Subject: pkg/35024: audit-packages(8) enhancement
List: pkgsrc-bugs
Date: 11/09/2006 17:15:00
>Number:         35024
>Category:       pkg
>Synopsis:       audit-packages(8) enhancement
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 09 17:15:00 +0000 2006
>Originator:     Jukka Salmi
>Release:        pkgsrc HEAD
When using audit-packages' -p option the specified package name is
required to include the full version number. E.g. running
`audit-packages -p php' does not output any vulnerabilities even
though a vulnerable PHP package is installed; however, explicitly
specifying the php package's version number makes this work:

$ audit-packages -p php-4.4.4nb3
Package php-4.4.4nb3 has a [...]

It would be nice if it wouldn't be required to specify the package's
version number. IMHO this would be also more consistent with pkg_info(1).
see above
Index: files/audit-packages
RCS file: /cvsroot/pkgsrc/security/audit-packages/files/audit-packages,v
retrieving revision 1.28
diff -u -p -r1.28 audit-packages
--- files/audit-packages	5 Oct 2006 14:26:42 -0000	1.28
+++ files/audit-packages	9 Nov 2006 16:51:52 -0000
@@ -197,8 +197,9 @@ while read pat type url; do
 		vulnpkgs=`@PKG_TOOLS_BIN@/pkg_info -e "$pat"`
-		if `@PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_package"` ; then
-			vulnpkgs=$one_package
+		one_pkg=`@PKG_TOOLS_BIN@/pkg_info -e "$one_package"`
+		if `@PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_pkg"` ; then
+			vulnpkgs=$one_pkg
 	for pkg in $vulnpkgs ; do
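
Review bot: the added `one_pkg=` assignment passes the output of `pkg_info -e "$one_package"` straight to `pkg_admin pmatch` and into `vulnpkgs` without checking that it is non-empty. `pkg_info -e` only reports installed packages, so a `-p` argument naming a package that is not installed leaves `one_pkg` empty, whereas the removed lines matched `$one_package` against `$pat` whether or not it was installed; falling back to `$one_package` when `one_pkg` is empty would keep that case working. The lookup does not depend on `$pat`, so it can be done once before the `while read pat type url` loop rather than on every line of the vulnerability list. The audit-packages(8) man page should also say that `-p` accepts a package name without a version.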