pkgsrc-Users archive


Re: package with security hole not flagged at build time



On Sat, 13 Jan 2007 16:19:51 +0000
Adrian Portelli <adrianp%stindustries.net@localhost> wrote:

> Steven M. Bellovin wrote:
> ...
> >>>           --Steve Bellovin, http://www.cs.columbia.edu/~smb
> >> Just as a matter of interest if you install the package and then
> >> run audit-packages does it pick it up as being vulnerable ?
> >>
> > 
> > Yes...
> > 
> >             --Steve Bellovin, http://www.cs.columbia.edu/~smb
> 
> Hi Steven,
> 
> Just one additional bit of information . . .
> 
> Do you have PKGVULNDIR set anywhere (mk.conf, audit-packages.conf,
> environment) or have you played with it of late ?
> 

No.

But something just occurred to me.  I seem to have *two*
pkg-vulnerabilities files, one in /usr/pkg/share and one
in /usr/pkgsrc/distfiles.  I have no idea why.  Both seem to have been
updated in the last few days, the one in distfiles just now when I
manually ran /etc/security.local (which does nothing but run
download-vulnerability-list and audit-packages, and which of course is
run from cron).  It's almost as if the build process is looking at the
one in /usr/pkg/share -- why, I couldn't tell you.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
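The two-copies situation described above, as an added example that is not part of the thread: a small sh script that resolves the directory audit-packages would read (assumed here to default to /usr/pkg/share when PKGVULNDIR is unset) and reports when a second pkg-vulnerabilities copy has drifted from it. The paths and entries in pkgvuln_demo are constructed for illustration.

```shell
# Added example, not from the thread. Assumes the default location
# /usr/pkg/share when PKGVULNDIR is unset; sample paths and entries in
# pkgvuln_demo are constructed for this illustration.

# Directory audit-packages reads from: PKGVULNDIR if set, else the default.
pkgvuln_dir() {
    printf '%s\n' "${PKGVULNDIR:-/usr/pkg/share}"
}

# Count real entries in one copy (skip blank lines and '#' comments).
pkgvuln_entries() {
    n=$(grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" 2>/dev/null)
    printf '%s\n' "${n:-0}"
}

# Compare two copies. Returns 0 if identical, 1 if they differ (printing
# which copy is stale), 2 if either file is missing.
pkgvuln_compare() {
    a="$1"; b="$2"
    [ -f "$a" ] && [ -f "$b" ] || return 2
    cmp -s "$a" "$b" && return 0
    # test -nt is supported by NetBSD sh, bash and dash
    if [ "$a" -nt "$b" ]; then stale="$b"; newer="$a"; else stale="$a"; newer="$b"; fi
    echo "stale: $stale ($(pkgvuln_entries "$stale") entries); newer: $newer ($(pkgvuln_entries "$newer") entries)"
    return 1
}

# Demo with two constructed copies, mirroring /usr/pkg/share vs
# /usr/pkgsrc/distfiles above. Returns pkgvuln_compare's status.
pkgvuln_demo() {
    tmp=$(mktemp -d) || return 2
    old="$tmp/share/pkg-vulnerabilities"; new="$tmp/distfiles/pkg-vulnerabilities"
    mkdir -p "$tmp/share" "$tmp/distfiles"
    # Entry format: <package pattern> <type of exploit> <URL> (values constructed)
    printf '# constructed sample\nexamplepkg<1.1 remote-code-execution http://example.invalid/adv-1\n' > "$old"
    cp "$old" "$new"
    printf 'examplepkg<1.2 remote-code-execution http://example.invalid/adv-2\n' >> "$new"
    touch -t 200701100000 "$old"   # copy the build looks at, never refreshed
    touch -t 200701130000 "$new"   # copy download-vulnerability-list just wrote
    echo "audit-packages would read: $(pkgvuln_dir)/pkg-vulnerabilities"
    pkgvuln_compare "$old" "$new" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

pkgvuln_demo
```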


