Re: package with security hole not flagged at build time

[Adrian Portelli <adrianp%stindustries.net@localhost>]

Steven M. Bellovin wrote:
> No.
> 
> But something just occurred to me.  I seem to have *two*
> pkg-vulnerabilities files, one in /usr/pkg/share and one
> in /usr/pkgsrc/distfiles.  I have no idea why.  Both seem to have been
> updated in the last few days, the one in distfiles just now when I
> manually ran /etc/security.local (which does nothing but run
> download-vulnerability-list and audit-packages, and which of course is
> run from cron).  It's almost as if the build process is looking at the
> one in /usr/pkg/share -- why, I couldn't tell you.)
> 
> 
>               --Steve Bellovin, http://www.cs.columbia.edu/~smb

I thought it might be something like that.  Unfortunately I think
there's a bit of a disconnect between security/audit-packages and the
pkgsrc infrastructure ATM when it comes to the location of the
pkg-vulnerabilities file.

I'd suggest you decide where you want the pkg-vulnerabilities file to
live and then set it via PKGVULNDIR= in _both_ your mk.conf and
${PKG_SYSCONFDIR}/audit-packages.conf.  That will ensure the pkgsrc
infrastructure and audit-packages use the same file.  Then ${RM} any
existing pkg-vulnerability files and run download-vulnerability-list(8)
again.  Just check it's landed in the right place (the CVS Id should be
v 1.1839) and try a 'make extract' on mail/fetchmail and it should bail
with an error.

I'm in the middle of a rather large update to audit-packages ATM and I
hope to sort this out when I commit it.

adrian.