Apply Patch to OpenBSD

Do a search and you'll find very little official comprehensive tutorial-type documentation on how to apply one or more patches to OpenBSD. The information is spread among different manual pages and such.

As described in Security updates FAQ:

While applying fixes from the errata page typically requires less time
than a CVS checkout/update and rebuild, there is no universal set of
instructions to follow. Sometimes you must patch and recompile one
application, sometimes more.

Here's how I patched an OpenBSD 6.3 system running on Cubox i4-pro with 32GB MicroSD card in July of 2018.

Allow non-root user to use CVS

It's not a good idea to use root to work with CVS. Add your user to the wsrc group.

# user mod -G wsrc 'YOUR_USER_NAME'

Create directories for ports and xenocara.

# cd /usr
# mkdir -p xenocara ports
# chgrp wsrc xenocara ports
# chmod 775 xenocara ports

Logout and log back in to make effective your group membership.

Source: https://www.openbsd.org/faq/faq5.html#wsrc

Install packages

Make sure /etc/installurl is configured.

$ more /etc/installurl
http://cloudflare.cdn.openbsd.org/pub/OpenBSD

Install packages.

$ su -
# pkg_add curl

Download and unpack source code

$ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/ports.tar.gz
$ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/src.tar.gz
$ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/sys.tar.gz
$ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/xenocara.tar.gz
$ tar xzf src.tar.gz -C /usr/src
$ tar xzf sys.tar.gz -C /usr/src
$ tar xzf ports.tar.gz -C /usr
$ tar xzf xenocara.tar.gz -C /usr/xenocara

Source: https://www.openbsd.org/anoncvs.html#starting

Download and unpack errata (patches)

Patches are available from the release's errata page. For example, for 6.3, the latest release when this guide was written, the errata is available from https://www.openbsd.org/errata63.html.

The patches are in individual files or a single tarball that contains all patches. I chose to download and unpack the single tarball.

$ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/patches/6.3.tar.gz
$ tar xzf 6.3.tar.gz

Apply patches

Follow the instructions of each individual patch on how to apply it. For example, for release 6.3, the first patch was 001_perl.patch.sig.

$ head -n 19 6.3/common/001_perl.patch.sig
untrusted comment: signature from openbsd 6.3 base secret key
RWRxzbLwAd76ZTObQY7HOmQ+VKZdvmQb1cF7qN9gqYqmrbzeLyZtd+NLMdegPgXay3/j5cn2wu4CfSvXPHNkdUzth/2N9E6IIgM=

OpenBSD 6.3 errata 001, April 14, 2018:

Heap overflows exist in perl which can lead to segmentation faults,
crashes, and reading memory past the buffer. Embargoed by perl for 53 days.

Apply by doing:
    signify -Vep /etc/signify/openbsd-63-base.pub -x 001_perl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install perl:
    cd /usr/src/gnu/usr.bin/perl/
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper depend
    make -f Makefile.bsd-wrapper
    make -f Makefile.bsd-wrapper install

Let's follow these instructions.

$ cd 6.3/common/
$ signify -Vep /etc/signify/openbsd-63-base.pub -x 001_perl.patch.sig -m - | (cd /usr/src && patch -p0)
$ su -
# cd /usr/src/gnu/usr.bin/perl/
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install

I found that I had to build and install as the root user. I'm still not sure if this is expected or I'm doing something wrong.

Once I have applied all patches, I keep track of new patches by subscribing to the announce@ openbsd.org mailing list or by periodically browsing to the errata page for the release as described above.