Subject: pkg/21572: pkgsrc gives bogus assurances of security
To: None <>
From: None <kre@munnari.OZ.AU>
List: netbsd-bugs
Date: 05/14/2003 18:11:03
>Number:         21572
>Category:       pkg
>Synopsis:       pkgsrc gives bogus assurances of security
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 14 11:14:00 UTC 2003
>Originator:     Robert Elz
>Release:        NetBSD 1.6S - pkgsrc of 2003-05-14
	Prince of Songkla University
System: NetBSD 1.6L NetBSD 1.6L (DELTA) #29: Fri Jan 10 11:40:50 ICT 2003 i386
	(the system send-pr is being run on, not otherwise relevant)
Architecture: i386
Machine: i386
	Every time a new package is being installed using pkgsrc
	the message
		===> Checking for vulnerabilities in <whatever>
	is printed (unless ALLOW_VULNERABLE_PACKAGES is defined of course).

	That suggests that pkgsrc is actually checking for vulnerabilities,
	and if it goes on, without further complaint, then the package being
	installed has no known vulnerabilities.

	That's not necessarily true - the check only gets made if
	${PKGVULNDIR}/vulnerabilities exists.   If it doesn't, then
	pkgsrc claims it is checking for vulnerabilities, but doesn't,
	giving a false sense of security.

	Be on a system with no vulnerabilities data, install any
	random pkgsrc package, and watch.

	The "right" way would probably be to move the
   ${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"
	to inside the check-vulnerable target, after the test for the
	vulnerability data existing has been made.   But that would
	totally screw up the way that output redirections are being used.

	The "easy" way is to test that the vulnerability data file exists
	before doing the "echo" (perhaps moving it from check-vulnerable
	to do-fetch rather than doing it twice, though that would be a risk
	should anyone ever want to use check-vulnerable from elsewhere).