Subject: Re: package with security hole not flagged at build time
To: Adrian Portelli <>
From: Steven M. Bellovin <>
List: pkgsrc-users
Date: 01/14/2007 21:22:58
On Sat, 13 Jan 2007 17:02:01 +0000
Adrian Portelli <> wrote:

> Steven M. Bellovin wrote:
> > No.
> > 
> > But something just occurred to me.  I seem to have *two*
> > pkg-vulnerabilities files, one in /usr/pkg/share and one
> > in /usr/pkgsrc/distfiles.  I have no idea why.  Both seem to have
> > been updated in the last few days, the one in distfiles just now
> > when I manually ran /etc/security.local (which does nothing but run
> > download-vulnerability-list and audit-packages, and which of course
> > is run from cron).  It's almost as if the build process is looking
> > at the one in /usr/pkg/share -- why, I couldn't tell you.)
> > 
> > 
> > 		--Steve Bellovin,
> I thought it might be something like that.  Unfortunately I think
> there's a bit of a disconnect between security/audit-packages and the
> pkgsrc infrastructure ATM when it comes to the location of the
> pkg-vulnerabilities file.

I had a similar problem, once upon a time, when I'd built something via
pkg_comp, but that wasn't the case here.
> I'd suggest you decide where you want the pkg-vulnerabilities file to
> live and then set it via PKGVULNDIR= in _both_ your mk.conf and
> ${PKG_SYSCONFDIR}/audit-packages.conf.  That will ensure the pkgsrc
> infrastructure and audit-packages use the same file.  Then ${RM} any
> existing pkg-vulnerability files and run
> download-vulnerability-list(8) again.  Just check it's landed in the
> right place (the CVS Id should be v 1.1839) and try a 'make extract'
> on mail/fetchmail and it should bail with an error.

I put it in /usr/pkg/share, as part of my campaign to let systems be
maintainable without any form of source tree.
> I'm in the middle of a rather large update to audit-packages ATM and I
> hope to sort this out when I commit it.

And thanks.

		--Steve Bellovin,