Subject: Re: weird output from audit-packages
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Hubert Feyrer <hubert@feyrer.de>
List: tech-pkg
Date: 01/11/2005 14:36:56

On Tue, 11 Jan 2005, Steven M. Bellovin wrote:
> cups<1.1.2[12]* denial-of-service http://www.cups.org/str.php?L104

That's not a valid pkg pattern. Relational operations ("<" etc.) can only
take fixed version numbers to compare against. I'm not sure what's
intended here, but something like cups<1.2.23 will probably DTRT.

An easy way to test if the pattern is ok before committing stuff to the
vulnerability file is to use "pkg_admin pmatch":

miyu% pkg_admin pmatch 'cups<1.1.2[12]*' cups-1.2.2 ; echo $?
pkg_admin: `[' not recognised
pkg_admin: `]' not recognised
pkg_admin: `*' not recognised

If the idea is really to have "anything below 1.1.23" marked as
vulnerable, just use that:

miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.21 ; echo $?
0
miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.22 ; echo $?
0
miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.22nb1 ; echo $?
0
miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.23 ; echo $?
1
miyu% pkg_admin pmatch 'cups<1.1.23' cups-1.1.23nb1 ; echo $?
1

 - Hubert
--
NetBSD - Free AND Open! (And of course secure, portable, yadda yadda)
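
A pre-commit lint for the problem discussed in the message above, as an added example that is not part of the original mail or of pkgsrc. It assumes entries are three whitespace-separated fields (pattern, type, URL) as in the quoted line and that `#` starts a comment; the function names are hypothetical, and it only flags the three characters pkg_admin rejected above, so it complements "pkg_admin pmatch" rather than replacing it.

```shell
#!/bin/sh
# Flag vulnerability-file patterns whose relational version constraint
# contains glob characters ('[', ']', '*'), which a "<"/">" comparison
# cannot take: it needs a fixed version number.

# check_pattern PATTERN -> 0 if acceptable, 1 if a relational pattern
# carries glob characters in its version part.
check_pattern() {
    case "$1" in
        *"<"*|*">"*) ;;      # relational pattern: inspect the version part
        *) return 0 ;;       # plain glob or exact match: nothing to check
    esac
    version="${1#*[<>]}"     # everything after the first '<' or '>'
    case "$version" in
        *"["*|*"]"*|*"*"*) return 1 ;;
    esac
    return 0
}

# lint_vulns: read entries on stdin, report offending lines,
# return non-zero if any were found.
lint_vulns() {
    bad=0
    n=0
    while read -r pattern kind url; do
        n=$((n + 1))
        case "$pattern" in ''|'#'*) continue ;; esac   # blank or comment
        if ! check_pattern "$pattern"; then
            printf 'line %s: relational pattern with glob characters: %s\n' \
                "$n" "$pattern"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input: the entry from the mail, the suggested fix,
# and a made-up plain glob entry (placeholder name and URL).
sample_entries() {
    cat <<'EOF'
# constructed sample entries
cups<1.1.2[12]*    denial-of-service  http://www.cups.org/str.php?L104
cups<1.1.23        denial-of-service  http://www.cups.org/str.php?L104
example-pkg-1.0*   denial-of-service  http://example.org/advisory
EOF
}

sample_entries | lint_vulns || echo "fix the entries above before committing"
```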