Subject: Re: incompatibility between audit-packages and make-time checks
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-security
Date: 02/16/2005 10:59:42
On Tue, Feb 15, 2005 at 01:28:53PM -0500, Steven M. Bellovin wrote:
> There's an incompatibility in how the vulnerability database is checked 
> in pkgsrc Makefiles versus how it's checked in audit-packages.  This is 
> showing up today with mozilla-gtk2; you can do a 'make install' and it 
> will succeed, but audit-packages will flag it. 
> 
> The problem, I believe, is in the definition of a regular expression.  
> The line causing trouble is this:
> 
>    mozilla{,-bin,-gtk2,-gtk2-bin}<=1.7.5           www-address-spoof       http://secunia.com/advisories/14154/

The vulnerability database doesn't use a regular expression in the
sense of re_format(7) or POSIX regexps - it uses its own way of doing
it, such that ordering of version numbers can be checked. Hence the
csh-style alternates, and <=, <, >, >=.

> The check in 'make' is relying on awk and 'pkg_admin pmatch'; the check 
> in audit-packages uses pkg_info to see if something matching that 
> pattern is installed.  Somehow, they're producing different answers.

There's also a fundamental difference between the two checks, in that
the call via pkg_info (for the audit-packages case) is checking an
installed package version against the database.  The check in 'make'
at package build time can't do that, and so it does a "would this
match if it were installed?" style of check.  I thought that they used
the same code path (they do use the same basic matching routines), but
it's been years since I wrote them, and even then they were munged
around by someone else after that.

Having investigated further, I've located the problem.

bsd.pkg.mk does the checks for the vulnerable package in a target called
check-vulnerable. It is basically an invocation of awk:

               ${SETENV} PKGNAME="${PKGNAME}"                          \
                          PKGBASE="${PKGBASE}"                          \
                        ${AWK} '/^$$/ { next }                          \ 
                                /^#.*/ { next }                         \ 
                                $$1 !~ ENVIRON["PKGBASE"] { next }      \ 
                                { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \

The problem area is the line which is used to try to speed up the search by
ignoring packages which don't match the basename of the package (the package
name without any version suffix).

	$$1 !~ ENVIRON["PKGBASE"] { next }

If this line is removed, the check in www/mozilla-gtk2 will work fine, at
the cost of some more cycles at package build time. With caches filled,
the timings are as follows:

[10:52:31] agc@sys3 ...pkgsrc/www/mozilla-gtk2 56 > time make check-vulnerable
0.376u 0.257s 0:00.40 155.0%    0+0k 0+0io 0pf+0w
[10:52:38] agc@sys3 ...pkgsrc/www/mozilla-gtk2 57 >

and

[10:52:04] agc@sys3 ...pkgsrc/www/mozilla-gtk2 54 > time make check-vulnerable
*** WARNING - www-address-spoof vulnerability in mozilla-gtk2-1.7.5 - see http://secunia.com/advisories/14154/ for more information ***
1.803u 1.919s 0:02.54 146.0%    0+0k 0+0io 0pf+0w
[10:52:13] agc@sys3 ...pkgsrc/www/mozilla-gtk2 55 >

Admittedly, this is on a fairly fast machine - 2.8 GHz P4, 2 GB RAM.

However, in the interests of correctness, I'll disable the incorrect
check for just now.

Regards,
Alistair
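The prefilter mismatch described in this thread, shown as an added example that is not code from the message or from pkgsrc: the first function is the check-vulnerable prefilter as quoted above, the second expands the csh-style alternates in the first field before comparing base names. The pkg-vulnerabilities lines are constructed samples, and POSIX sh plus awk are assumed.

```shell
# Constructed stand-in for pkg-vulnerabilities (not the real database file).
sample_db() {
    printf '%s\n' \
        '# package                              type                    url' \
        'mozilla{,-bin,-gtk2,-gtk2-bin}<=1.7.5  www-address-spoof       http://secunia.com/advisories/14154/' \
        'mozilla-gtk2<1.6                       example-other           http://example.invalid/constructed'
}

# Prefilter as in check-vulnerable: drop lines whose first field does not match
# PKGBASE as an awk regex. Prints the first field of every line it would keep.
# "mozilla-gtk2" never occurs literally inside "mozilla{,-bin,-gtk2,...}", so the
# brace-alternate line is skipped before pmatch ever sees it.
naive_prefilter() {   # $1 = PKGBASE
    sample_db | PKGBASE="$1" awk '
        /^$/ { next }
        /^#.*/ { next }
        $1 !~ ENVIRON["PKGBASE"] { next }
        { print $1 }'
}

# Corrected prefilter: expand csh-style {a,b,c} alternates in the first field,
# strip the version comparison, and keep the line if any expansion equals PKGBASE.
expanded_prefilter() {   # $1 = PKGBASE
    sample_db | PKGBASE="$1" awk '
        function expand(pat, out,   pre, body, post, n, alts, i) {
            if (!match(pat, /[{][^{}]*[}]/)) { out[pat] = 1; return }
            pre  = substr(pat, 1, RSTART - 1)
            body = substr(pat, RSTART + 1, RLENGTH - 2)
            post = substr(pat, RSTART + RLENGTH)
            n = split(body, alts, ",")      # empty alternative "" is kept
            for (i = 1; i <= n; i++) expand(pre alts[i] post, out)
        }
        /^$/ { next }
        /^#.*/ { next }
        {
            split("", names); expand($1, names); hit = 0
            for (p in names) {
                base = p; sub(/[<>=].*/, "", base)   # drop the version comparison
                if (base == ENVIRON["PKGBASE"]) hit = 1
            }
            if (hit) print $1
        }'
}
```

Run `naive_prefilter mozilla-gtk2` and `expanded_prefilter mozilla-gtk2` to see the first drop the mozilla{...} line and the second keep it.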