Subject: Re: package with security hole not flagged at build time
To: Adrian Portelli <>
From: Steven M. Bellovin <>
List: pkgsrc-users
Date: 01/13/2007 11:36:14
On Sat, 13 Jan 2007 16:19:51 +0000
Adrian Portelli <> wrote:

> Steven M. Bellovin wrote:
> ...
> >>> 		--Steve Bellovin,
> >> Just as a matter of interest if you install the package and then
> >> run audit-packages does it pick it up as being vulnerable ?
> >>
> > 
> > Yes...
> > 
> > 		--Steve Bellovin,
> Hi Steven,
> Just one additional bit of information . . .
> Do you have PKGVULNDIR set anywhere (mk.conf, audit-packages.conf,
> environment) or have you played with it of late ?


But something just occurred to me.  I seem to have *two*
pkg-vulnerabilities files, one in /usr/pkg/share and one
in /usr/pkgsrc/distfiles.  I have no idea why.  Both seem to have been
updated in the last few days, the one in distfiles just now when I
manually ran /etc/security.local (which does nothing but run
download-vulnerability-list and audit-packages, and which of course is
run from cron).  It's almost as if the build process is looking at the
one in /usr/pkg/share -- why, I couldn't tell you.

		--Steve Bellovin,
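The situation Steve describes, two pkg-vulnerabilities copies in different directories with no certainty about which one the build consults, is easy to check mechanically. The script below is an added example for this thread, not code from pkgsrc or from anyone in the discussion. It takes candidate directories as arguments (the two paths named in the message are used only as the illustrative call), lists every copy found, reports whether the copies diverge, counts the entries in a copy as a quick staleness check, and shows which directory a PKGVULNDIR setting would select. The fallback rule "first candidate directory that has a copy" is an assumption made for the example, not pkgsrc's real resolution order; the sample file contents used in the usage call are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from pkgsrc): audit duplicate
# pkg-vulnerabilities copies and show which directory would be consulted.

# Print every existing <dir>/pkg-vulnerabilities among the given dirs.
vuln_copies() {
    for d in "$@"; do
        [ -f "$d/pkg-vulnerabilities" ] && printf '%s\n' "$d/pkg-vulnerabilities"
    done
    return 0
}

# Return 0 if every copy found is byte-identical to the first one, 1 otherwise.
# A divergence means at least one copy is stale or was fetched separately.
vuln_copies_identical() {
    first=""
    for d in "$@"; do
        f="$d/pkg-vulnerabilities"
        [ -f "$f" ] || continue
        if [ -z "$first" ]; then
            first=$f
            continue
        fi
        cmp -s "$first" "$f" || return 1
    done
    return 0
}

# Directory that would be consulted: PKGVULNDIR if set in the environment,
# otherwise the first candidate holding a copy.  The fallback rule is an
# assumption for this example, not pkgsrc's actual lookup order.
effective_vulndir() {
    if [ -n "${PKGVULNDIR:-}" ]; then
        printf '%s\n' "$PKGVULNDIR"
        return 0
    fi
    for d in "$@"; do
        if [ -f "$d/pkg-vulnerabilities" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Number of non-comment, non-blank lines (i.e. vulnerability entries) in a
# copy; a copy with far fewer entries than its sibling is the stale one.
vuln_entry_count() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# Illustrative call with the two directories from the message.
# (Both functions simply report nothing if the files are absent.)
vuln_copies /usr/pkg/share /usr/pkgsrc/distfiles
vuln_copies_identical /usr/pkg/share /usr/pkgsrc/distfiles \
    && echo "copies identical" || echo "copies differ or only one present"
effective_vulndir /usr/pkg/share /usr/pkgsrc/distfiles || echo "no copy found"
```

Run it with PKGVULNDIR set the way mk.conf or audit-packages.conf sets it to see whether that value points at the copy that is actually being refreshed by cron; if the two copies differ and the consulted one has fewer entries, the build is checking against a stale list.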