Subject: Re: package with security hole not flagged at build time
To: Adrian Portelli <adrianp@stindustries.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: pkgsrc-users
Date: 01/13/2007 11:36:14
On Sat, 13 Jan 2007 16:19:51 +0000
Adrian Portelli <adrianp@stindustries.net> wrote:

> Steven M. Bellovin wrote:
> ...
> >>> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
> >> Just as a matter of interest if you install the package and then
> >> run audit-packages does it pick it up as being vulnerable ?
> >>
> > 
> > Yes...
> > 
> > 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
> 
> Hi Steven,
> 
> Just one additional bit of information . . .
> 
> Do you have PKGVULNDIR set anywhere (mk.conf, audit-packages.conf,
> environment) or have you played with it of late ?
> 

No.

But something just occurred to me.  I seem to have *two*
pkg-vulnerabilities files, one in /usr/pkg/share and one
in /usr/pkgsrc/distfiles.  I have no idea why.  Both seem to have been
updated in the last few days, the one in distfiles just now when I
manually ran /etc/security.local (which does nothing but run
download-vulnerability-list and audit-packages, and which of course is
run from cron).  It's almost as if the build process is looking at the
one in /usr/pkg/share -- why, I couldn't tell you.
		--Steve Bellovin, http://www.cs.columbia.edu/~smb
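The situation described in the thread (two pkg-vulnerabilities copies, an unclear PKGVULNDIR) can be checked from a shell; this is an added diagnostic example, not code from the thread or from pkgsrc. It assumes the config files are /etc/mk.conf and /usr/pkg/etc/audit-packages.conf and that either may carry a plain `PKGVULNDIR=<dir>` or `PKGVULNDIR?=<dir>` line (both paths and that syntax are assumptions).

```shell
#!/bin/sh
# Diagnose which pkg-vulnerabilities copy audit-packages is likely using.
# Assumed (not stated in the thread): config paths /etc/mk.conf and
# /usr/pkg/etc/audit-packages.conf, each with a "PKGVULNDIR=<dir>" line.

# Print the first PKGVULNDIR setting found: environment first, then each
# config file given as an argument (first match wins). Returns 1 if unset.
find_pkgvulndir() {
    if [ -n "${PKGVULNDIR:-}" ]; then
        printf '%s\n' "$PKGVULNDIR"
        return 0
    fi
    for f in "$@"; do
        [ -r "$f" ] || continue
        # accept "PKGVULNDIR=..." and make-style "PKGVULNDIR?=...";
        # strip a trailing comment and surrounding double quotes
        v=$(sed -n 's/^[[:space:]]*PKGVULNDIR[[:space:]]*?*=[[:space:]]*//p' "$f" |
            sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//' | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# Compare two candidate vulnerability lists: prints "same" if the contents
# match, otherwise "first-newer" or "second-newer" by modification time,
# and "missing" (exit 1) if either file cannot be read.
compare_vuln_files() {
    a=$1; b=$2
    [ -r "$a" ] && [ -r "$b" ] || { echo "missing"; return 1; }
    if cmp -s "$a" "$b"; then
        echo "same"
    elif [ "$a" -nt "$b" ]; then
        echo "first-newer"
    else
        echo "second-newer"
    fi
}

# Stand-alone use: sh vulncheck.sh --check  (uses the paths from the thread)
if [ "${1:-}" = "--check" ]; then
    dir=$(find_pkgvulndir /etc/mk.conf /usr/pkg/etc/audit-packages.conf) \
        || echo "PKGVULNDIR not set anywhere; audit-packages uses its default"
    [ -n "$dir" ] && echo "PKGVULNDIR=$dir"
    compare_vuln_files /usr/pkg/share/pkg-vulnerabilities \
                       /usr/pkgsrc/distfiles/pkg-vulnerabilities
fi
```

If the two copies differ and the one audit-packages reads is the older, download-vulnerability-list and the build-time check are looking at different directories, which is the symptom the thread describes.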