The overall idea is to have something like NetBSD's security/audit-packages (http://www.netbsd.org/Documentation/pkgsrc/features.html#id2980060), which uses commands like

    pkg_info -E 'apache>=2.0<2.0.45' && echo " vulnerable: see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132"

to test for installed vulnerable packages.

The following features have been added:

* patterns can have relational operators (<, >, <=, >=, ==, !=) with a version number appended; if they do, the pattern matches only the base name, and the versions will be compared according to the relational operator. Multiple operators can be used; all of them have to match (logical and). E.g. a glob pattern 'openldap-*>2.0<2.1' matches:

    openldap-server-2.0.27_2
    openldap-client-2.0.27

  it does not match:

    openldap-server-2.1.22 (version number mismatch)
    openldap-2.0.27 (glob pattern does not match)

* flag -E (pkg_info): list matching package names only (mainly for scripts), return 0 if any packages match, 1 otherwise.

    pkg_info -E 'openssh<3.6.1_2' && echo " vulnerable: http://www.openssh.com/txt/buffer.adv"

* flag -T (pkg_version): test if a given name matches a given pattern (mainly for scripts)

    pkg_version -T 'unzip-5.50' 'unzip<5.50_3' && \
      echo "before installing, please upgrade your port collection: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282"

* flag -X (pkg_info, pkg_delete, pkg_version): interpret arguments as extended regular expressions (instead of regular expressions):

    pkg_info -Ix '^openldap-\(client\)\{0,1\}\(server\)\{0,1\}-'  =>  pkg_info -IX '^openldap-(client|server)-'

* to get a more robust version number sorting, the version compare routines have been completely rewritten. The following structure of FreeBSD version numbers is assumed:

  - FreeBSD version numbers are composed of components separated by dots.
    A component consists of a version number, a letter and a patchlevel number (number letter number), where either the version number or the letter is optional; the patchlevel may only be present if it is preceded by a letter. This does not conform to the porter's handbook, but let us formulate rules that fit the current practice and are far simpler than making decisions based on the order of nutters and lembers. Besides, people use versions like 10b2 in the ports...
  - characters !~ [a-zA-Z0-9.] are treated as separators (1.0+2003.09.16 = 1.0.2003.09.16); this may not be what you expect: 1.0.1+2003.09.16 < 1.0+2003.09.16
  - consecutive separators are collapsed (10..1 = 10.1)
  - missing separators are inserted, letter number letter => letter number . letter (10a1b2 = 10a1.b2)
  - only the first letter is significant (except for the special string "pl"), and case is ignored (1.a2 = 1.alpha2 = 1.Anything2)
  - the letter sort order is: pl, a, b, ..., z
  - missing letters sort like "pl" (5 = 5pl0, 10 < 10a)
  - missing version numbers sort as -1 (a2 < 0.1, 10.a2 < 10.0)
  - missing components are assumed to be 0 (10 = 10.0 = 10.0.0)

  In case anybody is interested, this gives the following sort orders:

    10.a = 10.a.0 = 10.a0 < 10 = 10.0 < 10a = 10a.0 = 10a0
    11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
    6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 = 6r3b2 < 6r3
    8.pl3 < 8.0 < 8.0pl3 < 8pl3
    2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

  the perl pkg_version on 4.x is nearly identical:

    10.a < 10.a.0 < 10.a0 < 10 < 10.0 < 10a < 10a.0 < 10a0
    11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
    6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
    8.pl3 < 8.0 < 8.0pl3 < 8pl3
    2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

  whereas pkg_version on 5.x has:

    10.a.0 < 10.a < 10.a0 < 10 < 10.0 < 10a0 < 10a.0 < 10a
    11.b.1 < 11.b < 11.b1 < 11 < 11.1 < 11b.1 < 11b < 11b1
    6.r2b3 = 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
    8.pl3 < 8.0 < 8.0pl3 < 8pl3
    2.a+1.15 < 2.a2+1.15 < 2.a2+10.3 < 2.a+10.3

  and is not transitive:

    10.a.0 < 10.a < 10.a0, but 10.a.0 > 10.a0
    10a0 < 10a.0 < 10a, but 10a0 > 10a
    8.pl3 < 8.0 < 8.0pl3, but 8.0pl3 == 8.pl3

  portsversion from portupgrade follows the 4.x perl script with the exception of:

    2.a2+1.15 < 2.a2+10.3 < 2.a+1.15 < 2.a+10.3

  Besides, a bug has been fixed that allows version numbers to be parsed on ports with a number following an underscore (currently thx_1138, pips750_2000 and ruby-cast_256):

    ruby-cast_256-1.0 < ruby-cast_256-1.0_1

  (it's ruby-cast_256-1.0 > ruby-cast_256-1.0_1 on 5.x and ruby-cast_256-1.0 = ruby-cast_256-1.0_1 on 4.x)

* pkg_version uses /usr/ports/INDEX-5 on 5.x and /usr/ports/INDEX on 4.x (important for the port sysutils/pkg_install and a MFC)

Fix:

A patch is on ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz

MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43

*** FreeBSD 5.X ***

Apply it to your source tree (replaces base tools):

    # fetch ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz
    # md5 patch-pkg_install-20030917.gz
    # gzcat patch-pkg_install-20030917.gz | patch -p0 -d /usr/src/usr.sbin/pkg_install
    # cd /usr/src/usr.sbin/pkg_install; make clean all install

Test with:

    # pkg_info -P
    Package tools revision: 20030917

*** FreeBSD 4.X ***

Apply the following patch to port sysutils/pkg_install:

Test with:

    # /usr/local/sbin/pkg_info -P
    Package tools revision: 20030917

diff -Nur pkg_install/Makefile.orig pkg_install/Makefile --- pkg_install/Makefile.orig Thu Sep 4 18:40:45 2003 +++ pkg_install/Makefile Wed Sep 17 16:43:46 2003
@@ -12,6 +12,10 @@ MASTER_SITES= ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= marcus +PATCH_SITES= ftp://ftp.fillmore-labs.com/pub/FreeBSD/%SUBDIR%/ +PATCH_SITE_SUBDIR= patches +PATCHFILES= patch-pkg_install-20030917.gz + MAINTAINER= portmgr@freebsd.org COMMENT= FreeBSD 5.x version of the package tools for older system releases diff -Nur pkg_install/distinfo.orig pkg_install/distinfo --- pkg_install/distinfo.orig Wed Sep 3 18:11:20 2003 +++ pkg_install/distinfo Wed Sep 17 17:00:56 2003 @@ -1 +1,2 @@ MD5 (pkg_install-20030714.tar.gz) = 183bed34c5427aeaf2025d9e2176e9ed +MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43
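Review bot: the Makefile hunk makes the port's build depend on an external host reached over plain FTP (PATCH_SITES= ftp://ftp.fillmore-labs.com/pub/FreeBSD/%SUBDIR%/), and the follow-up on this PR already reports that host as unresolvable; shipping the patch in the port's files/ directory instead of via PATCHFILES removes that dependency. Nothing in the hunk bumps PORTREVISION although the installed binaries change, so pkg_version would not flag the port for upgrade unless that is done elsewhere in the Makefile.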
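Review bot: the distinfo hunk records only an MD5 for the fetched patch, and that checksum is the sole integrity check on a file pulled over unauthenticated FTP; the value added (82ddd00ae3f48e4cb2f186363820cd43) should be confirmed against the md5 step in the 5.X instructions above (it matches the value quoted there) before commit, because a mismatch would otherwise only surface as a fetch-time checksum failure for every user of the port.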
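An added example, not part of the PR or of the pkg_install patch: a Python re-implementation of the version-component rules and the relational-operator pattern matching described above, used the way an audit script would use `pkg_info -E`. It assumes a package name splits into base name and version at its last '-', that a letter run must be exactly "pl" to count as the special patchlevel marker, and that a missing patchlevel sorts as 0 (which the report's own sort orders imply); the installed-package list is constructed, not taken from a real system.

```python
"""Version comparison and pattern matching per the rules in the PR (added example)."""
import re
import fnmatch
from functools import cmp_to_key

_SEP = re.compile(r'[^A-Za-z0-9.]')               # anything outside [a-zA-Z0-9.] separates
_TOK = re.compile(r'\d+|[A-Za-z]+')                # digit / letter runs inside one component
_OP = re.compile(r'(<=|>=|==|!=|<|>)([^<>=!]+)')   # one relational clause of a pattern


def _letter_rank(run):
    # sort order is pl, a, b, ..., z; only the first letter counts, case is ignored
    # (assumption: the run must be exactly "pl" to be the special patchlevel marker)
    run = run.lower()
    return 0 if run == 'pl' else ord(run[0]) - ord('a') + 1


def parse_version(version):
    """Return a list of (number, letter_rank, patchlevel) components.
    Missing number -> -1, missing letter -> pl (0), missing patchlevel -> 0."""
    comps = []
    for chunk in _SEP.sub('.', version).split('.'):   # empty chunks = collapsed separators
        toks = _TOK.findall(chunk)
        i = 0
        while i < len(toks):
            num, letter, patch = -1, 0, 0
            if toks[i].isdigit():
                num, i = int(toks[i]), i + 1
            if i < len(toks) and toks[i].isalpha():
                letter, i = _letter_rank(toks[i]), i + 1
                if i < len(toks) and toks[i].isdigit():   # patchlevel only after a letter
                    patch, i = int(toks[i]), i + 1
            comps.append((num, letter, patch))            # "10a1b2" -> (10,a,1), (-1,b,2)
    return comps


def compare_versions(a, b):
    """-1, 0 or 1; missing trailing components count as 0 (10 = 10.0 = 10.0.0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [(0, 0, 0)] * (n - len(pa))
    pb += [(0, 0, 0)] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


_TESTS = {'<': lambda c: c < 0, '<=': lambda c: c <= 0, '>': lambda c: c > 0,
          '>=': lambda c: c >= 0, '==': lambda c: c == 0, '!=': lambda c: c != 0}


def split_pkgname(pkg):
    """'openldap-server-2.0.27_2' -> ('openldap-server', '2.0.27_2'); split at last '-'."""
    name, _, version = pkg.rpartition('-')
    return name, version


def match_pattern(pkg, pattern):
    """pkg_info -E style match: glob on the base name, then every relational clause
    must hold (logical and). A pattern without operators is a plain glob on the
    full package name."""
    m = re.search(r'[<>=!]', pattern)
    if m is None:
        return fnmatch.fnmatchcase(pkg, pattern)
    base, clauses = pattern[:m.start()], pattern[m.start():]
    ops = _OP.findall(clauses)
    if ''.join(o + v for o, v in ops) != clauses:
        raise ValueError('malformed relational pattern: %r' % pattern)
    name, version = split_pkgname(pkg)
    if not fnmatch.fnmatchcase(name, base):
        return False
    return all(_TESTS[o](compare_versions(version, v)) for o, v in ops)


def vulnerable_packages(installed, pattern):
    """Names from `installed` matching `pattern` (what pkg_info -E would print)."""
    return [p for p in installed if match_pattern(p, pattern)]


if __name__ == '__main__':
    # constructed sample of installed packages (not from a real system)
    installed = ['openldap-server-2.0.27_2', 'openldap-client-2.0.27',
                 'openldap-server-2.1.22', 'openldap-2.0.27', 'openssh-3.6.1_1']
    print(vulnerable_packages(installed, 'openldap-*>2.0<2.1'))
    print(vulnerable_packages(installed, 'openssh<3.6.1_2'))
    print(sort_versions(['6r3', '6.r2b3', '6r.3b2', '6.0r2b3', '6r3b2', '6r.3b.2']))
```

Run as a script it prints the two `openldap` 2.0.x packages, the old `openssh`, and the `6r...` chain in the order the report lists. The one design choice worth noting: every non-alphanumeric character (including `+` and `_`) becomes a component separator, which is exactly why `1.0.1+2003.09.16` sorts below `1.0+2003.09.16` and why `ruby-cast_256-1.0_1` sorts above `ruby-cast_256-1.0` once the name is split at the last hyphen.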
Patch is unfetchable. Host unresolved. Fix please. -- Sem.
Just for the record: This and other features have been integrated into port sysutils/pkg_install-devel, which is used to compare version numbers in portaudit. The version number sort and matching rules have slightly changed from those cited above (as of pkg_install-devel version 20040512):

- version numbers using `+' now sort as expected
- a missing patchlevel number now sorts as -1 for consistency with missing version numbers, giving 10.a < 10.a0, which is in line with the existing tools
- a component `*' has been introduced, which is guaranteed to sort *before* every other number, so that >=2.* <3.* will match *all* 2.x releases (even 2.alpha)
- csh style {} glob patterns can be used

-Oliver
State Changed From-To: open->patched Awaiting MFC
Responsible Changed From-To: freebsd-bugs->eik Handle my own PRs
State Changed From-To: patched->closed MFCed