Patches

Patches for OpenBSD are applied to the source code; no binary patches are available, so the kernel or other parts of the operating system must be recompiled. Patches can be downloaded from the OpenBSD errata page. The following example shows patching OpenBSD 4.4 i386 as of 03/28/2009.

To get the system ready for patching, the OpenBSD source code must be unpacked. You can find it on the third CD-ROM or on the Internet:

# mkdir -p /home/openbsd/src
# cd /home/openbsd/
# ftp -4 -V ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/4.4/src.tar.gz
# ftp -4 -V ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/4.4/sys.tar.gz
# ftp -4 -V ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/4.4/xenocara.tar.gz

# cd src
# tar xfz ../src.tar.gz
# tar xfz ../sys.tar.gz
# tar xfz ../xenocara.tar.gz

# rm -rf /usr/src
# ln -s /home/openbsd/src /usr/src

As of today there are 11 patches available: 4 security fixes and 7 reliability fixes.

# cd /home/openbsd
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/001_ndp.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/002_vr.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/003_tcpinput.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/004_httpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/005_pglistalloc.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/006_dhcpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/009_bgpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/010_bgpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/011_sudo.patch

It is important to read the instructions in each patch carefully. There are three types of patches: kernel, userland and X11, but any patch may contain special instructions.

# cd /home/openbsd
# head -6 001*
Apply by doing:
        cd /usr/src
        patch -p0 < 001_ndp.patch

Then build and install a new kernel.

# head -6 002* 
Apply by doing:
        cd /usr/src
        patch -p0 < 002_vr.patch

Then build and install a new kernel.

# head -6 003*
Apply by doing:
        cd /usr/src
        patch -p0 < 003_tcpinput.patch

Then build and install a new kernel.

# head -18 004*
Apply by doing:
        cd /usr/src
        patch -p0 < 004_httpd.patch

And then rebuild and install httpd and its modules:
        cd usr.sbin/httpd
        make -f Makefile.bsd-wrapper obj
        make -f Makefile.bsd-wrapper cleandir
        make -f Makefile.bsd-wrapper depend
        make -f Makefile.bsd-wrapper
        make -f Makefile.bsd-wrapper install

If httpd had been started, you might want to run
        apachectl stop
before running "make install", and
        apachectl start
afterwards.

# head -6 005*
Apply by doing:
        cd /usr/src
        patch -p0 < 005_pglistalloc.patch

Then build and install a new kernel.

# head -9 006*
Apply by doing:
        cd /usr/src
        patch -p0 < 006_dhcpd.patch

And then rebuild and install file:
        cd usr.sbin/dhcpd
        make
        make install

# head -9 007*
Apply by doing:
        cd /usr/src
        patch -p0 < 007_openssl.patch

And then rebuild and install the library:
        cd lib/libssl
        make
        make install

# head -9 008*
Apply by doing:
        cd /usr/src
        patch -p0 < 008_bind.patch

And then rebuild and install bind:
        cd usr.sbin/bind
        make -f Makefile.bsd-wrapper 
        make -f Makefile.bsd-wrapper install

# head -10 009*
Apply by doing:
        cd /usr/src
        patch -p0 < 009_bgpd.patch

And then rebuild and install bgpd:
        cd usr.sbin/bgpd
        make depend
        make
        make install

# head -10 010*
Apply by doing:
        cd /usr/src
        patch -p0 < 010_bgpd.patch

And then rebuild and install bgpd:
        cd usr.sbin/bgpd
        make depend
        make
        make install

# head -10 011*
Apply by doing:
        cd /usr/src
        patch -p0 < 011_sudo.patch

And then rebuild and install sudo:
        cd usr.bin/sudo
        make depend
        make
        make install
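
The headers above follow two patterns: either a new kernel is required, or one userland directory has to be rebuilt. The shell functions below are an added example, not part of the original page or of OpenBSD; they read each patch header and list every rebuild target once. The function names, the rule that the instructions end at the first `Index: ` or `--- ` line, and the constructed sample files are assumptions of this example.

```shell
# Added example: derive a rebuild plan from errata patch headers.
# Assumption: the instructions end at the first "Index: " or "--- " line.
patch_header() {
    awk '/^Index: / || /^--- / { exit } { print }' "$1"
}

# "kernel" if the header asks for a new kernel, otherwise "userland".
patch_kind() {
    if patch_header "$1" | grep -q 'build and install a new kernel'
    then echo kernel; else echo userland; fi
}

# First relative "cd" in the header, e.g. usr.sbin/bgpd (empty for kernel).
patch_rebuild_dir() {
    patch_header "$1" | awk '$1 == "cd" && $2 !~ /^\// { print $2; exit }'
}

# One line per distinct rebuild target, in patch order.
build_plan() {
    for p in "$@"; do
        [ "$(patch_kind "$p")" = kernel ] && echo kernel || patch_rebuild_dir "$p"
    done | awk 'NF && !seen[$0]++'
}

# Constructed sample: header text as shown above, placeholder diff body.
sample() {  # sample DIR NAME INSTRUCTIONS
    {
        printf 'Apply by doing:\n        cd /usr/src\n'
        printf '        patch -p0 < %s\n\n%s\n\n' "$2" "$3"
        printf 'Index: placeholder/file.c\n        cd decoy/in/diff\n'
    } > "$1/$2"
}
make_samples() {
    k='Then build and install a new kernel.'
    sample "$1" 001_ndp.patch "$k"
    sample "$1" 003_tcpinput.patch "$k"
    sample "$1" 009_bgpd.patch 'And then rebuild and install bgpd:
        cd usr.sbin/bgpd'
    sample "$1" 010_bgpd.patch 'And then rebuild and install bgpd:
        cd usr.sbin/bgpd'
    sample "$1" 011_sudo.patch 'And then rebuild and install sudo:
        cd usr.bin/sudo'
}

# With arguments: plan for those files. Without: plan for the samples.
if [ "$#" -gt 0 ]; then build_plan "$@"; else
    d=$(mktemp -d) && make_samples "$d" && build_plan "$d"/*.patch; rm -rf "$d"
fi
```

Several kernel patches collapse into a single kernel build, and 009 and 010 into a single bgpd build. The plan does not replace reading each header, because special instructions such as the `apachectl stop` step in 004 are not captured.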

All patches are applied in one go:

# cd /usr/src
# patch -p0 < /home/openbsd/001*
# patch -p0 < /home/openbsd/002*
# patch -p0 < /home/openbsd/003*
# patch -p0 < /home/openbsd/004*
# patch -p0 < /home/openbsd/005*
# patch -p0 < /home/openbsd/006*
# patch -p0 < /home/openbsd/007*
# patch -p0 < /home/openbsd/008*
# patch -p0 < /home/openbsd/009*
# patch -p0 < /home/openbsd/010*
# patch -p0 < /home/openbsd/011*

A new kernel is made and installed:

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
Don't forget to run "make depend"
# cd ../compile/GENERIC
# make clean && make depend && make
...
# make install
rm -f /obsd
ln /bsd /obsd
cp bsd /nbsd
mv /nbsd /bsd

Some OS components and userland programs are recompiled:

# cd /usr/src/usr.sbin/httpd
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper cleandir
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install

# cd /usr/src/usr.sbin/dhcpd
# make
# make install

# cd /usr/src/lib/libssl
# make
# make install

# cd /usr/src/usr.sbin/bind
# make -f Makefile.bsd-wrapper 
# make -f Makefile.bsd-wrapper install

# cd /usr/src/usr.sbin/bgpd
# make depend
# make
# make install

# cd /usr/src/usr.bin/sudo
# make depend
# make
# make install

Finally the system is restarted to load the new kernel:

# reboot