pkg/36773: pointer bug in audit-packages

[dholland%eecs.harvard.edu@localhost]

>Number:         36773
>Category:       pkg
>Synopsis:       pointer bug in audit-packages
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Aug 12 06:50:00 +0000 2007
>Originator:     David A. Holland <dholland%eecs.harvard.edu@localhost>
>Release:        NetBSD 4.99.20 (pkgsrc 20070811)
>Organization:
   Harvard EECS
>Environment:
System: NetBSD tanaqui 4.99.20 NetBSD 4.99.20 (TANAQUI) #17: Thu Jul 5 23:22:29 
EDT 2007 root@tanaqui:/usr/src/sys/arch/i386/compile/TANAQUI i386
Architecture: i386
Machine: i386
>Description:

I used to have a neatly formatted multi-line IGNORE_URLS setting in
audit-packages.conf; it broke, so I was looking at the config parser,
and in the course of doing so I spotted a bug.

If you set GPG in the config file, because clean_conf() does not
return a fresh string as its return value, verify_bin ends up pointing
into the line buffer. This probably has undesirable results.

>How-To-Repeat:

Try setting GPG= and then some other variable. I haven't actually
tried this though - I only read the code.

>Fix:

Index: audit-packages.c
===================================================================
RCS file: 
/cvsroot/pkgsrc/pkgtools/pkg_install/files/audit-packages/audit-packages.c,v
retrieving revision 1.9
diff -u -r1.9 audit-packages.c
--- audit-packages.c    10 Aug 2007 22:50:46 -0000      1.9
+++ audit-packages.c    12 Aug 2007 06:39:57 -0000
@@ -637,7 +637,7 @@
                else if (strncmp(line, "GPG", 3) == 0) {
                        retval = clean_conf(line);
                        if (retval != NULL)
-                               verify_bin = retval;
+                               verify_bin = safe_strdup(retval);
                }
                else if (strncmp(line, "PKGVULNDIR", 9) == 0) {
                        retval = clean_conf(line);