misc/116115: Bug in portaudit: it does not handle packagenames with ,

Remko Lodder remko at FreeBSD.org
Wed Sep 5 04:30:07 PDT 2007


The following reply was made to PR misc/116115; it has been noted by GNATS.

From: Remko Lodder <remko at FreeBSD.org>
To: Klavs Klavsen <klavs at EnableIT.dk>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: misc/116115: Bug in portaudit: it does not handle packagenames with ,
Date: Wed, 05 Sep 2007 13:26:24 +0200

 Klavs Klavsen wrote:
 >> Number:         116115
 >> Category:       misc
 >> Synopsis:       Bug in portaudit: it does not handle packagenames with ,
 >> Confidential:   no
 >> Severity:       critical
 >> Priority:       high
 >> Responsible:    freebsd-bugs
 >> State:          open
 >> Quarter:        
 >> Keywords:       
 >> Date-Required:
 >> Class:          sw-bug
 >> Submitter-Id:   current-users
 >> Arrival-Date:   Wed Sep 05 10:20:01 GMT 2007
 >> Closed-Date:
 >> Last-Modified:
 >> Originator:     Klavs Klavsen
 >> Release:        FreeBSD-6.2
 >> Organization:
 > EnableIT
 >> Environment:
 > FreeBSD tomcat5-ny.telmore.dk 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007     root at dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
 > 
 >> Description:
 > Hi guys,
 > 
 > I was just testing portaudit on FreeBSD 6.2.
 > 
 > I have mod_jk-1.2.19,1 installed.
 > 
 > a portaudit -Fda does not show it's vulnerable to anything.
 > 
 > However - it really is, and it's in the vulndb as well.
 > 
 > If I rename mod_jk-1.2.19,1 to mod_jk-1.2.19 a portaudit -Fda (or just -a)
 > says it's vulnerable.
 > 
 > So the conclusion is that portaudit's "version number" matching doesn't
 > seem to handle ,'s all that well.
 >> How-To-Repeat:
 > rename mod_jk to mod_jk-1.2.19,1 and see it NOT work. 
 >> Fix:
 > 
 > 
 
 Actually, strictly speaking, you are incorrect. You are correct that
 there is a problem though :-). Portaudit handles the ,\d perfectly,
 though PORTEPOCH (as the ,\d is called) makes version handling very
 different. If a port has a PORTEPOCH, it is always 'newer' than any
 other version available. This is to make sure we can roll back from a
 newer version.
 
 I fixed this in the vuxml document seconds ago.
 
 Thanks for noting this!
 
 Cheers
 remko
 -- 
 Kind regards,
 
      Remko Lodder               ** remko at elvandar.org
      FreeBSD                    ** remko at FreeBSD.org
 
      /* Quis custodiet ipsos custodes */
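The epoch rule described in the reply above, as an added example (this is not code from portaudit, VuXML or anyone on this thread): a simplified FreeBSD-style version comparison in which the ",N" PORTEPOCH suffix outranks both the dotted version and the "_N" PORTREVISION, followed by a range check over a constructed vulnerability table. The table entries, the "<1.2.20" and "<1.2.20,1" bounds and the one-line range syntax are illustrative assumptions standing in for a VuXML range, not the real mod_jk entry; the comparison also ignores the letter and "pl" rules of the real pkg_version algorithm.

```python
import re

def split_pkgname(pkgname):
    """'mod_jk-1.2.19,1' -> ('mod_jk', '1.2.19,1'); the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    if not name or not version:
        raise ValueError("no version part in %r" % pkgname)
    return name, version

def parse_version(v):
    """'1.2.19_2,1' -> (epoch=1, parts=[1, 2, 19], revision=2).

    Layout is PORTVERSION[_PORTREVISION][,PORTEPOCH]; a missing epoch or
    revision counts as 0. Simplified: only dotted numeric components.
    """
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = [int(p) if p.isdigit() else p for p in v.split(".")]
    return epoch, parts, revision

def _cmp(x, y):
    return (x > y) - (x < y)

def compare_versions(a, b):
    """Return <0, 0 or >0 like pkg_version -t: epoch first, then version, then revision."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return _cmp(ea, eb)          # any epoch 1 version beats every epoch 0 version
    for x, y in zip(pa, pb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return _cmp(x, y)
        return _cmp(str(x), str(y))  # mixed numeric/alpha: fall back to string order
    if len(pa) != len(pb):
        return _cmp(len(pa), len(pb))
    return _cmp(ra, rb)

# Stand-in for VuXML's <lt>/<le>/<gt>/<ge>/<eq> range elements (an assumption
# of this example): a bound is an operator followed by a version string.
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}

def in_range(version, spec):
    """True when `version` satisfies every bound in a spec such as '>=1.2 <1.2.20,1'."""
    for op, bound in re.findall(r"(<=|>=|<|>|=)\s*(\S+)", spec):
        if not _OPS[op](compare_versions(version, bound)):
            return False
    return True

def vulnerable(pkgname, vuln_table):
    """Return the ids of every table entry whose port name and range match `pkgname`."""
    name, version = split_pkgname(pkgname)
    return [vid for vid, (port, spec) in vuln_table.items()
            if port == name and in_range(version, spec)]

# Constructed for illustration only; not the actual VuXML data for mod_jk.
# Upper bound written without the epoch, as if the entry predated PORTEPOCH=1:
NAIVE_VULN_TABLE = {"example-modjk-entry": ("mod_jk", "<1.2.20")}
# Same entry with the epoch carried in the bound:
FIXED_VULN_TABLE = {"example-modjk-entry": ("mod_jk", "<1.2.20,1")}

if __name__ == "__main__":
    for table_name, table in (("naive", NAIVE_VULN_TABLE), ("fixed", FIXED_VULN_TABLE)):
        for pkg in ("mod_jk-1.2.19", "mod_jk-1.2.19,1", "mod_jk-1.2.20,1"):
            print("%-6s %-16s -> %s" % (table_name, pkg, vulnerable(pkg, table)))
```

Running it reproduces the behaviour reported in the PR: against a bound written without an epoch, mod_jk-1.2.19 is flagged but mod_jk-1.2.19,1 is not, because epoch 1 sorts above every epoch-0 version, 1.2.20 included. Once the upper bound carries the epoch, both the old and the epoched package names are caught and 1.2.20,1 is correctly reported clean, which is the direction a VuXML range fix for an epoch bump has to take.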