>
- * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>
+ * Copyright (c) 2008, 2009 Joerg Sonnenberger <joerg@NetBSD.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1169,6 +1169,53 @@
 	return 1;
 }
 
+static int
+check_vulnerable(struct pkg_task *pkg)
+{
+	static struct pkg_vulnerabilities *pv;
+	size_t i;
+	int require_check;
+	char *line;
+	size_t len;
+
+	if (strcasecmp(check_vulnerabilities, "never") == 0)
+		return 0;
+	else if (strcasecmp(check_vulnerabilities, "always"))
+		require_check = 1;
+	else if (strcasecmp(check_vulnerabilities, "interactive"))
+		require_check = 0;
+	else {
+		warnx("Unknown value of the configuration variable"
+		    "CHECK_VULNERABILITIES");
+		return 1;
+	}
+
+	if (pv == NULL) {
+		pv = read_pkg_vulnerabilities(pkg_vulnerabilities_file,
+		    require_check, 0);
+		if (pv == NULL)
+			return require_check;
+	}
+
+	for (i = 0; i < pv->entries; ++i) {
+		if (!pkg_match(pv->vulnerability[i], pkg->pkgname))
+			continue;
+		if (strcmp("eol", pv->classification[i]) == 0)
+			continue;
+		warnx("Package %s has a %s vulnerability, see %s",
+		    pkg->pkgname, pv->classification[i], pv->advisory[i]);
+		fprintf(stderr, "Do you want to proceed with "
+		    "the installation of %s [y/n]?\n", pkg->pkgname);
+		line = fgetln(stdin, &len);
+		if (check_input(line, len)) {
+			fprintf(stderr, "Cancelling installation\n");
+			return 1;
+		}
+		return 0;
+	}
+	return 0;
+}
+
 /*
  * Install a single package.
  */
@@ -1205,6 +1252,9 @@
 		goto clean_memory;
 
 	if (check_signature(pkg, &signature_cookie, invalid_sig))
+		goto clean_memory;
+
+	if (check_vulnerable(pkg))
 		goto clean_memory;
 
 	if (pkg->meta_data.meta_mtree != NULL)

cvs diff -r1.42.2.16 -r1.42.2.17 pkgsrc/pkgtools/pkg_install/files/lib/lib.h
--- pkgsrc/pkgtools/pkg_install/files/lib/lib.h 2008/12/30 15:55:57 1.42.2.16
+++ pkgsrc/pkgtools/pkg_install/files/lib/lib.h 2009/01/08 00:01:31 1.42.2.17
@@ -1,4 +1,4 @@
-/* $NetBSD: lib.h,v 1.42.2.16 2008/12/30 15:55:57 joerg Exp $ */
+/* $NetBSD: lib.h,v 1.42.2.17 2009/01/08 00:01:31 joerg Exp $ */
 
 /* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */
 
@@ -412,6 +412,7 @@
 extern const char *cert_chain_file;
 extern const char *certs_packages;
 extern const char *certs_pkg_vulnerabilities;
+extern const char *check_vulnerabilities;
 extern const char *config_file;
 extern const char *verified_installation;
 extern const char *gpg_cmd;

cvs diff -r1.1.2.5 -r1.1.2.6 pkgsrc/pkgtools/pkg_install/files/lib/parse-config.c
--- pkgsrc/pkgtools/pkg_install/files/lib/parse-config.c 2008/08/21 16:04:39 1.1.2.5
+++ pkgsrc/pkgtools/pkg_install/files/lib/parse-config.c 2009/01/08 00:01:31 1.1.2.6
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse-config.c,v 1.1.2.5 2008/08/21 16:04:39 joerg Exp $	*/
+/*	$NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $	*/
 
 #if HAVE_CONFIG_H
 #include "config.h"
@@ -8,7 +8,7 @@
 #include <sys/cdefs.h>
 #endif
 #ifndef lint
-__RCSID("$NetBSD: parse-config.c,v 1.1.2.5 2008/08/21 16:04:39 joerg Exp $");
+__RCSID("$NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $");
 #endif
 
 /*-
@@ -58,6 +58,7 @@
 const char *cert_chain_file;
 const char *certs_packages;
 const char *certs_pkg_vulnerabilities;
+const char *check_vulnerabilities;
 const char *verified_installation;
 const char *gpg_cmd;
 const char *pkg_vulnerabilities_dir;
@@ -75,6 +76,7 @@
 	{ "CERTIFICATE_ANCHOR_PKGS", &certs_packages },
 	{ "CERTIFICATE_ANCHOR_PKGVULN", &certs_pkg_vulnerabilities },
 	{ "CERTIFICATE_CHAIN", &cert_chain_file },
+	{ "CHECK_VULNERABILITIES", &check_vulnerabilities },
 	{ "GPG", &gpg_cmd },
 	{ "IGNORE_PROXY", &ignore_proxy },
 	{ "IGNORE_URL", &ignore_advisories },
@@ -107,6 +109,9 @@
 	}
 	if (verified_installation == NULL)
 		verified_installation = "never";
+
+	if (check_vulnerabilities == NULL)
+		check_vulnerabilities = "never";
 
