Subject: pkg/17368: security/audit-packages: several minor annoyances in the download-vulnerability-list script
To: None <gnats-bugs@gnats.netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 06/23/2002 15:52:25
>Number:         17368
>Category:       pkg
>Synopsis:       security/audit-packages: several minor annoyances in the download-vulnerability-list script
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 23 12:53:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Greg A. Woods
>Release:        audit-packages-1.13
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:
System: NetBSD 1.5W
>Description:

	There are several minor annoyances in the
	download-vulnerability-list script from
	security/audit-packages.

	The 'ftp' command (the NetBSD variant), as used by the script,
	generates unnecessary output about what addresses it's trying,
	and on an INET6 machine with no ipv6 visibility to the Internet
	it's even more noisy.  Oddly, the real error message related to
	the ipv6 attempt isn't shown though.

	This output should be hidden (though of course any real error
	messages generated by 'ftp' should be reported).  Unfortunately
	there doesn't seem to currently be a way to make ftp completely
	quiet (-V doesn't work).

	The downloaded file is left unreadable by anyone but whoever
	runs the script (root in my case, as I run it from /etc/security).
	This file should be left in mode 0444 or maybe 0644 (and of
	course be owned by the user running the script).



>How-To-Repeat:

	Here's a trimmed example of the extra output it causes...

	[ On Sunday, June 23, 2002 at 06:54:38 (-0400), Proven Weird Charlie Root wrote: ]
	> Subject: proven daily insecurity output for Sun Jun 23 03:30:00 EDT 2002
	>
	> 
	> Trying 3ffe:8050:201:1860:2a0:c9ff:feed:b7ea...
	> Trying 204.152.184.75...
	
	Note that a manual run of the same ftp command will also print:

	ftp: connect to address 3ffe:8050:201:1860:2a0:c9ff:feed:b7ea: No route to host

	before the second "Trying" line.

	Also note:

	$ ls -l /usr/pkgsrc/distfiles/vulnerabilities
	-rw-------  1 root  wheel  14364 Jun 21 08:00 /usr/pkgsrc/distfiles/vulnevulnerabilities

>Fix:

	The first problem will need some "smart" filtering of ftp's
	output, or a fix to the 'ftp' command itself (though presumably
	this script is expected to work on multiple platforms so
	depending on some NetBSD-specific feature is not desirable).

	The latter problem is easily fixed with a 'chmod 444' after a
	successful download and replacement of any old file.
>Release-Note:
>Audit-Trail:
>Unformatted:
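The two fixes proposed under ">Fix:" above, written out as an added example (not the audit-packages script itself, nor code from the PR's author): ftp's "Trying <addr>..." chatter is filtered out while real errors such as "No route to host" are still reported, and the new list is installed as mode 0444 only after a successful download. VULN_URL is a placeholder, and the optional second argument (any command that writes "$1" from URL "$2") is an assumption added so the function can be exercised without network access.

```shell
#!/bin/sh
# Added example, not the audit-packages script: fetch the vulnerability
# list, hide ftp's address-probing chatter but keep its real errors, and
# replace the old file with a mode 0444 copy only when the download worked.

VULN_URL=${VULN_URL:-"ftp://EXAMPLE-HOST/path/to/vulnerabilities"}   # placeholder URL

# Drop only the "Trying <addr>..." progress lines; everything else
# (e.g. "ftp: connect to address ...: No route to host") is passed on.
filter_ftp_noise() {
    grep -v '^Trying .*\.\.\.$' || :   # grep exits 1 if every line was noise
}

# fetch_vulnerabilities DEST [FETCHCMD]
#   FETCHCMD must write the download to "$1" from URL "$2"; defaults to ftp.
fetch_vulnerabilities() {
    dest=$1
    fetchcmd=${2:-"ftp -o"}
    tmp="$dest.tmp.$$"      # same directory as $dest so the final mv is a rename
    log="$dest.log.$$"
    rc=0
    # all of ftp's chatter (stdout and stderr) is captured in $log
    $fetchcmd "$tmp" "$VULN_URL" >"$log" 2>&1 || rc=$?
    filter_ftp_noise <"$log" >&2
    rm -f "$log"
    if [ "$rc" -ne 0 ] || [ ! -s "$tmp" ]; then
        rm -f "$tmp"        # failed: leave any previous list untouched
        return 1
    fi
    # world-readable, owned by the caller, and swapped in atomically
    chmod 444 "$tmp" && mv -f "$tmp" "$dest"
}
```

A daily-security job would call `fetch_vulnerabilities /usr/pkgsrc/distfiles/vulnerabilities` and only the filtered errors, if any, end up in the report mail.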