Subject: pkg/33253: security/audit-packages: small cleanups
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: Auster <lrou@rtk0.lneuro.x.ua>
List: pkgsrc-bugs
Date: 04/13/2006 17:15:00
>Number:         33253
>Category:       pkg
>Synopsis:       security/audit-packages: small cleanups
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 13 17:15:00 +0000 2006
>Originator:     Auster
>Release:        NetBSD 3.99.17
>Organization:
>Environment:
System: NetBSD lrou.x.ua 3.99.17 NetBSD 3.99.17 (lrou-1.740) #1: Mon Apr 10 17:07:09 EEST 2006 root@lrou.x.ua:/usr/src/sys/arch/i386/compile/lrou i386
Architecture: i386
Machine: i386
>Description:
	small cleanups in security/audit-packages

>How-To-Repeat:

% man 8 audit-packages
[snip]
	-i [vulnid:vulnid|pkgpat:pattern]
		Specify a list of vulnerabilities or packages to ignore.


for example: audit lang/sun-jre14, multimedia/mplayer

% audit-packages
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
Package mplayer-1.0rc7nb9 has a heap-overflow vulnerability (vulnid:1811), see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579

% audit-packages -i vulnid:1122 -i vulnid:1570 -i 'pkgpat:mplayer*'
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/

% audit-packages -i 1122 -i 1570 -i 'pkgpat:mplayer*'
%

% audit-packages -i 'vulnid:1122 vulnid:1570 pkgpat:mplayer*'
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/

% audit-packages -i '1122 1570 pkgpat:mplayer*'
%


>Fix:

1) audit-packages(8)
	-     -i [vulnid:vulnid|pkgpat:pattern]
	-		Specify a list of vulnerabilities or packages to ignore.
	+     -i IGNORELIST
	+		Specify a list of tokens to ignore. Token(s) takes the form:
	+     			vulnid|pkgpat:pattern [vulnid|pkgpat:pattern ...]

	+ # proposition
	+	Note: `dvi' options can also be configured via
	+	configuration items in audit-packages.conf.
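Review bot: "Token(s) takes the form" should read "Each token takes the form"; and since the transcript above shows that `-i vulnid:1122` is accepted yet filters nothing while `-i 1122` works, dropping the `vulnid:` prefix from the synopsis is the right fix, but the new text should say outright that a vulnerability is given as a bare vulnid number, because readers of the old page will keep typing the prefix. In the proposed note, spell out the three option letters (-d, -v, -i) instead of the `dvi' shorthand, which is not obvious out of context.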


2) sbin/audit-packages 
	--- /usr/pkg/sbin/audit-packages
	+++ /usr/pkg/sbin/audit-packages.4example
	@@ -48,7 +48,7 @@
 		argv0="${1##*/}"
 		cat <<EOF
	 $2
	-Usage: $argv0 [-dv] [-i vulnid:id|pkgpat:pattern]
	+Usage: $argv0 [-dv] [-i ignorelist]
	 		     [-K pkg_dbdir] [-p package]
	     -d : Run download-vulnerability-list before anything else.
	     -i : Ignore packages matching one of the specified vulnerabilities,
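Review bot: the usage line now advertises `-i ignorelist`, but the `-i :` help text that follows it in the same message (`Ignore packages matching one of the specified vulnerabilities,`) still describes the old per-token form; update it to state the `vulnid|pkgpat:pattern [...]` list syntax so the usage message and the man page change in item 1 agree.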
	@@ -61,6 +61,9 @@
 		exit 1
	 }
 
	+download=no
	+verbose=no
	+ignore_list=
	 settingsmsg=""
	 if [ -r /usr/pkg/etc/audit-packages.conf ]; then
 		settingsmsg="Reading settings from /usr/pkg/etc/audit-packages.conf"
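Review bot: initialising `download`, `verbose` and `ignore_list` before audit-packages.conf is read is what allows the conf file to set them, but the option parsing that later handles `-i` is outside this hunk; verify that it appends to `ignore_list` rather than assigning to it, otherwise a command-line `-i` silently discards an `ignore_list=` configured in the file and the two sources cannot be combined.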
	@@ -69,9 +72,6 @@
 
	 vuls="${PKGVULNDIR}/pkg-vulnerabilities"
 
	-download=no
	-verbose=no
	-ignore_list=
	 pkg_patterns=
	 vulnids=
	 one_package=
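Review bot: this removal is the other half of the previous hunk and the two must go in together: left in place, these three assignments would overwrite any `download=`, `verbose=` or `ignore_list=` value just read from audit-packages.conf a few lines earlier. `pkg_patterns`, `vulnids` and `one_package` staying initialised here is consistent with the proposed conf file in item 3 not offering them as settings.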



3) examples/audit-packages/audit-packages.conf

	# download=yes
	#	Run download-vulnerability-list before anything else.

	# verbose=yes
	# 	Verbose mode

	# ignore_list="vulnid|pkgpat:pattern [vulnid|pkgpat:pattern ..]"
	#	Ignore packages matching one of the specified vulnerabilities,
	#	or matching one of the provided patterns.
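The ignore-list token syntax proposed in items 1 and 3, and the conf-file/command-line merging that the moved defaults in item 2 make possible, worked through as an added POSIX sh example. This is not code from audit-packages or from the PR: the report lines are constructed from the transcript's format, the function names (classify_token, parse_ignore_list, merge_ignore_lists, is_ignored, filter_report) are mine, and tolerating the old `vulnid:N` spelling is my own choice; the real script's parsing is not shown in the PR.

```sh
#!/bin/sh
# Added example, not part of audit-packages: parse an ignore list written as
#   vulnid|pkgpat:pattern [vulnid|pkgpat:pattern ...]
# (the syntax the PR proposes for -i and for ignore_list= in the conf file),
# merge the conf-file and command-line sources, and apply the result to
# audit-packages report lines.

# Constructed sample report, using the line format from the PR transcript.
SAMPLE_REPORT='Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
Package mplayer-1.0rc7nb9 has a heap-overflow vulnerability (vulnid:1811), see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579'

# Normalise one token to "vulnid N" or "pkgpat PATTERN" on stdout.
# A bare number is a vulnid (the form the script accepts in the transcript);
# the "vulnid:N" spelling that the old man page documented is tolerated too
# (my choice), so a user following the old page does not end up with a
# filter that silently ignores nothing.  Anything else is an error (status 1).
classify_token() {
	case "$1" in
	pkgpat:?*)	printf 'pkgpat %s\n' "${1#pkgpat:}" ;;
	vulnid:*)	classify_token "${1#vulnid:}" ;;
	'' | *[!0-9]*)	printf 'bad ignore token: "%s"\n' "$1" >&2; return 1 ;;
	*)		printf 'vulnid %s\n' "$1" ;;
	esac
}

# Validate a whole list, printing the normalised tokens one per line.
# Globbing is switched off while the list is word-split: pkgpat:mplayer*
# must never be expanded against files in the current directory.
parse_ignore_list() {
	_status=0
	set -f
	for _tok in $1; do
		classify_token "$_tok" || _status=1
	done
	set +f
	return $_status
}

# Combine the conf-file value with the -i values given on the command line,
# conf first; each -i simply appends, so neither source clobbers the other.
merge_ignore_lists() {
	_merged=
	for _part in "$@"; do
		[ -n "$_part" ] || continue
		_merged="${_merged:+$_merged }$_part"
	done
	printf '%s\n' "$_merged"
}

# Return 0 if package $1 / vulnid $2 is covered by ignore list $3.
# pkgpat patterns are shell globs matched against the package name, as in
# the transcript's -i 'pkgpat:mplayer*'.
is_ignored() {
	_hit=1
	set -f
	for _tok in $3; do
		_rule=$(classify_token "$_tok") || continue
		_kind=${_rule%% *}; _val=${_rule#* }
		case "$_kind" in
		vulnid)	if [ "$2" = "$_val" ]; then _hit=0; fi ;;
		pkgpat)	case "$1" in $_val) _hit=0 ;; esac ;;
		esac
	done
	set +f
	return $_hit
}

# Read report lines on stdin; print those not covered by ignore list $1.
# A malformed list is rejected up front instead of partially applied.
filter_report() {
	parse_ignore_list "$1" >/dev/null || return 1
	while IFS= read -r _line; do
		_pkg=${_line#Package }; _pkg=${_pkg%% *}
		_id=${_line##*"(vulnid:"}; _id=${_id%%")"*}
		if is_ignored "$_pkg" "$_id" "$1"; then continue; fi
		printf '%s\n' "$_line"
	done
}

# Conf file provides ignore_list="1122" and the user adds -i 'pkgpat:mplayer*':
ignore_list=$(merge_ignore_lists "1122" "pkgpat:mplayer*")
printf '%s\n' "$SAMPLE_REPORT" | filter_report "$ignore_list"
# prints only the vulnid:1570 line
```

Rejecting an unknown token rather than skipping it is deliberate: the transcript shows that an unrecognised `vulnid:` spelling is currently accepted and then matches nothing, which leaves the advisory visible but gives the user no hint that the filter was ineffective.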