Subject: improved pkg-vulnerabilities checking
To: None <firstname.lastname@example.org>
From: Eric Haszlakiewicz <email@example.com>
Date: 11/09/2005 16:32:46
It's bugged me for a while that the switch to turn off vulnerablity
checking when building packages is a all-or-nothing switch. i.e.
skips checks for everything. I changed bsd.pkg.mk so I can do things
like this instead:
Then, it occured to me that just because I ignore one particular
vulnerability I might still care about a new one that is discovered later.
So, in addition to the above I thought something like this might be workable:
Where the "vulerability id" is the index of the vulnerability in the
pkg-vulnerabilities file. (i.e. line number, but not counting comment lines)
However, that seems somewhat fragile so I was thinking of changing the
format of the file so it looks like this:
<pkg pattern> <vulnid>,<type> <url>
libungif<4.1.3nb3 1520,remote-code-execution http://secunia.com/advisories/17436/
and bumping the format version to 1.0.1. (not 1.1, since it's still compatible
with old audit-packages script)
Then, since it's nice not to duplicate code, I combined it all into the
audit-packages script and had the package makefiles call that instead.
Patch is available at http://poe.swapsimple.com/pkgsrc_audit/