Subject: pkg/30246: download-vulnerability-list doesn't use FETCH_CMD
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <reed@reedmedia.net>
List: pkgsrc-bugs
Date: 05/16/2005 17:57:00
>Number: 30246
>Category: pkg
>Synopsis: download-vulnerability-list doesn't use FETCH_CMD
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon May 16 17:57:00 +0000 2005
>Originator: reed@reedmedia.net
>Release: NetBSD 1.6.2_STABLE
>Organization:
http://bsd.reedmedia.net/
>Environment:
System: NetBSD rainier.reedmedia.net 1.6.2_STABLE NetBSD 1.6.2_STABLE (MYKERNEL) #1: Tue Jun 1 12:16:43 PDT 2004 reed@rainier.reedmedia.net:/usr/src/sys/arch/i386/compile/MYKERNEL i386
Architecture: i386
Machine: i386
>Description:
I noticed that the code for figuring out the fetch command and that
complaint of unknown fetch command probably should be done at pkgsrc
build time of the package and not needed in the end result script.
I was then told that the FETCH_CMD can be used to allow people
to use their own utility.
But it doesn't work that way.
Have a look at template:
utility=`echo "@FETCH_CMD@" | @AWK@ '{ print $1 }'`
case "$utility" in
*curl) @FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
*ftp) @FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
*wget) @FETCH_CMD@ ${FETCH_ARGS} -O ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
*fetch) @FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
And the end resulting script:
utility=`echo "/usr/bin/ftp" | /usr/bin/awk '{ print $1 }'`
case "$utility" in
*curl) /usr/bin/ftp ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
*ftp) /usr/bin/ftp ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
*wget) /usr/bin/ftp ${FETCH_ARGS} -O ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
*fetch) /usr/bin/ftp ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;;
The utility is hard-coded once you install as shown above.
Notice that curl, wget, fetch would never match in examples (using default
ftp) as this was implemented.
>How-To-Repeat:
Install audit-packages and look at the code for the installed
download-vulnerability-list.
Notice how it has tests for the fetch command that are
never used.
>Fix:
I haven't tested my change
s/@FETCH_CMD@/${FETCH_COMMAND}/
And then earlier set:
: ${FETCH_CMD=@FETCH_CMD@}
>Unformatted:
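As an added illustration of the bug and the proposed fix (this is example code, not the PR's own patch nor pkgsrc's download-vulnerability-list): a small POSIX sh model of the script's dispatch. The installed script bakes the build-time @FETCH_CMD@ into every case branch, so a user's curl or wget can never be selected; this version reads FETCH_CMD at run time and only falls back to a constructed build-time default (standing in for @FETCH_CMD@), using the `: ${FETCH_CMD=...}` idiom from the Fix section. The function names, the default path and the sample URL are assumptions made for the example.

```shell
# Added example, not pkgsrc's script. Constructed stand-in for the value
# pkgsrc would substitute for @FETCH_CMD@ at build time.
BUILD_TIME_FETCH_CMD="/usr/bin/ftp"

# Honour a FETCH_CMD supplied in the environment; otherwise use the
# build-time default. This is the ': ${FETCH_CMD=@FETCH_CMD@}' idiom from
# the PR, so the value is decided when the script runs, not when it is built.
: "${FETCH_CMD=$BUILD_TIME_FETCH_CMD}"

# Print (do not execute) the command line that would fetch $3 into $2 with
# the fetch program $1. The output flag differs per utility: wget wants -O,
# the others -o. Returns 1 and complains on stderr for an unknown utility.
build_fetch_cmdline() {
    fetch_cmd=$1   # e.g. "/usr/pkg/bin/wget -q"
    out=$2         # destination file (NEW_VUL_LIST in the real script)
    src=$3         # URL (VUL_SOURCE in the real script)
    # Same trick as the template: the program is the first word of the command.
    utility=$(echo "$fetch_cmd" | awk '{ print $1 }')
    case "$utility" in
        *curl)  echo "$fetch_cmd -o $out $src" ;;
        *ftp)   echo "$fetch_cmd -o $out $src" ;;
        *wget)  echo "$fetch_cmd -O $out $src" ;;
        *fetch) echo "$fetch_cmd -o $out $src" ;;
        *)      echo "unknown fetch command: $utility" >&2; return 1 ;;
    esac
}

# Command line for fetching the vulnerability list using the run-time
# FETCH_CMD (and optional FETCH_ARGS), which is what the PR asks for.
vul_list_cmdline() {
    build_fetch_cmdline "$FETCH_CMD${FETCH_ARGS:+ $FETCH_ARGS}" "$1" "$2"
}

# Stand-alone demonstration: default, then a user-supplied wget.
vul_list_cmdline /tmp/pkg-vulnerabilities.new ftp://example.invalid/vul
FETCH_CMD="/usr/pkg/bin/wget -q" vul_list_cmdline /tmp/pkg-vulnerabilities.new ftp://example.invalid/vul
```

With the hard-coded form shown in the PR, `utility` is always the build-time path, so the first run above is the only branch that can ever be taken; with FETCH_CMD read at run time the second run correctly picks wget's `-O`.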