Subject: incompatibility between audit-packages and make-time checks
To: None <,>
From: Steven M. Bellovin <>
List: tech-pkg
Date: 02/15/2005 13:28:53
There's an incompatibility in how the vulnerability database is checked 
in pkgsrc Makefiles versus how it's checked in audit-packages.  This is 
showing up today with mozilla-gtk2; you can do a 'make install' and it 
will succeed, but audit-packages will flag it. 

The problem, I believe, is in the definition of a regular expression.  
The line causing trouble is this:

   mozilla{,-bin,-gtk2,-gtk2-bin}<=1.7.5           www-address-spoof

The check in 'make' is relying on awk and 'pkg_admin pmatch'; the check 
in audit-packages uses pkg_info to see if something matching that 
pattern is installed.  Somehow, they're producing different answers.

		--Prof. Steven M. Bellovin,
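To make the two checks concrete, here is an added illustration (not pkgsrc's own code, and not anything from the post) of how a pkg-vulnerabilities entry such as the one above is meant to be evaluated against installed package names: expand the brace alternation, match the name part, then compare the version part. The database is assumed to be the two-column form shown in the post, and version ordering is a simplified dewey comparison that ignores alpha/beta/rc/pl modifiers.

```python
import re
from fnmatch import fnmatchcase

def expand_braces(pattern):
    """Expand {a,b,c} alternation, e.g. 'mozilla{,-bin}<=1.7.5' ->
    ['mozilla<=1.7.5', 'mozilla-bin<=1.7.5'] (recursive, so nesting works)."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(',')
            for p in expand_braces(head + alt + tail)]

def version_key(v):
    """Simplified dewey ordering key: '1.7.5nb2' -> ([1, 7, 5], 2).
    Assumption: alpha/beta/rc/pl modifiers are not handled here."""
    base, _, nb = v.partition('nb')
    return ([int(x) for x in base.split('.')], int(nb) if nb else 0)

OPS = {'<=': lambda a, b: a <= b, '>=': lambda a, b: a >= b,
       '<': lambda a, b: a < b, '>': lambda a, b: a > b, '=': lambda a, b: a == b}
COND = re.compile(r'(<=|>=|<|>|=)([^<>=]+)')

def pmatch(pattern, pkg):
    """True if the installed package 'name-version' satisfies the pattern."""
    name, _, version = pkg.rpartition('-')
    for alt in expand_braces(pattern):
        m = re.match(r'^([^<>=]+)((?:(?:<=|>=|<|>|=)[^<>=]+)*)$', alt)
        if not m or not fnmatchcase(name, m.group(1)):
            continue
        if all(OPS[op](version_key(version), version_key(ver))
               for op, ver in COND.findall(m.group(2))):
            return True
    return False

def audit(vuln_lines, installed):
    """Return [(package, vulnerability type)] for every installed package hit."""
    hits = []
    for line in vuln_lines:
        fields = line.split()
        if not fields or fields[0].startswith('#'):
            continue
        pattern, kind = fields[0], fields[1]
        hits.extend((pkg, kind) for pkg in installed if pmatch(pattern, pkg))
    return hits

# Constructed sample: the entry from the post plus invented installed packages.
VULN_DB = ["# constructed sample of pkg-vulnerabilities",
           "mozilla{,-bin,-gtk2,-gtk2-bin}<=1.7.5           www-address-spoof"]
INSTALLED = ["mozilla-gtk2-1.7.5", "mozilla-1.7.6", "firefox-1.0"]
```

Running audit(VULN_DB, INSTALLED) flags only mozilla-gtk2-1.7.5; a make-time check and audit-packages that disagree on this input are parsing the pattern differently, and comparing their expansions of the brace list is the first thing to look at.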