Subject: Re: package with security hole not flagged at build time
To: Adrian Portelli <adrianp@stindustries.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: pkgsrc-users
Date: 01/13/2007 11:36:14
On Sat, 13 Jan 2007 16:19:51 +0000
Adrian Portelli <adrianp@stindustries.net> wrote:
> Steven M. Bellovin wrote:
> ...
> >>> --Steve Bellovin, http://www.cs.columbia.edu/~smb
> >> Just as a matter of interest if you install the package and then
> >> run audit-packages does it pick it up as being vulnerable ?
> >>
> >
> > Yes...
> >
> > --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
> Hi Steven,
>
> Just one additional bit of information . . .
>
> Do you have PKGVULNDIR set anywhere (mk.conf, audit-packages.conf,
> environment) or have you played with it of late ?
>
No.
But something just occurred to me. I seem to have *two*
pkg-vulnerabilities files, one in /usr/pkg/share and one
in /usr/pkgsrc/distfiles. I have no idea why. Both seem to have been
updated in the last few days, the one in distfiles just now when I
manually ran /etc/security.local (which does nothing but run
download-vulnerability-list and audit-packages, and which of course is
run from cron). It's almost as if the build process is looking at the
one in /usr/pkg/share -- why, I couldn't tell you.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
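A check for the situation described above, added here as an example and not part of the thread: it works out which directory audit-packages is assumed to read, lists every pkg-vulnerabilities copy with a checksum, and flags copies that differ. The lookup order (environment, then audit-packages.conf, then mk.conf, then /usr/pkg/share) and the /usr/pkg/etc/audit-packages.conf path are assumptions made for this script, not taken from pkgsrc documentation.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds stale or duplicate
# pkg-vulnerabilities copies so audit-packages is not run against an old list.

# effective_vulndir CONF_FILE MK_CONF
#   Prints the directory audit-packages is assumed to consult. Resolution
#   order (assumption): $PKGVULNDIR, CONF_FILE, MK_CONF, then /usr/pkg/share.
effective_vulndir() {
    conf=$1; mkconf=$2
    if [ -n "${PKGVULNDIR:-}" ]; then
        printf '%s\n' "$PKGVULNDIR"; return
    fi
    for f in "$conf" "$mkconf"; do
        if [ -r "$f" ]; then
            # last uncommented PKGVULNDIR= or PKGVULNDIR?= assignment, quotes stripped
            d=$(sed -n 's/^[[:space:]]*PKGVULNDIR[[:space:]]*?*=[[:space:]]*//p' "$f" \
                | tail -n 1 | tr -d '"')
            if [ -n "$d" ]; then printf '%s\n' "$d"; return; fi
        fi
    done
    printf '%s\n' /usr/pkg/share
}

# vuln_copies_status DIR...
#   For each DIR holding a pkg-vulnerabilities file, prints "path checksum".
#   Exit status 0 if every copy found is identical, 1 if any differ.
vuln_copies_status() {
    sums=
    for d in "$@"; do
        f=$d/pkg-vulnerabilities
        [ -f "$f" ] || continue
        s=$(cksum < "$f" | awk '{print $1}')
        printf '%s %s\n' "$f" "$s"
        sums="$sums $s"
    done
    [ "$(printf '%s\n' $sums | sort -u | wc -l)" -le 1 ]
}

# Report for this host; the conf path is an assumed default.
dir=$(effective_vulndir /usr/pkg/etc/audit-packages.conf /etc/mk.conf)
echo "configured PKGVULNDIR: $dir"
vuln_copies_status "$dir" /usr/pkg/share /usr/pkgsrc/distfiles \
    || echo "WARNING: pkg-vulnerabilities copies differ; check which one audit-packages reads"
```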