Do a search and you'll find very little official comprehensive tutorial-type documentation on how to apply one or more patches to OpenBSD. The information is spread among different manual pages and such.
As described in Security updates FAQ:
While applying fixes from the errata page typically requires less time than a CVS checkout/update and rebuild, there is no universal set of instructions to follow. Sometimes you must patch and recompile one application, sometimes more.
Here's how I patched an OpenBSD 6.3 system running on Cubox i4-pro with 32GB MicroSD card in July of 2018.
Allow non-root user to use CVS
It's not a good idea to use root to work with CVS. Add your user to the wsrc group.
# user mod -G wsrc 'YOUR_USER_NAME'
Create directories for ports and xenocara.
# cd /usr # mkdir -p xenocara ports # chgrp wsrc xenocara ports # chmod 775 xenocara ports
Logout and log back in to make effective your group membership.
Make sure /etc/installurl is configured.
$ more /etc/installurl http://cloudflare.cdn.openbsd.org/pub/OpenBSD
$ su - # pkg_add curl
Download and unpack source code
$ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/ports.tar.gz $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/src.tar.gz $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/sys.tar.gz $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/xenocara.tar.gz $ tar xzf src.tar.gz -C /usr/src $ tar xzf sys.tar.gz -C /usr/src $ tar xzf ports.tar.gz -C /usr $ tar xzf xenocara.tar.gz -C /usr/xenocara
Download and unpack errata (patches)
Patches are available from the release's errata page. For example, for 6.3, the latest release when this guide was written, the errata is available from https://www.openbsd.org/errata63.html.
The patches are in individual files or a single tarball that contains all patches. I chose to download and unpack the single tarball.
$ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/patches/6.3.tar.gz $ tar xzf 6.3.tar.gz
Follow the instructions of each individual patch on how to apply it. For example, for release 6.3, the first patch was 001_perl.patch.sig.
$ head -n 19 6.3/common/001_perl.patch.sig untrusted comment: signature from openbsd 6.3 base secret key RWRxzbLwAd76ZTObQY7HOmQ+VKZdvmQb1cF7qN9gqYqmrbzeLyZtd+NLMdegPgXay3/j5cn2wu4CfSvXPHNkdUzth/2N9E6IIgM= OpenBSD 6.3 errata 001, April 14, 2018: Heap overflows exist in perl which can lead to segmentation faults, crashes, and reading memory past the buffer. Embargoed by perl for 53 days. Apply by doing: signify -Vep /etc/signify/openbsd-63-base.pub -x 001_perl.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install perl: cd /usr/src/gnu/usr.bin/perl/ make -f Makefile.bsd-wrapper obj make -f Makefile.bsd-wrapper depend make -f Makefile.bsd-wrapper make -f Makefile.bsd-wrapper install
Let's follow these instructions.
$ cd 6.3/common/ $ signify -Vep /etc/signify/openbsd-63-base.pub -x 001_perl.patch.sig -m - | (cd /usr/src && patch -p0) $ su - # cd /usr/src/gnu/usr.bin/perl/ # make -f Makefile.bsd-wrapper obj # make -f Makefile.bsd-wrapper depend # make -f Makefile.bsd-wrapper # make -f Makefile.bsd-wrapper install
I found that I had to build and install as the root user. I'm still not sure if this is expected or I'm doing something wrong.
Once I have applied all patches, I keep track of new patches by subscribing to the announce@ openbsd.org mailing list or by periodically browsing to the errata page for the release as described above.