On Sat, 17 Mar 2007, Karel Kulhavy wrote:

What about Charlie Root testing something remotely through cron and then

Ok, I'll bite. This is not hard. Here's something I did real quick. Use at your own risk. Replace XXX with your closest ftp mirror from http://www.openbsd.org/ftp.html. Read the comments.

As root:

patch -p0 < [extract patch from below my sig]
mkdir -m 755 /var/errata
chown root:wheel /etc/errata
chmod 644 /etc/errata

Run `sh /etc/errata` by hand to test it as a non-root user. You can forgo the patch to /etc/daily and run the script standalone as needed; otherwise root will receive a daily errata output e-mail.

--
Kyle George

--- /usr/src/etc/daily  Tue Dec  6 15:18:56 2005
+++ /etc/daily  Sun Mar 18 00:52:35 2007
@@ -20,8 +20,13 @@
        rm -f ${TMP}
        exit 1
 }
+OUT2=`mktemp /tmp/_errata.XXXXXXXXXX` || {
+    rm -f ${TMP}
+    rm -f ${OUT}
+    exit 1
+}

-trap 'rm -f $TMP $OUT' 0 1 15
+trap 'rm -f $TMP $OUT $OUT2' 0 1 15

 echo ""
 echo "Removing scratch and junk files:"
@@ -174,3 +179,9 @@
 if [ -s $OUT ]; then
     mail -s "`hostname` daily insecurity output" root < $OUT
 fi
+
+sh /etc/errata 2>&1 > $OUT2
+if [ -s $OUT2 ]; then
+    mail -s "`hostname` daily errata output" root < $OUT2
+fi
+
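Review bot: The redirections on `sh /etc/errata 2>&1 > $OUT2` are in the wrong order for the `-s $OUT2` test that follows: `2>&1` duplicates stderr onto daily's current stdout before stdout is moved to $OUT2, so anything the errata script or its children write to stderr lands in daily's own output mail rather than in $OUT2. Write it as `sh /etc/errata > $OUT2 2>&1` so both streams are captured in the file that is mailed. Separately, this adds a daily root-run fetch-and-unpack of a remote archive to /etc/daily; since the check only needs read access to /var/errata, consider running it under an unprivileged account rather than as root.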
--- /usr/src/etc/changelist     Tue Dec 27 23:57:28 2005
+++ /etc/changelist     Mon Mar 19 13:58:18 2007
@@ -27,6 +27,7 @@
 /etc/dhcpd.interfaces
 /etc/disktab
 /etc/distfile
+/etc/errata
 /etc/ethers
 /etc/exports
 /etc/fbtab
--- /dev/null   Mon Mar 19 15:33:55 2007
+++ /etc/errata Mon Mar 19 15:20:10 2007
@@ -0,0 +1,146 @@
+#!/bin/sh -
+#
+# Check for available/changed OpenBSD errata.
+#
+# Description and Usage:
+#
+#   Replace ftp.openbsd.org/pub/OpenBSD with your favorite mirror from
+#   the list: http://www.openbsd.org/ftp.html.
+#
+#   Check for available errata by looking at the errata X.Y.tar.gz from
+#   the OpenBSD ftp site (or preferrably, a mirror).  Also check for
+#   errata that may have been revised since first issued or applied.
+#   This works by comparing the listing of /var/errata and the contents
+# of non-empty patch files in /var/errata to the available errata in
+# the errata archive.
+#
+#   Let ${PNNN} be the three digit patch number and ${PNAME} be the
+#   patch filename:  After applying a patch or to ignore a particular
+#   erratum, cp the patch to /var/errata, cp the patch to
+#   /var/errata/${PNNN}, touch /var/errata/${PNAME}, or touch
+#   /var/errata/${PNNN}.
+#
+#   Example: After applying erratum 010 for 4.0, cp 010_m_dup1.patch
+#   to /var/errata, cp 010_m_dup1.patch to /var/errata/010, touch
+#   /var/errata/010_m_dup1.patch, or touch /var/errata/010 to indicate
+#   that erratum 010 has been applied.
+#
+# It's strongly recommended to copy the full patch so this script can
+#   detect future patch revisions.
+#
+# Caveats:
+#
+#   Dependent on the structure and location of X.Y.tar.gz.
+#   Does not check for errata from the ports collection.
+#   Does not handle errata that do not have associated .patch files.
+#   Remember to remove /var/errata/* after upgrading.
+#
+# Copyright (c) 2007 Kyle George <[EMAIL PROTECTED]>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Cleanup temporaries
+cleanup()
+{
+  test -f ${ERRATA_TGZ_TMP_FILE} && \
+    rm -f ${ERRATA_TGZ_TMP_FILE}
+  test -d ${ERRATA_TGZ_TMP_DIR} && \
+    test $(dirname ${ERRATA_TGZ_TMP_DIR}) = "/tmp" && \
+      rm -Rf ${ERRATA_TGZ_TMP_DIR}
+}
+
+# Terminate from error
+error()
+{
+  if [ X"$1" != X"" ] ; then
+    echo error: $1
+  else
+    echo error: unexpected error
+  fi
+  exit 1
+}
+
+# Setup: Build file/path names/URLs and make temporary files/directories
+
+trap cleanup 0 1 2 3 13 15
+
+ERRATA_DIR=/var/errata
+ERRATA_TGZ_URL=ftp://XXX/pub/OpenBSD/patches/$(uname -r).tar.gz
+ERRATA_TGZ_TMP_DIR=$(mktemp -d /tmp/_errata_tgz_tmp_dir.XXXXXXXXXX) || error
+ERRATA_TGZ_TMP_FILE=$(mktemp /tmp/_errata_tgz_tmp_file.XXXXXXXXXX) || error
+
+# Make ERRATA_DIR if it doesn't exist
+
+if [ ! -d ${ERRATA_DIR} ] ; then
+  mkdir -m 755 ${ERRATA_DIR} || \
+    error "could not make errata directory"
+fi
+
+# Download X.Y.tar.gz and extract
+
+lynx -source ${ERRATA_TGZ_URL} > ${ERRATA_TGZ_TMP_FILE} 2> /dev/null
+
+if [ $? -ne 0 ] ; then
+  # Failed; maybe X.Y.tar.gz doesn't exist; let's check
+  ERRATA_TGZ_COUNT=$(($(
+    lynx -source $(dirname ${ERRATA_TGZ_URL}) 2> /dev/null |
+    grep '[0-9]\.[0-9]\.tar\.gz' |
+    wc -l
+  )))
+  if [ ${ERRATA_TGZ_COUNT} -gt 0 ] ; then
+    # Other X.Y.tar.gz's are there, so ...
+ error "could not retrieve errata archive; not available or no errata"
+ else
+    error "could not retrieve errata archive"
+  fi
+fi
+
+tar -C ${ERRATA_TGZ_TMP_DIR} -xzf ${ERRATA_TGZ_TMP_FILE} > /dev/null \
+  2>&1 || \
+    error "could not unarchive errata archive"
+
+# Build list of errata from X.Y.tar.gz for the current arch, making sure
+# to sanitize the names just in case
+
+ERRATA_LIST=$(
+  find ${ERRATA_TGZ_TMP_DIR} \
+    \( -type f -name '[0-9][0-9][0-9][A-Za-z0-9_.-]*\.patch' \
+      \( -path "*$(uname -r)/common/*" -or \
+         -path "*$(uname -r)/$(machine)/*" \) \) |
+  sort -u -t / -k 6
+)
+
+# For each erratum, extract the erratum name/number and try to find the
+# local patch file.  Echo to stdout if we think a new erratum is
+# available or if we think a previously applied erratum has changed.
+
+for ERRATUM_TGZ_FILE in ${ERRATA_LIST} ; do
+  ERRATUM_NAME=$(basename ${ERRATUM_TGZ_FILE})
+  ERRATUM_NUM=$(echo ${ERRATUM_NAME} | cut -b 1-3)
+
+  if [ -f ${ERRATA_DIR}/${ERRATUM_NAME} ] ; then
+    ERRATUM_LOCAL_FILE=${ERRATA_DIR}/${ERRATUM_NAME}
+  else
+    ERRATUM_LOCAL_FILE=${ERRATA_DIR}/${ERRATUM_NUM}
+  fi
+
+  if [ ! -f ${ERRATUM_LOCAL_FILE} ] ; then
+    echo possible erratum not applied: ${ERRATUM_NUM}: ${ERRATUM_NAME}
+  elif [ -s ${ERRATUM_LOCAL_FILE} ] ; then
+    diff ${ERRATUM_LOCAL_FILE} ${ERRATUM_TGZ_FILE} > /dev/null 2>&1 || \
+      echo possible erratum changed: ${ERRATUM_NUM}: ${ERRATUM_NAME}
+  fi
+done
+
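Review bot: `tar -C ${ERRATA_TGZ_TMP_DIR} -xzf ${ERRATA_TGZ_TMP_FILE}` unpacks an archive fetched over plain FTP with no integrity check, and when invoked from /etc/daily this runs as root; OpenBSD tar strips leading slashes by default, but unless it also rejects `..` components a substituted archive from the mirror or an on-path attacker could write outside the temp directory. Listing before extracting is cheap: `tar -tzf ${ERRATA_TGZ_TMP_FILE} | grep -Eq -e '^/' -e '(^|/)\.\.(/|$)' && error "suspicious path in errata archive"`. The header comment should also state that the mirror chosen for XXX is a trust decision, since nothing here verifies the archive contents. Separately, `cleanup` runs `test -f ${ERRATA_TGZ_TMP_FILE}` and `test -d ${ERRATA_TGZ_TMP_DIR}` unquoted, so if `mktemp -d` fails and `error` exits before the second variable is assigned, the one-argument `test` form is true and `rm -f`/`dirname` run with no operand; quoting the expansions (`test -f "${ERRATA_TGZ_TMP_FILE}"`, `test -d "${ERRATA_TGZ_TMP_DIR}"`) fixes that and also protects `rm -Rf` from word-splitting.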
