pkgsrc-Bugs archive


pkg/33253: security/audit-packages: small cleanups



>Number:         33253
>Category:       pkg
>Synopsis:       security/audit-packages: small cleanups
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 13 17:15:00 +0000 2006
>Originator:     Auster
>Release:        NetBSD 3.99.17
>Organization:
>Environment:
System: NetBSD lrou.x.ua 3.99.17 NetBSD 3.99.17 (lrou-1.740) #1: Mon Apr 10 17:07:09 EEST 2006 root%lrou.x.ua@localhost:/usr/src/sys/arch/i386/compile/lrou i386
Architecture: i386
Machine: i386
>Description:
        small cleanups in security/audit-packages

>How-To-Repeat:

% man 8 audit-packages
[snip]
        -i [vulnid:vulnid|pkgpat:pattern]
                Specify a list of vulnerabilities or packages to ignore.


for example: audit lang/sun-jre14, multimedia/mplayer

% audit-packages
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
Package mplayer-1.0rc7nb9 has a heap-overflow vulnerability (vulnid:1811), see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579

% audit-packages -i vulnid:1122 -i vulnid:1570 -i 'pkgpat:mplayer*'
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/

% audit-packages -i 1122 -i 1570 -i 'pkgpat:mplayer*'
%

% audit-packages -i 'vulnid:1122 vulnid:1570 pkgpat:mplayer*'
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/

% audit-packages -i '1122 1570 pkgpat:mplayer*'
%


>Fix:

1) audit-packages(8)
        -     -i [vulnid:vulnid|pkgpat:pattern]
        -               Specify a list of vulnerabilities or packages to ignore.
        +     -i IGNORELIST
        +               Specify a list of tokens to ignore. Token(s) takes the 
form:
        +                       vulnid|pkgpat:pattern [vulnid|pkgpat:pattern 
...]

        + # proposition
        +       Note: `dvi' options can also be configured via
        +       configuration items in audit-packages.conf.
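
Review bot: the proposed token grammar `vulnid|pkgpat:pattern` reads as if `vulnid:pattern` were one of the alternatives, which is exactly the misreading the How-To-Repeat above shows to be harmful (`-i vulnid:1122` has no effect); spell the two forms out separately, e.g. `vulnid` (a bare number such as 1122) and `pkgpat:pattern`, and fix the grammar of "Token(s) takes the form". The added note should also name the options (-d, -v, -i) and the configuration items they map to (download, verbose, ignore_list) instead of writing `dvi', so a reader can match them against audit-packages.conf.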


2) sbin/audit-packages 
        --- /usr/pkg/sbin/audit-packages
        +++ /usr/pkg/sbin/audit-packages.4example
        @@ -48,7 +48,7 @@
                argv0="${1##*/}"
                cat <<EOF
         $2
        -Usage: $argv0 [-dv] [-i vulnid:id|pkgpat:pattern]
        +Usage: $argv0 [-dv] [-i ignorelist]
                             [-K pkg_dbdir] [-p package]
             -d : Run download-vulnerability-list before anything else.
             -i : Ignore packages matching one of the specified vulnerabilities,
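
Review bot: with `[-i vulnid:id|pkgpat:pattern]` collapsed to `[-i ignorelist]`, nothing in the usage text tells the user what a token looks like, and the `-i :` description that follows still reads as if only vulnerabilities can be ignored. Since the How-To-Repeat above shows a wrongly formed token (`vulnid:1122`) is accepted silently with no effect, the usage line is the user's only hint; suggest something like `-i : Ignore a space-separated list of vulnids and pkgpat:pattern tokens`.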
        @@ -61,6 +61,9 @@
                exit 1
         }
 
        +download=no
        +verbose=no
        +ignore_list=
         settingsmsg=""
         if [ -r /usr/pkg/etc/audit-packages.conf ]; then
                settingsmsg="Reading settings from 
/usr/pkg/etc/audit-packages.conf"
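
Review bot: initialising `download`, `verbose` and `ignore_list` before audit-packages.conf is read is what lets the configuration file override them, but the visible context shows neither where the file is actually sourced nor whether a later `-i` appends to or replaces an `ignore_list` taken from the configuration file. State the precedence you intend (built-in defaults, then configuration file, then command line) in the man page note proposed in part 1, and decide explicitly whether `-i` accumulates with the configured list or discards it.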
        @@ -69,9 +72,6 @@
 
         vuls="${PKGVULNDIR}/pkg-vulnerabilities"
 
        -download=no
        -verbose=no
        -ignore_list=
         pkg_patterns=
         vulnids=
         one_package=
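
Review bot: removing the old defaults here is required, otherwise an `ignore_list` read from the configuration file would be emptied again straight after being read; also check that the code which splits `ignore_list` into `pkg_patterns` and `vulnids` runs after this point, since both are still initialised empty here and a configured `ignore_list` would otherwise never be parsed. `one_package` is likewise reset here, so it cannot usefully be set from the configuration file, which is consistent with the example in part 3 documenting only download, verbose and ignore_list.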



3) examples/audit-packages/audit-packages.conf

        # download=yes
        #       Run download-vulnerability-list before anything else.

        # verbose=yes
        #       Verbose mode

        # ignore_list="vulnid|pkgpat:pattern [vulnid|pkgpat:pattern ..]"
        #       Ignore packages matching one of the specified vulnerabilities,
        #       or matching one of the provided patterns.
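
Added worked example, not part of this PR and not code from pkgsrc's audit-packages: a POSIX sh filter that applies an ignore list in the form this PR documents, a whitespace-separated mix of bare vulnids and pkgpat:glob tokens, to audit-packages-style report lines. The report is constructed inline from the three How-To-Repeat lines above plus one made-up mplayer entry (vulnid 1900 and the example.invalid URL are fictitious) so that the difference between the two token kinds is visible: a vulnid token suppresses exactly one advisory, a pkgpat token suppresses every present and future advisory for the matching package. Where the observed tool accepts `vulnid:1122` silently with no effect, this example reports a token that is neither a number nor pkgpat:... on stderr.

```shell
#!/bin/sh
# Added example, not from the PR or from pkgsrc's audit-packages script.
# Applies an ignore list of the form documented in this PR, e.g.
#   "1122 1570 pkgpat:mplayer*"
# (whitespace-separated; a token is a bare vulnid or pkgpat:<shell glob>)
# to audit-packages-style report lines.

# Constructed sample report: the three lines from How-To-Repeat above plus
# one made-up mplayer entry (vulnid 1900, example.invalid URL) to show that
# pkgpat: hides a package's future vulnerabilities as well as the known ones.
SAMPLE_REPORT='Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
Package mplayer-1.0rc7nb9 has a heap-overflow vulnerability (vulnid:1811), see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579
Package mplayer-1.0rc7nb9 has a buffer-overflow vulnerability (vulnid:1900), see http://example.invalid/constructed-entry'

# ignored_by_list LINE IGNORELIST: returns 0 if LINE is covered by a token.
ignored_by_list() {
    line=$1
    ignorelist=$2
    pkg=${line#Package }         # "sun-jre14-2.11 has ..."
    pkg=${pkg%% *}               # "sun-jre14-2.11"
    vid=${line#*vulnid:}         # "1122), see ..."
    vid=${vid%%[)]*}             # "1122"

    set -f                       # no pathname expansion: mplayer* is a pattern, not a file glob
    set -- $ignorelist           # split on IFS whitespace, as sh does for the -i argument
    set +f
    for tok in "$@"; do
        case $tok in
        pkgpat:*)
            pat=${tok#pkgpat:}
            case $pkg in         # glob match against "name-version"
            $pat) return 0 ;;
            esac
            ;;
        *[!0-9]*)
            # Neither a number nor pkgpat:...; the observed tool accepts
            # "vulnid:1122" silently with no effect, which hides typos.
            printf 'unknown ignore token: %s\n' "$tok" >&2
            ;;
        *)
            if [ "$tok" = "$vid" ]; then return 0; fi
            ;;
        esac
    done
    return 1
}

# filter_report IGNORELIST: prints the report lines that are not ignored.
filter_report() {
    printf '%s\n' "$SAMPLE_REPORT" | while IFS= read -r line; do
        ignored_by_list "$line" "$1" || printf '%s\n' "$line"
    done
}

# count_remaining IGNORELIST: number of report lines left after filtering.
count_remaining() {
    filter_report "$1" | wc -l | tr -d ' '
}

filter_report '1122 1570 pkgpat:mplayer*'   # prints nothing: everything is ignored
filter_report '1811'                        # three lines: only one mplayer entry is hidden
```

pkgpat: is the coarse knob: it silences every advisory, present and future, for any package matching the glob, so prefer vulnid tokens for advisories you have actually assessed, and re-run the audit after removing a pkgpat token to see what it was hiding.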



