Subject: pkg/36662: pkgtools/pkg_install's audit_packages appears to be platform-specific
To: None <email@example.com, firstname.lastname@example.org,>
From: None <email@example.com>
Date: 07/17/2007 15:25:00
>Synopsis: pkgtools/pkg_install's audit_packages appears to be platform-specific
>Arrival-Date: Tue Jul 17 15:25:00 +0000 2007
>Originator: Stuart Shelton
IRIX64 octane 6.5 07202013 IP30
I've spotted two problems with pkgtools/pkg_install-20070715:
'#include <err.h>' is no good on platforms which lack err.h
Correcting this to '#include <nbcompat/err.h>' works.
't_pvfile = pvstat.st_ctimespec.tv_sec;' is odd, because I can't find any stat() implementation which returns a 'st_ctimespec' struct (this seems to be entirely *BSD specific)! Changing this to 't_pvfile = pvstat.st_ctime;' allows the code to compile - but I'm not sure it will do what the author intended.
Further bugs in audit_packages:
Currently, 'pkg-vulnerabilities' is downloaded to '/usr/bsd/src/distfiles/'. Even if I pass the '-K' flag to audit_packages, it only appears to look in '/usr/bsd/var/db/pkg/'.
If I use the '-v' flag, the output is:
"/usr/bsd/var/db/pkg/pkg-vulnerabilities more than a week old, continuing...
audit-packages: Unable to open: /usr/bsd/var/db/pkg/pkg-vulnerabilities"
... so the code (admittedly, affected by the about change) is calling stat() on a file which doesn't exist before checking if it exists.
If I use '-vv' then I always get:
"Reading settings from: /usr/bsd/etc/audit-packages.conf
debug2: Using PKGDB_DIR: /usr/bsd/var/db/pkg
debug2: Using pkg-vulnerabilities file: /usr/bsd/var/db/pkg/pkg-vulnerabilities
debug2: Using verify tool: /usr/bsd/bin/gpg
debug2: Using ignore directives: Segmentation fault (core dumped)"
... upon which dbx says:
"Core from signal SIGSEGV: Segmentation violation
> 0 strlen(0x0, 0x2, 0xfb55d08, 0xfb55d10, 0xfb4fbc8, 0x0, 0x1, 0x0) ["/xlv52/patches/7143/work/irix/lib/libc/libc_n32_M4/strings/strlen.s":58, 0xfa43040]
1 _doprnt_s(0x1, 0xfb4fbe8, 0x0, 0x0, 0x20, 0x0, 0x0, 0x0) ["/xlv52/patches/7143/work/irix/lib/libc/libc_n32_M4/print/inline_doprnt.c":486, 0xfaac360]
2 <Unknown>() [< unknown >, 0x10004b34]"
This appears to be because IRIX' libc (in common with some other UNIX platforms?) can't seem to handle a NULL argument to *printf().
The fix would appear to be to insert 'if (ignore != NULL)' before line 311.
Finally, running download-vulnerability-list results in audit-packages dying with a Bus Error on lines 172 and 173.
Running this through a debugger, the fault occurs on line 702 of libnbcompat's sha2.c in the function SHA512_Transform
audit-packages from pkg_install-20070416 works perfectly.
Attempt to install pkg_install-20070715, attempt to compile on non-NetBSD platform; attempt to use audit-packages.
Reverting to pkg_install-20070416 seems to be the best fix - this compiles cleanly first-time, and audit-packages works just fine and doesn't segfault.