Subject: Re: incompatibility between audit-packages and make-time checks
To: Alistair Crooks <agc@pkgsrc.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 02/16/2005 09:21:15
In message <20050216105942.GA5957@nef.pbox.org>, Alistair Crooks writes:
>
>Having investigated further, I've located the problem.
>
>bsd.pkg.mk does the checks for the vulnerable package in a target called
>check-vulnerable. It is basically an invocation of awk:
>
> ${SETENV} PKGNAME="${PKGNAME}" \
> PKGBASE="${PKGBASE}" \
> ${AWK} '/^$$/ { next } \
> /^#.*/ { next } \
> $$1 !~ ENVIRON["PKGBASE"] { next } \
> { s = sprintf("${PKG_ADMIN} pmatch \"%s\" %s && ${ECHO} \"*** WARNING - %s vulnerability in %s - see %s for more information ***\"", $$1, ENVIRON["PKGNAME"], $$2, ENVIRON["PKGNAME"], $$3); system(s); }' < ${PKGVULNDIR}/pkg-vulnerabilities || ${FALSE}; \
>
>The problem area is the line which is used to try to speed up the search by
>ignoring packages which don't match the basename of the package (the package
>name without any version suffix).
>
> $$1 !~ ENVIRON["PKGBASE"] { next }
>
>If this line is removed, the check in www/mozilla-gtk2 will work fine, at
>the cost of some more cycles at package build time. With caches filled,
>the timings are as follows:
>
>[10:52:31] agc@sys3 ...pkgsrc/www/mozilla-gtk2 56 > time make check-vulnerable
>0.376u 0.257s 0:00.40 155.0% 0+0k 0+0io 0pf+0w
>[10:52:38] agc@sys3 ...pkgsrc/www/mozilla-gtk2 57 >
>
>and
>
>[10:52:04] agc@sys3 ...pkgsrc/www/mozilla-gtk2 54 > time make check-vulnerable
>*** WARNING - www-address-spoof vulnerability in mozilla-gtk2-1.7.5 - see http://secunia.com/advisories/14154/ for more information ***
>1.803u 1.919s 0:02.54 146.0% 0+0k 0+0io 0pf+0w
>[10:52:13] agc@sys3 ...pkgsrc/www/mozilla-gtk2 55 >
>
>Admittedly, this is on a fairly fast machine - 2.8 GHz P4, 2 GB RAM.
>
>However, in the interests of correctness, I'll disable the incorrect
>check for just now.
Thanks. I was suspicious of that statement but didn't spot the flaw.
I think that the optimization can be restored, if you wish, by making
it conditional on $1 not having any metacharacters.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
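An added illustration of the two prefilter variants, written for this thread and not part of the original mail or of bsd.pkg.mk: it runs the quoted awk prefilter over a constructed pkg-vulnerabilities sample, first as quoted above and then made conditional on the pattern field containing no metacharacters (the metacharacter set `{ } * ? [ ]` is an assumption), printing the surviving patterns instead of calling pkg_admin pmatch so the filter's effect is visible on its own.

```shell
#!/bin/sh
# Constructed pkg-vulnerabilities sample (pattern, vulnerability type, URL).
# Not the real pkgsrc file; the brace pattern is the shape that defeats the
# prefilter quoted in the thread.
SAMPLE_VULNS='# constructed sample

mozilla{,-gtk2}<1.7.6 www-address-spoof http://secunia.com/advisories/14154/
mozilla-gtk2<1.7.4 arbitrary-code-execution http://example.invalid/older
firefox<1.0.1 www-address-spoof http://example.invalid/firefox'

# Prefilter as in the quoted bsd.pkg.mk target: drop entries whose pattern
# field does not regex-match PKGBASE. Prints surviving patterns instead of
# running "pkg_admin pmatch", so the effect of the filter alone is visible.
naive_prefilter() {   # usage: naive_prefilter PKGBASE < pkg-vulnerabilities
    PKGBASE="$1" awk '/^$/ { next }
        /^#.*/ { next }
        $1 !~ ENVIRON["PKGBASE"] { next }
        { print $1 }'
}

# Prefilter made conditional as suggested in the reply: a pattern carrying
# brace or glob metacharacters (assumed set: { } * ? [ ]) always reaches
# pmatch; only plain patterns get the cheap substring test.
conditional_prefilter() {   # usage: conditional_prefilter PKGBASE < pkg-vulnerabilities
    PKGBASE="$1" awk '/^$/ { next }
        /^#.*/ { next }
        $1 ~ /[][{}*?]/ { print $1; next }
        $1 !~ ENVIRON["PKGBASE"] { next }
        { print $1 }'
}

# Wrappers over the constructed sample.
naive_for()       { printf '%s\n' "$SAMPLE_VULNS" | naive_prefilter "$1"; }
conditional_for() { printf '%s\n' "$SAMPLE_VULNS" | conditional_prefilter "$1"; }

# Stand-alone demonstration for PKGBASE=mozilla-gtk2: the naive variant
# never hands the mozilla{,-gtk2} entry to pmatch at all.
echo '== naive prefilter =='; naive_for mozilla-gtk2
echo '== conditional prefilter =='; conditional_for mozilla-gtk2
```

For PKGBASE=mozilla-gtk2 the naive variant keeps only `mozilla-gtk2<1.7.4`, while the conditional one also passes `mozilla{,-gtk2}<1.7.6` through to pmatch.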