Hello Noryungi,
Noryungi writes:
> [...]
> Just installed pkgsrc-2019Q2, and I get the following message while trying
> to compile "jq" (/dev/jq):
>
> $ bmake && bmake install
> => Bootstrap dependency digest>=20010302: found digest-20160304
> ===> Checking for vulnerabilities in jq-1.6
> Package jq-1.6 has a denial-of-service vulnerability, see
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
> ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in
> pkg_install.conf(5) if this package is absolutely essential.
> *** Error code 1
> Stop.
>
> However, the CVE link provided:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
> points out that this denial-of-service is for jq 1.5, while distinfo (as
> well as the message above) indicate that jq is now version 1.6 in pkgsrc.
>
> Furthermore, reading the different references of the CVE link points to:
> https://github.com/stedolan/jq/issues/1136
>
> ... which itself indicates the issue has been fixed in a commit in
> mid-August 2016.
>
> I think we can safely assume jq 1.6 does not contain the vulnerability
> anymore. I believe the pkgsrc warning should be removed and/or modified to
> reflect these changes.
> [...]
Yes, jq-1.6 addressed that indeed.
However, checking the corresponding entry in pkg-vulnerabilities (the
file that store this information and is used by pkg_admin(1) to report
vulnerable packages):
jq<1.5nb4 denial-of-service http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4074
(and indeed the corresponding patch was backported in jq-1.5 in May
2018).
I think that this entry was still showed because the
pkg-vulnerabilities file was not updated. Can you please (re)run
`pkg_admin fetch-pkg-vulnerabilities' to update it?
Thank you!