Subject: pkg/21572: pkgsrc gives bogus assurances of security
To: None <gnats-bugs@gnats.netbsd.org>
From: None <kre@munnari.OZ.AU>
List: netbsd-bugs
Date: 05/14/2003 18:11:03
>Number: 21572
>Category: pkg
>Synopsis: pkgsrc gives bogus assurances of security
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 14 11:14:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Robert Elz
>Release: NetBSD 1.6S - pkgsrc of 2003-05-14
>Organization:
Prince of Songkla University
>Environment:
System: NetBSD delta.cs.mu.OZ.AU 1.6L NetBSD 1.6L (DELTA) #29: Fri Jan 10 11:40:50 ICT 2003 kre@fuchsia.cs.mu.OZ.AU:/usr/obj/sys/DELTA i386
(the system send-pr is being run on, not otherwise relevant)
Architecture: i386
Machine: i386
>Description:
Every time a new package is being installed using pkgsrc
the message
===> Checking for vulnerabilities in <whatever>
is printed (unless ALLOW_VULNERABLE_PACKAGES is defined of course).
That suggests that pkgsrc is actually checking for vulnerabilities,
and if it goes on, without further complaint, then the package being
installed has no known vulnerabilities.
That's not necessarily true - the check only gets made if
${PKGVULNDIR}/vulnerabilities exists. If it doesn't, then
pkgsrc claims it is checking for vulnerabilities, but doesn't,
giving a false sense of security.
>How-To-Repeat:
Be on a system with no vulnerabilities data, install any
random pkgsrc package, and watch.
>Fix:
The "right" way would probably be to move the
${ECHO_MSG} "${_PKGSRC_IN}> Checking for vulnerabilities in ${PKGNAME}"
to inside the check-vulnerable target, after the test for the
vulnerability data existing has been made. But that would
totally screw up the way that output redirections are being used.
The "easy" way is to test that the vulnerability data file exists
before doing the "echo" (perhaps moving it from check-vulnerable
to do-fetch rather than doing it twice, though that would be a risk
should anyone ever want to use check-vulnerable from elsewhere).
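As an added illustration of the "easy" fix described above (this is not pkgsrc's own bsd.pkg.mk, and pkg/21572 contains no code beyond the ECHO_MSG line quoted), the shell sketch below tests that ${PKGVULNDIR}/vulnerabilities exists before printing "Checking for vulnerabilities", and prints an explicit warning instead when no check can be made. The data file format (package-pattern, exploit type, URL per line) and the glob matching of PKGNAME against the pattern are assumptions made for the example, not pkgsrc's real matching rules; the sample entries are constructed.

```shell
#!/bin/sh
# Added example for PR pkg/21572; not pkgsrc's bsd.pkg.mk.  The point is
# that the "Checking for vulnerabilities" message is only printed once
# the data file is known to exist, so a silent pass can never mean
# "the check was skipped".
#
# Assumed (not from the PR) simplified data file format:
#   package-pattern  exploit-type  url
# one entry per line, '#' comments allowed, PKGNAME matched against
# package-pattern as a shell glob.  Real pkgsrc matching is richer.

# check_vulnerable PKGVULNDIR PKGNAME
# Exit status: 0 = data present and no known vulnerability
#              1 = data file missing, so NO check was made
#              2 = PKGNAME matches an entry in the data file
check_vulnerable() {
    vulndir=$1
    pkgname=$2
    vulnfile="$vulndir/vulnerabilities"

    # Decide whether a check is possible BEFORE announcing one.
    if [ ! -f "$vulnfile" ]; then
        echo "WARNING: $vulnfile not found; NOT checking for vulnerabilities in $pkgname" >&2
        return 1
    fi

    echo "===> Checking for vulnerabilities in $pkgname"
    while read -r pattern type url; do
        # skip blank lines and comments
        case $pattern in ''|\#*) continue ;; esac
        # unquoted $pattern is matched as a glob (assumed matching rule)
        case $pkgname in
            $pattern)
                echo "*** WARNING: $pkgname has a $type vulnerability, see $url" >&2
                return 2
                ;;
        esac
    done < "$vulnfile"
    return 0
}

# make_sample_vulndir: create a temporary PKGVULNDIR holding a constructed
# vulnerabilities file and print its path (the caller removes it).
make_sample_vulndir() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/vulnerabilities" <<'EOF'
# constructed sample entries, not real advisories
foo-1.*         remote-root-shell   http://example.invalid/advisory-foo
baz-[0-9].[0-9] local-file-read     http://example.invalid/advisory-baz
EOF
    printf '%s\n' "$dir"
}

# Demonstration of the three outcomes; nothing is installed.
sample=$(make_sample_vulndir)
for pkg in bar-2.0 foo-1.2nb3; do
    check_vulnerable "$sample" "$pkg"; echo "  -> status $?"
done
check_vulnerable "$sample/missing" foo-1.2nb3; echo "  -> status $?"
rm -rf "$sample"
```

With the data file absent the function prints a WARNING on stderr and never prints the "Checking" line, which is exactly the distinction the PR asks for; a Makefile version would put the same `[ -f ${PKGVULNDIR}/vulnerabilities ]` test in front of the ${ECHO_MSG} in do-fetch or check-vulnerable.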
>Release-Note:
>Audit-Trail:
>Unformatted: