pkgsrc-Bugs archive


Re: PR/59446 CVS commit: pkgsrc/mk



The following reply was made to PR pkg/59446; it has been noted by GNATS.

From: George Georgalis <george%galis.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: pkg-manager%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost, 
	kim%netbsd.org@localhost, Jonathan Perkin <jperkin%pkgsrc.org@localhost>
Subject: Re: PR/59446 CVS commit: pkgsrc/mk
Date: Sat, 31 May 2025 23:30:54 -0700

 
 Works for me, thanks!
 
 ===> Checking for vulnerabilities in tcpdump-4.99.5
 Package tcpdump-4.99.5 has a information-disclosure vulnerability, see
 https://nvd.nist.gov/vuln/detail/CVE-2018-19519
 Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see
 https://nvd.nist.gov/vuln/detail/CVE-2019-1010220
 Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see
 https://nvd.nist.gov/vuln/detail/CVE-2018-19325
 Package tcpdump-4.99.5 has a out-of-bounds-write vulnerability, see
 https://nvd.nist.gov/vuln/detail/CVE-2023-1801
 ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in
 pkg_install.conf(5) if this package is absolutely essential.
 *** Error code 1
 
 Stop.
 bmake[1]: stopped making "all" in /opt/pkgsrc-stable/net/tcpdump
 *** Error code 1
 
 Stop.
 bmake: stopped making "all" in /opt/pkgsrc-stable/net/tcpdump
 
 
 I raised the discussion on tech-pkg but failed to mention a few salient
 points.
 
 I used an LLM to make my comments more concise and clear; I failed to mention
 that, and missed a few language/technical details in my edit, but they are
 not very important. (The LLM is really not clear about "jurisdiction" when it
 comes to site security and the ecosystem of software.)
 
 Focused observations:
 - Per-CVE risk assessment rather than per-package has advantages
 - The separation between pkg_add, pkgin, package repos and
 pkg-vulnerabilities creates potential security blind spots
 - audit trails for security-relevant configuration changes, and/or ATF for
 security feature / unit testing could be helpful
 
 My feeling is pkgsrc should set the right disposition with regard to
 security---as a higher priority than adding/fixing packages---even if the
 final implementation details are left to site administrators, the supported
 security features should work.
 
 In another case, package+CVE exceptions may be needed, since a CVE could
 apply to a lib with zero consequence in one package, and serious liability
 for another... simply adding a per-package exception would create a gap
 if a new CVE introduced liability---more to consider.
 
 Thanks,
 -George
 
 -- 
 George Georgalis, (415) 894-2710, http://www.galis.org/
 
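The package+CVE exception idea from the mail, worked over the audit output it quotes, as an added illustration (not pkgsrc's own code: pkgsrc's real knobs are ALLOW_VULNERABLE_PACKAGES and IGNORE_URL, while the exception sets and the audit() policy below are assumed). It shows why a blanket per-package exception waves through a later CVE that a (package, CVE) pair would still block.

```python
import re

# Constructed sample: the vulnerability-check output quoted in the mail above.
AUDIT_OUTPUT = """\
===> Checking for vulnerabilities in tcpdump-4.99.5
Package tcpdump-4.99.5 has a information-disclosure vulnerability, see
https://nvd.nist.gov/vuln/detail/CVE-2018-19519
Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see
https://nvd.nist.gov/vuln/detail/CVE-2019-1010220
Package tcpdump-4.99.5 has a out-of-bounds-read vulnerability, see
https://nvd.nist.gov/vuln/detail/CVE-2018-19325
Package tcpdump-4.99.5 has a out-of-bounds-write vulnerability, see
https://nvd.nist.gov/vuln/detail/CVE-2023-1801
"""

FINDING_RE = re.compile(r"^Package (\S+) has an? (\S+) vulnerability, see$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_findings(text):
    """Return (pkg-version, kind, CVE) triples from the two-line finding format:
    a 'Package ... has a <kind> vulnerability, see' line, then the URL line."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = FINDING_RE.match(line.strip())
        cve = CVE_RE.search(lines[i + 1])
        if m and cve:
            findings.append((m.group(1), m.group(2), cve.group(0)))
    return findings


def pkg_base(pkg_version):
    """'tcpdump-4.99.5' -> 'tcpdump': split at the first '-' followed by a digit."""
    return re.split(r"-(?=\d)", pkg_version, maxsplit=1)[0]


def audit(text, per_package=frozenset(), per_package_cve=frozenset()):
    """Apply a hypothetical (assumed, not pkgsrc's) exception policy to the output.
    per_package:     package names with a blanket exception; the gap the mail
                     describes, since a CVE published later is waved through too.
    per_package_cve: (package, CVE) pairs accepted after an explicit review.
    Returns {'allowed': [...], 'blocked': [...]} of CVE ids in log order."""
    result = {"allowed": [], "blocked": []}
    for pkg_version, _kind, cve in parse_findings(text):
        base = pkg_base(pkg_version)
        ok = base in per_package or (base, cve) in per_package_cve
        result["allowed" if ok else "blocked"].append(cve)
    return result
```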

