Subject: pkg/23899: security/audit-packages doesn't support "env" fetch command
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dave@dtsp.co.nz>
List: netbsd-bugs
Date: 12/27/2003 08:45:29
>Number:         23899
>Category:       pkg
>Synopsis:       security/audit-packages doesn't support "env" fetch command
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 27 08:47:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     David Sainty
>Release:        NetBSD 1.6K/pkgsrc-today
>Organization:
Dynamic Technology Services and Products Ltd (NZ)
>Environment:
System: NetBSD tequila.dave.dtsp.co.nz 1.6K NetBSD 1.6K (TEQUILA-$Revision: 1.41 $) #1: Tue Dec 31 19:46:39 NZDT 2002 dave@tequila.dave.dtsp.co.nz:/vol/tequila/userD/NetBSD-current/src/sys/arch/i386/compile/TEQUILA i386
Architecture: i386
Machine: i386
>Description:
	The "download-vulnerability-list" command from security/audit-packages
	attempts to parse FETCH_CMD, typically set in /etc/mk.conf.  It
	handles a limited set of known commands (curl, ftp, wget), and fails
	on unknown commands.

	If FETCH_CMD sets environment variables before running the given
	command, download-vulnerability-list will fail.

>How-To-Repeat:
	echo 'FETCH_CMD=env http_proxy="http://proxy/" ftp_proxy="http://proxy/" ftp' >> /etc/mk.conf
	cd pkgsrc/security/audit-packages; make install
	download-vulnerability-list

>Fix:

The patch below will recognise and handle FETCH_CMD values of this format, and
shouldn't break in any cases that the existing code wouldn't break :)

The patch is in keeping with the existing method of analysing the command.
Possibly a preferable approach is to change the usage of FETCH_CMD so we don't
need to parse it at all...

--- security/audit-packages/files/download-vulnerability-list.orig	Sat Dec  6 20:40:47 2003
+++ security/audit-packages/files/download-vulnerability-list	Sat Dec 27 21:13:02 2003
@@ -50,7 +50,21 @@
 fi
 
 cd ${PKGVULNDIR}
-utility=`echo "@FETCH_CMD@" | @AWK@ '{ print $1 }'`
+
+fetchcmd="@FETCH_CMD@"
+
+# Skip the "env" command or anything containing an "=", which are either
+# parameters to "env", or environment variables to be set directly by the
+# shell.
+unset utility
+for utility in $fetchcmd; do
+  case "$utility" in
+  */env|env) ;;
+  *=*) ;;
+  *) break;;
+  esac
+done
+
 case "$utility" in
 *curl)	@FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
 *ftp)	@FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
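Review bot: the loop only skips "env" itself and VAR=value words, so a FETCH_CMD that passes options to env (for example `env -i ftp` or `env -u http_proxy ftp`) selects `-i` or `-u` as the utility and falls through to the unknown-command branch in the case below; adding a `-u) ` arm that skips the following word and a `-*) ;;` arm for other env options would cover that. Also, `unset utility` has no effect after the loop when every word is consumed without reaching `break`: `utility` is then left holding the last VAR=value word rather than being empty, which makes the error message for an unusable FETCH_CMD misleading; tracking a found flag, or clearing `utility` when the loop exits without `break`, keeps the later case statement honest.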
>Release-Note:
>Audit-Trail:
>Unformatted:
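As an added illustration of the FETCH_CMD parsing the Description above refers to (example code written here, not the PR's patch or the audit-packages script): the function names fetch_utility and fetch_kind are this example's own, and it goes one step beyond the patch by also skipping env's own options (-i, and -u NAME) before deciding which word is the fetch program.

```shell
#!/bin/sh
# fetch_utility STRING
#   Print the program that the FETCH_CMD value in STRING would ultimately run,
#   skipping a leading "env" (or /usr/bin/env), env's options, and any
#   VAR=value assignments meant for env or for the shell.  Returns 1 when no
#   program name is left over (e.g. FETCH_CMD="env" on its own).
fetch_utility() {
    skip_next=no
    for word in $1; do
        if [ "$skip_next" = yes ]; then
            skip_next=no              # NAME argument of "env -u NAME"
            continue
        fi
        case "$word" in
        env|*/env) ;;                 # the env wrapper itself
        *=*)       ;;                 # VAR=value assignment
        -u)        skip_next=yes ;;   # env -u NAME: NAME is not the utility
        -*)        ;;                 # other env options such as -i
        *)         printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
}

# fetch_kind STRING
#   Classify the utility the way download-vulnerability-list does: only the
#   fetchers it knows how to drive are accepted, anything else is "unknown".
fetch_kind() {
    util=$(fetch_utility "$1") || { echo unknown; return 1; }
    case "$util" in
    *curl) echo curl ;;
    *ftp)  echo ftp ;;
    *wget) echo wget ;;
    *)     echo unknown; return 1 ;;
    esac
}

# Constructed sample values, including the one from How-To-Repeat above.
fetch_kind 'env http_proxy=http://proxy/ ftp_proxy=http://proxy/ ftp'
fetch_kind '/usr/bin/env -i LANG=C /usr/pkg/bin/wget'
fetch_kind 'env -u http_proxy curl'
```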