Subject: Re: weird output from audit-packages
To: Hubert Feyrer <hubert@feyrer.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-pkg
Date: 01/11/2005 08:46:04
In message <Pine.GSO.4.61.0501111431560.21935@rfhpc8317>, Hubert Feyrer writes:
>On Tue, 11 Jan 2005, Steven M. Bellovin wrote:
>> cups<1.1.2[12]* denial-of-service http://www.cups.org/str.php?L104
>
>That's no valid pkg pattern. Relational operations ("<" etc.) can only
>take fixed version numbers to compare against. I'm not sure what's
>intended here, but something like cups<1.2.23 will probably DTRT.
>
>An easy way to test if the pattern is ok before committing stuff to the
>vulnerability file is to use "pkg_admin pmatch":
>
> miyu% pkg_admin pmatch 'cups<1.1.2[12]*' cups-1.2.2 ; echo $?
> pkg_admin: `[' not recognised
> pkg_admin: `]' not recognised
> pkg_admin: `*' not recognised
>
>If the idea is really to have "anything below 1.1.23" marked as
>vulnerable, just use that:
>
> miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.21 ; echo $?
> 0
> miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.22 ; echo $?
> 0
> miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.22nb1 ; echo $?
> 0
> miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.23 ; echo $?
> 1
> miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.23nb1 ; echo $?
> 1
Thanks -- I'll send-pr it.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
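Added example, not code from this thread or from pkg_admin itself: a small Python model of the relational-pattern check that "pkg_admin pmatch" performs, so the pattern can be sanity-checked before it goes into the vulnerability file. The version comparison is a simplified dewey model (dotted integers plus the pkgsrc "nbN" revision suffix); alpha/beta/rc style modifiers are deliberately left out, which is an assumption of this example, not a property of the real tool.

```python
import re

# Simplified pkgsrc "dewey" version: dot-separated integers plus an optional
# pkgsrc revision "nbN" that sorts after the base version (1.1.22 < 1.1.22nb1
# < 1.1.23).  alpha/beta/rc style modifiers are not modelled (assumption).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:nb(\d+))?$")
# package name, relational operator, then the bound (validated separately).
_PATTERN_RE = re.compile(r"^([A-Za-z0-9_.+-]+?)(<=|>=|<|>)([^<>=]+)$")
_GLOB_CHARS = set("[]*?{}")

def parse_version(text):
    """Return (numbers, nb_revision) for a fixed version, else raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("not a fixed version: %r" % text)
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def compare(a, b):
    """Three-way compare of parsed versions; missing trailing components count as 0."""
    (na, ra), (nb, rb) = a, b
    width = max(len(na), len(nb))
    na, nb = na + (0,) * (width - len(na)), nb + (0,) * (width - len(nb))
    return (na > nb) - (na < nb) or (ra > rb) - (ra < rb)

def is_valid_pattern(pattern):
    """True for 'name<version' style patterns: fixed version, no glob characters."""
    m = _PATTERN_RE.match(pattern)
    return bool(m and not (_GLOB_CHARS & set(pattern)) and _VERSION_RE.match(m.group(3)))

def pmatch(pattern, pkg):
    """Like 'pkg_admin pmatch': 0 if pkg ('name-version') matches, 1 otherwise."""
    if not is_valid_pattern(pattern):
        raise ValueError("not a valid relational pkg pattern: %r" % pattern)
    name, op, bound = _PATTERN_RE.match(pattern).groups()
    pkg_name, sep, pkg_ver = pkg.rpartition("-")
    if not sep or pkg_name != name:
        return 1
    c = compare(parse_version(pkg_ver), parse_version(bound))
    return 0 if {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op] else 1

def suspect_patterns(vuln_lines):
    """Flag relational patterns that mix in globs; plain glob patterns are left alone."""
    bad = []
    for line in vuln_lines:
        if not line.strip() or line.startswith("#"):
            continue
        pattern = line.split()[0]
        if ("<" in pattern or ">" in pattern) and not is_valid_pattern(pattern):
            bad.append(pattern)
    return bad
```

Feeding suspect_patterns() the lines of a vulnerability file before committing reproduces the check Hubert describes, minus the cases the simplified comparison does not cover.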