 	snprintf(fetch_flags, sizeof(fetch_flags), "%s%s%s",
 	    (verbose_netio && *verbose_netio) ? "v" : "",

cvs diff -r1.1.2.3 -r1.1.2.4 pkgsrc/pkgtools/pkg_install/files/lib/Attic/pkg_install.conf.5
--- pkgsrc/pkgtools/pkg_install/files/lib/Attic/pkg_install.conf.5 2008/08/21 16:10:01 1.1.2.3
+++ pkgsrc/pkgtools/pkg_install/files/lib/Attic/pkg_install.conf.5 2009/01/08 00:01:31 1.1.2.4
@@ -1,6 +1,6 @@
-.\"	$NetBSD: pkg_install.conf.5,v 1.1.2.3 2008/08/21 16:10:01 joerg Exp $
+.\"	$NetBSD: pkg_install.conf.5,v 1.1.2.4 2009/01/08 00:01:31 joerg Exp $
 .\"
-.\" Copyright (c) 2008 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This code is derived from software contributed to The NetBSD Foundation
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 21, 2008
+.Dd January 8, 2009
 .Dt PKG_INSTALL.CONF 5
 .Os
 .Sh NAME
@@ -67,6 +67,18 @@
 Path to a file containing additional certificates that can be used
 for completing certicate chains when validating binary packages or
 pkg-vulnerabilities files.
+.Dv CHECK_VULNERABILITIES
+Check for vulnerabilities when installating packages.
+Supported values are:
+.Bl -tag -width interactiveXX
+.It Dv never
+No check is performed.
+.It Dv always
+Passing the vulnerability check is required.
+A missing pkg-vulnerabilities file is considered an error.
+.It Dv interactive
+The user is always asked to confirm installation of vulnerable packages.
+.El
 .It Dv GPG
 Deprecated.
 Path to

cvs diff -r1.1.2.3 -r1.1.2.4 pkgsrc/pkgtools/pkg_install/files/lib/Attic/pkg_install.conf.cat5
--- pkgsrc/pkgtools/pkg_install/files/lib/Attic/pkg_install.conf.cat5 2008/08/21 16:10:01 1.1.2.3
+++ pkgsrc/pkgtools/pkg_install/files/lib/Attic/pkg_install.conf.cat5 2009/01/08 00:01:31 1.1.2.4
@@ -31,8 +31,19 @@
      CERTIFICATE_CHAIN
              Path to a file containing additional certificates that can be
              used for completing certicate chains when validating binary pack-
-             ages or pkg-vulnerabilities files.
+             ages or pkg-vulnerabilities files.  CHECK_VULNERABILITIES Check
+             for vulnerabilities when installating packages.  Supported values
+             are:
 
+             never          No check is performed.
+
+             always         Passing the vulnerability check is required.  A
+                            missing pkg-vulnerabilities file is considered an
+                            error.
+
+             interactive    The user is always asked to confirm installation
+                            of vulnerable packages.
+
      GPG     Deprecated.  Path to gpg(1), which can be used to verify the sig-
              nature in the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running
                    ppkkgg__aaddmmiinn cchheecckk--ppkkgg--vvuullnneerraabbiilliittiieess --ss
@@ -88,4 +99,4 @@
 SSEEEE AALLSSOO
      pkg_add(1), pkg_admin(1)
 
-NetBSD 4.0                      August 21, 2008                     NetBSD 4.0
+NetBSD 5.0                      January 8, 2009                     NetBSD 5.0

cvs diff -r1.102.2.19 -r1.102.2.20 pkgsrc/pkgtools/pkg_install/files/lib/version.h
--- pkgsrc/pkgtools/pkg_install/files/lib/version.h 2008/12/30 15:55:57 1.102.2.19
+++ pkgsrc/pkgtools/pkg_install/files/lib/version.h 2009/01/08 00:01:31 1.102.2.20
@@ -1,4 +1,4 @@
-/*	$NetBSD: version.h,v 1.102.2.19 2008/12/30 15:55:57 joerg Exp $	*/
+/*	$NetBSD: version.h,v 1.102.2.20 2009/01/08 00:01:31 joerg Exp $	*/
 
 /*
  * Copyright (c) 2001 Thomas Klausner.  All rights reserved.
@@ -27,6 +27,6 @@
 #ifndef _INST_LIB_VERSION_H_
 #define _INST_LIB_VERSION_H_
 
-#define PKGTOOLS_VERSION "20081230"
+#define PKGTOOLS_VERSION "20090108"
 
 #endif /* _INST_LIB_VERSION_H_ */