pkgsrc-Bugs archive
pkg/59446: not respected: ALLOW_VULNERABLE_PACKAGES=NO
>Number: 59446
>Category: pkg
>Synopsis: not respected: ALLOW_VULNERABLE_PACKAGES=NO
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue May 27 08:00:01 +0000 2025
>Originator: George Georgalis
>Release: pkgsrc-2025Q1 2025-05-27
>Organization:
>Environment:
Darwin AAAA.attlocal.net 22.6.0 Darwin Kernel Version 22.6.0: Thu Apr 24 20:21:55 PDT 2025; root:xnu-8796.141.3.712.2~1/RELEASE_ARM64_T8103 arm64
>Description:
Although I configured
ALLOW_VULNERABLE_PACKAGES= NO
in my $LOCALBASE/etc/mk.conf immediately after bootstrap,
and then ran
pkg_admin fetch-pkg-vulnerabilities -u
prior to package builds and pkgin installs,
several vulnerable packages were installed,
as indicated by "pkg_admin audit".
>How-To-Repeat:
On Darwin/macOS, with a fresh cvs checkout of pkg-2025Q1:
PKG_DBDIR=$LOCALBASE/pkgdb
cd "$pkgsrc/bootstrap"
./bootstrap \
--prefix "$LOCALBASE" \
--workdir "$WRKOBJDIR" \
--pkgdbdir $PKG_DBDIR \
--make-jobs $cores \
--unprivileged \
--prefer-pkgsrc yes
cat >>$LOCALBASE/etc/mk.conf <<eof
# Security and vulnerability management
ALLOW_VULNERABLE_PACKAGES= NO
eof
cd $pkgsrc/pkgtools/pkgin && bmake package-install \
&& read PACKAGES < <(bmake show-var VARNAME=PACKAGES) \
&& echo "file://$PACKAGES/ALL" >>$LOCALBASE/etc/pkgin/repositories.conf
cd $pkgsrc/net/tcpdump/ && bmake package
...
pkgin in tcpdump
pkg_admin audit
Package tcpdump-4.99.5 has a information-disclosure vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2018-19519
Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2019-1010220
Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2018-19325
Package tcpdump-4.99.5 has a out-of-bounds-write vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2023-1801
pkgin rm tcpdump
cd $pkgsrc/net/tcpdump/ && bmake install
===> Installing binary package of tcpdump-4.99.5
cd $pkgsrc/net/tcpdump/ && bmake deinstall
===> Deinstalling for tcpdump-4.99.5
cd $pkgsrc/net/tcpdump/ && bmake clean
===> Cleaning for tcpdump-4.99.5
cd $pkgsrc/net/tcpdump/ && bmake install
===> Building binary package for tcpdump-4.99.5
=> Creating binary package /opt/pkgsrc-stable/pkg-2025Q1-68350-Darwin_22.6.0_arm64/All/tcpdump-4.99.5.tgz
===> Installing binary package of tcpdump-4.99.5
cd $pkgsrc/net/tcpdump/ && bmake show-var VARNAME=ALLOW_VULNERABLE_PACKAGES
NO
>Fix:
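While the mk.conf knob is not being honoured as the report above describes, a practitioner can gate installs on the audit itself. The following is an added example written for this page, not code from the PR, from pkgsrc or from pkg_install: it runs `pkg_admin audit-pkg` (a real pkg_install subcommand) on each full package name before handing it to pkgin, and refuses when any vulnerability line is printed. Assumptions, labelled in the comments: PKG_DBDIR points at the pkgdb chosen at bootstrap, the package name is passed with its version (e.g. tcpdump-4.99.5), and the audit result is read from the output text rather than from pkg_admin's exit status. The sample audit text is the tcpdump output quoted in the report.

```shell
#!/bin/sh
# Added example (not from the PR, pkgsrc or pkg_install): refuse to install a
# binary package that pkg_admin reports as vulnerable, independent of whether
# the pkgsrc build honoured ALLOW_VULNERABLE_PACKAGES.

# Audit text copied from the report above; used for the offline demo/tests.
SAMPLE_AUDIT='Package tcpdump-4.99.5 has a information-disclosure vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2018-19519
Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2019-1010220
Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2018-19325
Package tcpdump-4.99.5 has a out-of-bounds-write vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2023-1801'

# audit_has_vulns: read pkg_admin audit output on stdin; succeed (exit 0) if any
# line reports a vulnerability. pkg_install prints
# "Package <pkg> has a <type> vulnerability, see <url>" for each match.
audit_has_vulns() {
    grep -q '^Package .* has a .* vulnerability' 
}

# count_vulns: number of vulnerability lines in the audit text on stdin
# (prints 0 rather than failing when there are none).
count_vulns() {
    grep -c '^Package .* has a .* vulnerability' || true
}

# vuln_types: distinct vulnerability types named in the audit text, one per line.
vuln_types() {
    sed -n 's/^Package [^ ]* has a \([^ ]*\) vulnerability, see .*/\1/p' | sort -u
}

# gate_install PKGNAME...: audit each package (full name with version, e.g.
# tcpdump-4.99.5) against the fetched pkg-vulnerabilities file, then install it
# with pkgin. ALLOW_VULNERABLE_PACKAGES=yes in the environment is the only
# accepted override, mirroring the mk.conf knob; unset or NO means refuse.
# Assumption: PKG_DBDIR is the pkgdb given to bootstrap (--pkgdbdir).
gate_install() {
    pkgdb=${PKG_DBDIR:?set PKG_DBDIR to the pkgdb used at bootstrap}
    for pkg in "$@"; do
        # The audit result is taken from the printed lines, not the exit
        # status (assumption: the status is not documented to reflect it).
        report=$(pkg_admin -K "$pkgdb" audit-pkg "$pkg" 2>&1) || true
        if printf '%s\n' "$report" | audit_has_vulns; then
            printf '%s\n' "$report" >&2
            case "${ALLOW_VULNERABLE_PACKAGES:-NO}" in
                [Yy][Ee][Ss])
                    echo "WARNING: installing vulnerable $pkg (ALLOW_VULNERABLE_PACKAGES=yes)" >&2 ;;
                *)
                    echo "REFUSED: $pkg has known vulnerabilities; update it or set ALLOW_VULNERABLE_PACKAGES=yes" >&2
                    return 1 ;;
            esac
        fi
        pkgin -y install "$pkg"
    done
}

# demo: show the parsers on the captured audit text (no pkg_admin needed).
demo() {
    printf 'vulnerability lines: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | count_vulns)"
    printf 'types:\n'
    printf '%s\n' "$SAMPLE_AUDIT" | vuln_types
}

if [ $# -gt 0 ]; then
    gate_install "$@"
else
    demo
fi
```

Run it as `PKG_DBDIR=$LOCALBASE/pkgdb sh gate.sh tcpdump-4.99.5` after `pkg_admin fetch-pkg-vulnerabilities -u`; with no arguments it only exercises the parsers on the captured text. Because the gate is applied to the package name pkgin is about to install, it also covers binary packages built earlier under a pkg-vulnerabilities file that has since been updated, which a build-time check cannot.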