Subject: pkg/33253: security/audit-packages: small cleanups
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: Auster <lrou@rtk0.lneuro.x.ua>
List: pkgsrc-bugs
Date: 04/13/2006 17:15:00
>Number: 33253
>Category: pkg
>Synopsis: security/audit-packages: small cleanups
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Apr 13 17:15:00 +0000 2006
>Originator: Auster
>Release: NetBSD 3.99.17
>Organization:
>Environment:
System: NetBSD lrou.x.ua 3.99.17 NetBSD 3.99.17 (lrou-1.740) #1: Mon Apr 10 17:07:09 EEST 2006 root@lrou.x.ua:/usr/src/sys/arch/i386/compile/lrou i386
Architecture: i386
Machine: i386
>Description:
small cleanups in security/audit-packages
>How-To-Repeat:
% man 8 audit-packages
[snip]
-i [vulnid:vulnid|pkgpat:pattern]
Specify a list of vulnerabilities or packages to ignore.
For example, auditing lang/sun-jre14 and multimedia/mplayer:
% audit-packages
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
Package mplayer-1.0rc7nb9 has a heap-overflow vulnerability (vulnid:1811), see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579
% audit-packages -i vulnid:1122 -i vulnid:1570 -i 'pkgpat:mplayer*'
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
% audit-packages -i 1122 -i 1570 -i 'pkgpat:mplayer*'
%
% audit-packages -i 'vulnid:1122 vulnid:1570 pkgpat:mplayer*'
Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
% audit-packages -i '1122 1570 pkgpat:mplayer*'
%
>Fix:
1) audit-packages(8)
- -i [vulnid:vulnid|pkgpat:pattern]
- Specify a list of vulnerabilities or packages to ignore.
+ -i IGNORELIST
+ Specify a list of tokens to ignore. Token(s) takes the form:
+ vulnid|pkgpat:pattern [vulnid|pkgpat:pattern ...]
+ # proposition
+ Note: `dvi' options can also be configured via
+ configuration items in audit-packages.conf.
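Review bot: the new `-i IGNORELIST` text drops the `vulnid:` prefix without saying what the script does with it, yet the How-To-Repeat transcript shows `-i vulnid:1122 -i vulnid:1570` being silently ignored (both sun-jre14 entries are still reported) while bare `-i 1122 -i 1570` works; an ignore token that quietly matches nothing is the worst failure mode for this option, so the manual page should state explicitly that only bare numeric ids are recognised, or the script should accept the prefix (or at least reject unknown tokens). Grammar on the `+` line: "Token(s) takes the form:" should read "Tokens take the form:". The proposed note about `dvi' options should name them as `-d`, `-v` and `-i` and give the matching variables (`download`, `verbose`, `ignore_list`) so it lines up with the audit-packages.conf example in item 3.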
2) sbin/audit-packages
--- /usr/pkg/sbin/audit-packages
+++ /usr/pkg/sbin/audit-packages.4example
@@ -48,7 +48,7 @@
argv0="${1##*/}"
cat <<EOF
$2
-Usage: $argv0 [-dv] [-i vulnid:id|pkgpat:pattern]
+Usage: $argv0 [-dv] [-i ignorelist]
[-K pkg_dbdir] [-p package]
-d : Run download-vulnerability-list before anything else.
-i : Ignore packages matching one of the specified vulnerabilities,
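Review bot: the synopsis changes to `[-i ignorelist]`, but the `-i :` help text in the trailing context line still reads `Ignore packages matching one of the specified vulnerabilities,` and never says that the argument is a whitespace-separated list of bare vulnerability ids and `pkgpat:pattern` tokens, nor that `-i` may be repeated; update that line in the same patch so the usage message agrees with the new manual page text rather than with the old `vulnid:id` spelling.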
@@ -61,6 +61,9 @@
exit 1
}
+download=no
+verbose=no
+ignore_list=
settingsmsg=""
if [ -r /usr/pkg/etc/audit-packages.conf ]; then
settingsmsg="Reading settings from /usr/pkg/etc/audit-packages.conf"
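Review bot: moving the `download=no`, `verbose=no` and `ignore_list=` defaults above the point where `/usr/pkg/etc/audit-packages.conf` is read is the right fix, because assigning the defaults after the file is read would clobber whatever it set. Two things the hunk does not show and that should be confirmed: how the `-i` handler combines a command-line list with a config-supplied `ignore_list` (appending is what a user would expect; silently overwriting the file's entries, or the reverse, is a surprise), and, if the file is sourced as shell as "Reading settings from" suggests, that a multi-token `ignore_list` must be one quoted string, as item 3's example shows. Style: the conf path is hard-coded as `/usr/pkg/etc` instead of being derived from the installation's sysconfdir.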
@@ -69,9 +72,6 @@
vuls="${PKGVULNDIR}/pkg-vulnerabilities"
-download=no
-verbose=no
-ignore_list=
pkg_patterns=
vulnids=
one_package=
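Review bot: `pkg_patterns=` and `vulnids=` remain initialised here, after the config file is read, so the file can only influence them through `ignore_list`; check that the code which later splits `ignore_list` into those two variables runs after option parsing in all cases, so a config-supplied list is honoured when no `-i` is given on the command line.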
3) examples/audit-packages/audit-packages.conf
# download=yes
# Run download-vulnerability-list before anything else.
# verbose=yes
# Verbose mode
# ignore_list="vulnid|pkgpat:pattern [vulnid|pkgpat:pattern ..]"
# Ignore packages matching one of the specified vulnerabilities,
# or matching one of the provided patterns.
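As an added example (not part of this PR and not pkgsrc's own audit-packages script), the following POSIX sh models the ignore-list semantics the PR documents: whitespace-separated tokens, bare numeric vulnerability ids, and pkgpat: shell patterns, applied to the three report lines from the transcript above (constructed input). It goes beyond the PR in two assumed ways: it also accepts the vulnid: prefix from the old manual page, and it rejects unrecognised tokens with an error instead of dropping them silently, which is what the transcript shows the real script doing with vulnid:1122. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from this PR or from pkgsrc's audit-packages:
# a POSIX-sh model of the ignore-list token handling the PR documents.
# Tokens are whitespace separated; a bare number is a vulnerability id and
# "pkgpat:PATTERN" is a shell glob matched against the package name.
# ASSUMPTION (goes beyond the PR): the "vulnid:NNNN" spelling from the old
# manual page is accepted as well, and any other token is rejected instead
# of being silently dropped as the transcript shows the real script doing.

# Ignore tokens are shell patterns; never let the shell expand them against
# the current directory when they are word-split in the loops below.
set -f

is_vulnid() {                       # true if $1 is a non-empty run of digits
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# parse_ignore_list LIST -> fills IGN_VULNIDS and IGN_PKGPATS (space separated)
parse_ignore_list() {
    IGN_VULNIDS=
    IGN_PKGPATS=
    for tok in $1; do
        case $tok in
            vulnid:*)  id=${tok#vulnid:} ;;
            pkgpat:?*) IGN_PKGPATS="$IGN_PKGPATS${IGN_PKGPATS:+ }${tok#pkgpat:}"
                       continue ;;
            *)         id=$tok ;;
        esac
        if is_vulnid "$id"; then
            IGN_VULNIDS="$IGN_VULNIDS${IGN_VULNIDS:+ }$id"
        else
            printf 'unrecognised ignore token: %s\n' "$tok" >&2
            return 1
        fi
    done
}

# should_ignore PKGNAME VULNID -> exit status 0 if the pair is to be suppressed
should_ignore() {
    for v in $IGN_VULNIDS; do
        if [ "$v" = "$2" ]; then return 0; fi
    done
    for p in $IGN_PKGPATS; do
        case $1 in $p) return 0 ;; esac
    done
    return 1
}

# filter_report: read audit-packages output on stdin and print the lines that
# survive the ignore list; lines in any other shape are passed through.
filter_report() {
    while IFS= read -r line; do
        case $line in
            "Package "*" (vulnid:"*")"*)
                pkg=${line#Package }; pkg=${pkg%% *}
                id=${line#*\(vulnid:}; id=${id%%\)*}
                if should_ignore "$pkg" "$id"; then continue; fi ;;
        esac
        printf '%s\n' "$line"
    done
}

# Constructed sample input: the three report lines from the PR transcript.
SAMPLE_REPORT='Package sun-jre14-2.11 has a local-file-write vulnerability (vulnid:1122), see http://secunia.com/advisories/14902/
Package sun-jre14-2.11 has a denial-of-service vulnerability (vulnid:1570), see http://secunia.com/advisories/17478/
Package mplayer-1.0rc7nb9 has a heap-overflow vulnerability (vulnid:1811), see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579'

# Demo: the list the PR typed (with one prefixed id), then a narrower one.
parse_ignore_list '1122 vulnid:1570 pkgpat:mplayer*'
printf '%s\n' "$SAMPLE_REPORT" | filter_report     # prints nothing: all suppressed
parse_ignore_list '1122'
printf '%s\n' "$SAMPLE_REPORT" | filter_report     # prints the 1570 and 1811 lines
```

The `set -f` matters: the loops word-split strings that contain patterns such as `mplayer*`, and without globbing disabled the shell would expand them against the current directory before they ever reach `case`.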