Subject: incompatibility between audit-packages and make-time checks
To: None <tech-pkg@netbsd.org, tech-security@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-pkg
Date: 02/15/2005 13:28:53
There's an incompatibility in how the vulnerability database is checked 
in pkgsrc Makefiles versus how it's checked in audit-packages.  This is 
showing up today with mozilla-gtk2; you can do a 'make install' and it 
will succeed, but audit-packages will flag it. 

The problem, I believe, is in the definition of a regular expression.  
The line causing trouble is this:

   mozilla{,-bin,-gtk2,-gtk2-bin}<=1.7.5           www-address-spoof       http://secunia.com/advisories/14154/

The check in 'make' is relying on awk and 'pkg_admin pmatch'; the check 
in audit-packages uses pkg_info to see if something matching that 
pattern is installed.  Somehow, they're producing different answers.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb