Subject: Re: package with security hole not flagged at build time
To: Adrian Portelli <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 01/13/2007 11:36:14
On Sat, 13 Jan 2007 16:19:51 +0000
Adrian Portelli <firstname.lastname@example.org> wrote:
> Steven M. Bellovin wrote:
> >>> --Steve Bellovin, http://www.cs.columbia.edu/~smb
> >> Just as a matter of interest if you install the package and then
> >> run audit-packages does it pick it up as being vulnerable?
> > Yes...
> > --Steve Bellovin, http://www.cs.columbia.edu/~smb
> Hi Steven,
> Just one additional bit of information . . .
> Do you have PKGVULNDIR set anywhere (mk.conf, audit-packages.conf,
> environment) or have you played with it of late?
But something just occurred to me. I seem to have *two*
pkg-vulnerabilities files, one in /usr/pkg/share and one
in /usr/pkgsrc/distfiles. I have no idea why. Both seem to have been
updated in the last few days, the one in distfiles just now when I
manually ran /etc/security.local (which does nothing but run
download-vulnerability-list and audit-packages, and which of course is
run from cron). It's almost as if the build process is looking at the
one in /usr/pkg/share -- why, I couldn't tell you.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
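An added example, not part of this thread, for the situation Steve describes: a POSIX shell script that reports which PKGVULNDIR setting is in effect and whether every pkg-vulnerabilities copy on the system is byte-identical, so a stale copy consulted at build time but not by the cron audit can be spotted. The config file paths it reads, the assignment syntax it parses, and the environment-before-file precedence are assumptions, not documented audit-packages behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): list every pkg-vulnerabilities copy, check
# they agree, and show which PKGVULNDIR wins.  Paths and precedence are assumptions.

# effective_pkgvulndir FILE...: environment first, else the last assignment in
# the first readable file that has one (make-style =, ?=, :=, += accepted).
effective_pkgvulndir() {
    if [ -n "${PKGVULNDIR:-}" ]; then echo "$PKGVULNDIR"; return 0; fi
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*PKGVULNDIR[[:space:]]*[?:+]\{0,1\}=[[:space:]]*//p' "$f" \
            | tail -n 1 | tr -d '"')
        if [ -n "$v" ]; then echo "$v"; return 0; fi
    done
    return 1
}

# vuln_list_paths DIR...: print each pkg-vulnerabilities file that exists.
vuln_list_paths() {
    for d in "$@"; do
        if [ -f "$d/pkg-vulnerabilities" ]; then echo "$d/pkg-vulnerabilities"; fi
    done
}

# vuln_lists_agree DIR...: succeed only if every copy found is byte-identical to
# the first one; a differing copy means some consumer is reading a stale list.
vuln_lists_agree() {
    first=""
    for d in "$@"; do
        p="$d/pkg-vulnerabilities"
        [ -f "$p" ] || continue
        if [ -z "$first" ]; then first="$p"; continue; fi
        cmp -s "$first" "$p" || return 1
    done
    return 0
}
# report DIR...: human-readable summary for the given directories.
report() {
    dir=$(effective_pkgvulndir /etc/mk.conf /usr/pkg/etc/audit-packages.conf) || dir="(unset)"
    echo "effective PKGVULNDIR: $dir"
    vuln_list_paths "$@"
    if vuln_lists_agree "$@"; then echo "all copies identical"
    else echo "WARNING: copies differ; build and cron may not see the same list"; fi
}
# Run as: sh check-vuln-lists.sh --check [DIR...] (default: the two dirs in the thread)
if [ "${1:-}" = "--check" ]; then
    shift; [ "$#" -gt 0 ] || set -- /usr/pkg/share /usr/pkgsrc/distfiles
    report "$@"
fi
```

Pass extra directories after `--check` if your PKGVULNDIR points somewhere other than the two locations named above.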