[Bug 286455] pkg-audit(8) listing false positives for librewolf v137.0.2 with "vuln.xml" of 20250425
Date: Sun, 01 Jun 2025 14:24:00 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286455
Mark Millard <marklmi26-fbsd@yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |marklmi26-fbsd@yahoo.com
--- Comment #11 from Mark Millard <marklmi26-fbsd@yahoo.com> ---
(In reply to ax61 from comment #9)
When the port epochs are different, the port version is
not used at all: the epoch difference then overrides any
version check.
From
https://github.com/freebsd/pkg/blob/main/libpkg/pkg_version.c :
/*
 * version_cmp(pkg1, pkg2) returns -1, 0 or 1 depending on if the version
 * components of pkg1 is less than, equal to or greater than pkg2. No
 * comparison of the basenames is done.
 *
 * The port version is defined by:
 * ${PORTVERSION}[_${PORTREVISION}][,${PORTEPOCH}]
 * ${PORTEPOCH} supersedes ${PORTVERSION} supersedes ${PORTREVISION}.
 * See the commit log for revision 1.349 of ports/Mk/bsd.port.mk
 * for more information.
 *
 * The epoch and revision are defined to be a single number, while the rest
 * of the version should conform to the porting guidelines. It can contain
 * multiple components, separated by a period, including letters.
 *
 * The tests allow for significantly more latitude in the version numbers
 * than is allowed in the guidelines. No point in enforcing them here.
 * That's what portlint is for.
 *
 * Jeremy D. Lea.
 * reimplemented by Oliver Eikemeier
 */
int
pkg_version_cmp(const char * const pkg1, const char * const pkg2)
{
	const char *v1, *v2, *ve1, *ve2;
	unsigned long e1, e2, r1, r2;
	int result = 0;

	v1 = split_version(pkg1, &ve1, &e1, &r1);
	v2 = split_version(pkg2, &ve2, &e2, &r2);
	assert (v1 != NULL && v2 != NULL);

	/* Check epoch, port version, and port revision, in that order. */
	if (e1 != e2)
		result = (e1 < e2 ? -1 : 1);
	. . .
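The ordering rule quoted in the comment above, as an added example that is not part of the original message and is not libpkg's code. The helper names (split, cmp_dotted, ver_cmp) are hypothetical, the version strings are constructed, and only numeric dotted versions are handled; the point is that a version with no epoch compares below any bound that carries one, whatever the PORTVERSION says.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added sketch, not libpkg's code: ${PORTVERSION}[_${PORTREVISION}][,${PORTEPOCH}] */
struct ver { char v[64]; unsigned long rev, epoch; };

static struct ver split(const char *s)
{
    struct ver out = { "", 0, 0 };
    const char *comma = strrchr(s, ','), *us = strrchr(s, '_');
    size_t n = us ? (size_t)(us - s) : comma ? (size_t)(comma - s) : strlen(s);

    if (comma) out.epoch = strtoul(comma + 1, NULL, 10); /* missing epoch = 0 */
    if (us) out.rev = strtoul(us + 1, NULL, 10);         /* missing revision = 0 */
    if (n >= sizeof(out.v)) n = sizeof(out.v) - 1;
    memcpy(out.v, s, n);
    out.v[n] = '\0';
    return out;
}

/* Numeric component-wise compare; other characters are skipped (simplification). */
static int cmp_dotted(const char *a, const char *b)
{
    while (*a || *b) {
        char *ea, *eb;
        unsigned long x = strtoul(a, &ea, 10), y = strtoul(b, &eb, 10);
        if (x != y) return x < y ? -1 : 1;
        a = (*ea == '.' || (ea == a && *a)) ? ea + 1 : ea;
        b = (*eb == '.' || (eb == b && *b)) ? eb + 1 : eb;
    }
    return 0;
}

/* Epoch first; PORTVERSION is only consulted when the epochs are equal. */
int ver_cmp(const char *s1, const char *s2)
{
    struct ver a = split(s1), b = split(s2);
    int r;
    if (a.epoch != b.epoch) return a.epoch < b.epoch ? -1 : 1;
    if ((r = cmp_dotted(a.v, b.v)) != 0) return r;
    return a.rev == b.rev ? 0 : (a.rev < b.rev ? -1 : 1);
}

int main(void)
{
    /* Constructed inputs: installed version without epoch vs. a bound with epoch 1. */
    printf("137.0.2 vs 9.0,1 -> %d\n", ver_cmp("137.0.2", "9.0,1"));
    return 0;
}
```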