topic Re: Corrupt security catalog in Operating System - HP-UX

Corrupt security catalog

Anders Blomkvist — Thu, 14 Nov 2002 09:26:56 GMT

I am trying to use the security patch check utility and I manually download the security catalog from ftp.itrc.hp.com before running the tool with the -c option. But every time the tool complains about corrupt catalog:
Corrupt catalog. Invalid format version at line 3.

Line 3 in the catalog looks like this:
0.91 # catalog format version

What is wrong? My SPC version is B.01.01

Re: Corrupt security catalog

Alex Glennie — Thu, 14 Nov 2002 10:13:33 GMT

I think you may have some form of corruption, try downloading the patch catalog again from :

ftp://ftp.itrc.hp.com/export/patches/

I've just tried and it works for me or post if you can, your copy of security_catalog ...what it's size ?

Re: Corrupt security catalog

Stefan Farrelly — Thu, 14 Nov 2002 10:26:22 GMT

Ive just run SPC and it downloaded the latest catalog and worked fine. Size of the security_catalog was 1064202.

Re: Corrupt security catalog

Anders Blomkvist — Thu, 14 Nov 2002 11:58:59 GMT

My size is 1064202 bytes, just like yours. I've tried to download this file numerous times using both binary and ascii transfer without success. I've downloaded the gzipped version as well as the unzipped one, I've downloaded it from a HP-UX system and from a Windows system and then transferred it to the HP-UX machine. No luck. I'm starting to think that Im missing some patch required for this tool to run.

Re: Corrupt security catalog

Anders Blomkvist — Thu, 14 Nov 2002 12:07:26 GMT

I do get the following warnings when running spc:
Use of uninitialized value in split at /opt/sec_mgmt/spc/bin/security_patch_check.pl line 482, chunk 1.
Use of uninitialized value in pattern match (m//) at /opt/sec_mgmt/spc/bin/security_patch_check.pl line 488, chunk 1.
Use of uninitialized value in numeric gt (>) at /opt/sec_mgmt/spc/bin/security_patch_check.pl line 488, chunk 1.
Use of uninitialized value in split at /opt/sec_mgmt/spc/bin/security_patch_check.pl line 493, chunk 1.
Use of uninitialized value in pattern match (m//) at /opt/sec_mgmt/spc/bin/security_patch_check.pl line 499, chunk 1.

Could this be related? I found a similar case in the SPC FAQ/releasenote and there it was patch related.

Re: Corrupt security catalog

Darrell Allen — Thu, 14 Nov 2002 13:48:20 GMT

Have you tried running security_patch_check with the "-r" option so that it will do the retrieval itself?

Darrell

Re: Corrupt security catalog

Alex Glennie — Thu, 14 Nov 2002 14:09:10 GMT

Note the error relates to the file security_patch_check.pl , what size is yours mine = 59741 .... I'm pretty certain this is available on the ftp site to .... just a thought ......

Re: Corrupt security catalog

Stefan Farrelly — Thu, 14 Nov 2002 14:15:36 GMT

I think SPC requires a certain version of perl. Were using 5.6.1.E - make sure in your path it is searching for this perl binary not another one as HP-UX often comes with perl (older version) in /usr/contrib/bin which is not the one you want (you want the one in /opt/perl/bin)

Re: Corrupt security catalog

Anders Blomkvist — Thu, 14 Nov 2002 14:21:23 GMT

Yes I've tried to run it with the -r option but that doesn't work because of our firewall.
The size of the .pl file is correct - the same as yours and yes,
I have made sure that the perl version found is the latest (5.6.1). I will try to install SPC on another system to check how it behaves there.

Re: Corrupt security catalog

Keith Buck — Thu, 14 Nov 2002 17:44:36 GMT

Anders,

Yes, those warnings are related to the problem. Some things to try to debug:

1. as you suggested, try running on a different machine. You can also try using the -h option to analyze this machine from the remote machine (if you get it running on the other one)

2. swlist | grep -i perl
to see exactly which version of Perl is installed. SPC should only require 5.00503, but it's only been tested with the official versions from software.hp.com.

3. line 479 of security_patch_check.pl reads
my $read_input = ;

insert another line right after that like so:

print "$read_input\n";

It appears that the data is not being properly read in from the catalog. If you can also post the first 4 lines of your catalog, that would be helpful.

4. In case you have multiple versions of perl, you can try

/opt/perl/bin/perl -wT /opt/sec_mgmt/spc/bin/security_patch_chec.pl

directly.

I have seen a problem somewhat similar to this, but it magically went away one day and we never found the cause. In that case, running once with -r and then again with -c seemed to workaround the problem.

Let us know how it goes. Thanks

-Keith

Re: Corrupt security catalog

Keith Buck — Thu, 14 Nov 2002 17:50:49 GMT

Also, as far as your firewall is concerned, security patch check has a few ways to get through firewalls.

If you set

export PASSIVE_FTP=1

then it will get through most stateful firewalls that allow outgoing traffic.

If you have a web proxy, you can set

export ftp_proxy=http://myproxy.corp.com:8088

and possibly (untested, as I don't have access to such a firewall):

export ftp_proxy=http://username:password@myproxy.corp.com:8088

If none of these work, then how did you get the catalog on the PC? (separate network?)

-Keith

Re: Corrupt security catalog

Anders Blomkvist — Fri, 15 Nov 2002 09:11:53 GMT

Solved it. SPC does not like using the -c parameter to use a catalog in another directory than the current one. My original command was:
/opt/sec_mgmt/spc/bin/security_patch_check -c /var/opt/sec_mgmt/spc

This fails. When I copied the catalog from /var/opt/sec_mgmt/spc to /opt/sec_mgmt/spc/bin and ran the tool it worked. I then made a softlink from the catalog under /var/opt.. to /opt/sec_mgmt/spc/bin/security_catalog and this works as well.

Re: Corrupt security catalog

Keith Buck — Fri, 15 Nov 2002 16:29:32 GMT

Ahh...now I see the problem. There are two minor bugs in Security Patch Check (thanks for finding them), but they're not what you think.

The -c option is meant to take the filename. If you specify a directory (like /var/opt/sec_mgmt/spc), you get the errors about a corrupt catalog. (the catalog is supposed to be a file...a directory looks like a corrupt catalog.)

So, Security Patch Check ought to:

1. Complain about an error before line 3.

2. check to make sure that the security catalog is a file before trying to read it.

Thanks! I'll go fix that...