Subject: Re: package with security hole not flagged at build time
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Adrian Portelli <adrianp@stindustries.net>
List: pkgsrc-users
Date: 01/13/2007 17:02:01
Steven M. Bellovin wrote:
> No.
>
> But something just occurred to me. I seem to have *two*
> pkg-vulnerabilities files, one in /usr/pkg/share and one
> in /usr/pkgsrc/distfiles. I have no idea why. Both seem to have been
> updated in the last few days, the one in distfiles just now when I
> manually ran /etc/security.local (which does nothing but run
> download-vulnerability-list and audit-packages, and which of course is
> run from cron). It's almost as if the build process is looking at the
> one in /usr/pkg/share -- why, I couldn't tell you.
>
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
I thought it might be something like that. Unfortunately I think
there's a bit of a disconnect between security/audit-packages and the
pkgsrc infrastructure ATM when it comes to the location of the
pkg-vulnerabilities file.
I'd suggest you decide where you want the pkg-vulnerabilities file to
live and then set it via PKGVULNDIR= in _both_ your mk.conf and
${PKG_SYSCONFDIR}/audit-packages.conf. That will ensure the pkgsrc
infrastructure and audit-packages use the same file. Then ${RM} any
existing pkg-vulnerabilities files and run download-vulnerability-list(8)
again. Just check it's landed in the right place (the CVS Id should be
v 1.1839) and try a 'make extract' on mail/fetchmail; it should bail
with an error.
I'm in the middle of a rather large update to audit-packages ATM and I
hope to sort this out when I commit it.
adrian.
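The check Adrian describes, written out as a small POSIX sh script. This is an added example, not code from this thread, from audit-packages or from pkgsrc: it reads PKGVULNDIR from a mk.conf and an audit-packages.conf, reports whether the two agree, shows the CVS revision of the list actually in use, and lists any other copies of pkg-vulnerabilities left in the candidate directories. It assumes both files use a plain `PKGVULNDIR=dir` (or `?=`) assignment and that the list begins with a `# $NetBSD: pkg-vulnerabilities,v N ...` header; the directories and file contents built by make_fixture are constructed for the demo (revision 1.1820 is invented, 1.1839 is the one named above).

```shell
#!/bin/sh
# Added example, not code from the pkgsrc-users thread or from pkgsrc itself.
# Checks whether mk.conf and audit-packages.conf agree on PKGVULNDIR and
# whether stale copies of pkg-vulnerabilities are lying around elsewhere.
# Everything created by make_fixture (paths, headers, revisions) is constructed.

# Print the PKGVULNDIR value assigned in a config file, or nothing if unset.
# Accepts "PKGVULNDIR=dir" and "PKGVULNDIR ?= dir"; if a file assigns it more
# than once the last assignment is taken (a simplification of make(1) rules).
pkgvulndir_of() {
    sed -n 's/^[[:space:]]*PKGVULNDIR[[:space:]]*[?]\{0,1\}=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed only when both files name the same non-empty directory. Paths are
# compared literally, so "/usr/pkg/share" and "/usr/pkg/share/" differ.
pkgvulndir_consistent() {
    mk=$(pkgvulndir_of "$1")
    ap=$(pkgvulndir_of "$2")
    [ -n "$mk" ] && [ "$mk" = "$ap" ]
}

# Print the CVS revision from the "# $NetBSD: pkg-vulnerabilities,v N ..."
# header of a list file, or nothing if that header is missing.
vuln_list_revision() {
    sed -n 's/^#[[:space:]]*\$NetBSD: pkg-vulnerabilities,v \([0-9.]*\) .*$/\1/p' "$1" \
        | head -n 1
}

# Print every pkg-vulnerabilities file found in the candidate directories
# ($2 ...) that is not the one in the configured directory ($1).
stray_vuln_lists() {
    configured=$1; shift
    for d in "$@"; do
        [ "$d" = "$configured" ] && continue
        [ -f "$d/pkg-vulnerabilities" ] && printf '%s\n' "$d/pkg-vulnerabilities"
    done
    return 0
}

# Check one tree: print findings, return 1 when the two configs disagree.
# $1 = mk.conf, $2 = audit-packages.conf, $3 ... = directories to sweep.
report() {
    mkconf=$1; apconf=$2; shift 2
    printf 'mk.conf:             PKGVULNDIR=%s\n' "$(pkgvulndir_of "$mkconf")"
    printf 'audit-packages.conf: PKGVULNDIR=%s\n' "$(pkgvulndir_of "$apconf")"
    if ! pkgvulndir_consistent "$mkconf" "$apconf"; then
        echo 'MISMATCH: the build and audit-packages would read different lists'
        return 1
    fi
    dir=$(pkgvulndir_of "$mkconf")
    if [ -f "$dir/pkg-vulnerabilities" ]; then
        printf 'list in use: %s/pkg-vulnerabilities (revision %s)\n' \
            "$dir" "$(vuln_list_revision "$dir/pkg-vulnerabilities")"
    else
        echo "no pkg-vulnerabilities in $dir; run download-vulnerability-list"
    fi
    stray_vuln_lists "$dir" "$@" | sed 's/^/stale copy: /'
}

# Constructed fixture mirroring the thread: the two configs point at different
# directories and each directory holds its own copy of the list. Prints root.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/pkg/share" "$root/usr/pkgsrc/distfiles" "$root/usr/pkg/etc"
    printf 'PKGVULNDIR=\t%s/usr/pkg/share\n' "$root" > "$root/mk.conf"
    printf 'PKGVULNDIR=%s/usr/pkgsrc/distfiles\n' "$root" \
        > "$root/usr/pkg/etc/audit-packages.conf"
    # Constructed header lines: 1.1820 is invented, 1.1839 is the revision
    # mentioned in the thread.
    printf '# $NetBSD: pkg-vulnerabilities,v 1.1820 2007/01/05 00:00:00 nobody Exp $\n' \
        > "$root/usr/pkg/share/pkg-vulnerabilities"
    printf '# $NetBSD: pkg-vulnerabilities,v 1.1839 2007/01/13 00:00:00 nobody Exp $\n' \
        > "$root/usr/pkgsrc/distfiles/pkg-vulnerabilities"
    printf '%s\n' "$root"
}

# Stand-alone demo: show the mismatch, then point both files at one
# directory (the fix suggested above) and check again.
demo() {
    root=$(make_fixture) || return 1
    mkc=$root/mk.conf; apc=$root/usr/pkg/etc/audit-packages.conf
    report "$mkc" "$apc" "$root/usr/pkg/share" "$root/usr/pkgsrc/distfiles" || true
    echo '--- after setting PKGVULNDIR to the same directory in both files ---'
    printf 'PKGVULNDIR=%s/usr/pkg/share\n' "$root" > "$apc"
    report "$mkc" "$apc" "$root/usr/pkg/share" "$root/usr/pkgsrc/distfiles"
    rm -rf "$root"
}
demo
```

On a real host you would call `report /etc/mk.conf ${PKG_SYSCONFDIR}/audit-packages.conf /usr/pkg/share /usr/pkgsrc/distfiles` and expect the "stale copy" lines to be empty once the extra file has been removed and download-vulnerability-list(8) rerun.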