Subject: pkg/23899: security/audit-packages doesn't support "env" fetch command
List: netbsd-bugs
Date: 12/27/2003 08:45:29
>Number:         23899
>Category:       pkg
>Synopsis:       security/audit-packages doesn't support "env" fetch command
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 27 08:47:00 UTC 2003
>Originator:     David Sainty
>Release:        NetBSD 1.6K/pkgsrc-today
Dynamic Technology Services and Products Ltd (NZ)
System: NetBSD 1.6K NetBSD 1.6K (TEQUILA-$Revision: 1.41 $) #1: Tue Dec 31 19:46:39 NZDT 2002 i386
Architecture: i386
Machine: i386
	The "download-vulnerability-list" command from security/audit-packages
	attempts to parse FETCH_CMD, typically set in /etc/mk.conf.  It
	handles a limited set of known commands (curl, ftp, wget), and fails
	on unknown commands.

	If FETCH_CMD sets environment variables before running the given
	command, download-vulnerability-list will fail.

	echo 'FETCH_CMD=env http_proxy="http://proxy/" ftp_proxy="http://proxy/" ftp' >> /etc/mk.conf
	cd pkgsrc/security/audit-packages; make install


The patch below will recognise and handle FETCH_CMD values of this format, and
shouldn't break in any cases that the existing code wouldn't break :)

The patch is in keeping with the existing method of analysing the command.
Possibly a preferable approach is to change the usage of FETCH_CMD so we don't
need to parse it at all...

--- security/audit-packages/files/download-vulnerability-list.orig	Sat Dec  6 20:40:47 2003
+++ security/audit-packages/files/download-vulnerability-list	Sat Dec 27 21:13:02 2003
@@ -50,7 +50,21 @@
-utility=`echo "@FETCH_CMD@" | @AWK@ '{ print $1 }'`
+# Skip the "env" command or anything containing an "=", which are either
+# parameters to "env", or environment variables to be set directly by the
+# shell.
+unset utility
+for utility in $fetchcmd; do
+  case "$utility" in
+  */env|env) ;;
+  *=*) ;;
+  *) break;;
+  esac
 case "$utility" in
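Review bot: `$fetchcmd` in `for utility in $fetchcmd` is never assigned in the visible lines, while the removed line read the command straight from `@FETCH_CMD@`; unless an unshown part of the hunk sets `fetchcmd="@FETCH_CMD@"`, the loop iterates over nothing and the following `case "$utility"` runs with `utility` unset. Also, the `*=*` pattern only covers `VAR=value` words: an `env` option such as `-i` or `-u NAME` (and the NAME operand) would not match and would be taken as the utility, landing in the unknown-command branch the PR is trying to avoid; skipping `-*` words (and the operand of `-u`) would close that gap. The `unset utility` before the loop is harmless but redundant, since `for` assigns it on the first iteration.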
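The same word-skipping idea as the patch above, written as an added, stand-alone example (not the PR's or pkgsrc's own code) that also skips `env` options such as `-i` and `-u NAME`, so a FETCH_CMD like the proxy example in the PR resolves to the real utility; the function and variable names are assumed.

```shell
#!/bin/sh
# Added example: find the fetch utility in a FETCH_CMD string by skipping the
# "env" wrapper, VAR=value assignments and env options (assumed: POSIX "env -i"
# and the common "env -u NAME"). Prints the utility's basename; returns 1 if
# no utility word is left.
fetch_utility() (
    set -f                       # no pathname expansion while splitting words
    _skip_next=0
    _found=""
    for _word in $1; do
        if [ "$_skip_next" -eq 1 ]; then
            _skip_next=0
            continue             # NAME operand of "env -u"
        fi
        case "$_word" in
        env|*/env) ;;            # the env wrapper itself
        *=*) ;;                  # VAR=value, for env or for the shell
        -u) _skip_next=1 ;;      # env option that takes an operand
        -*) ;;                   # any other env flag, e.g. -i
        *) _found=$_word; break ;;
        esac
    done
    [ -n "$_found" ] || return 1
    printf '%s\n' "${_found##*/}"
)

# Classify the way download-vulnerability-list does: a known fetcher or "unknown".
fetch_kind() {
    case "$(fetch_utility "$1")" in
    curl) echo curl ;;
    ftp)  echo ftp ;;
    wget) echo wget ;;
    *)    echo unknown ;;
    esac
}

# Constructed sample values for a quick run:
fetch_kind 'env http_proxy="http://proxy/" ftp_proxy="http://proxy/" ftp'
fetch_kind '/usr/bin/env -i -u FTP_PASSIVE_MODE http_proxy=x /usr/pkg/bin/wget -q'
fetch_kind 'http_proxy=x'
```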