From: Dan Langille
Date: Mon, 13 Sep 2004 14:16:37 -0400 (EDT)
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Subject: Re: Matching a name to a port
Message-ID: <20040913135431.F22240@xeon.unixathome.org>
In-Reply-To: <20040913174748.GC71191@madman.celabo.org>
List-Id: Documenting security issues in VuXML

On Mon, 13 Sep 2004, Jacques A. Vidrine wrote:

> On Mon, Sep 13, 2004 at 01:33:22PM -0400, Dan Langille wrote:
> > I'm trying to match vuln.xml information against actual ports. To do
> > this, I need to know how the entries in the field are derived.
> >
> > I first thought it might be PORTNAME. But that's not the case. I now
> > think it might be ${PKGNAMEPREFIX}${PORTNAME}$.
>
> ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
>
> See the definition of PKGNAME in bsd.port.mk. It is PKGNAME minus the
> version information.
>
> > If I am correct, then I have some questions about the following entries.
> >
> > What ports do the following refer to?
Jacques: Thanks for pointing out the ports I missed. I have snipped them
from the discussion so we can concentrate on the others.

> > ImageMagick-nox11
>
> graphics/ImageMagick

I see ImageMagick in the names for this vuln. Where does ImageMagick-nox11
enter the picture?

> > libtool
>
> depends, could be devel/libtool13 or devel/libtool15, or even the
> no-longer-existent devel/libtool or devel/libtool14

Looking at the data:

    libtool
        1.3 .. 1.3.5_2
        1.4 .. 1.4.3_3
        1.5 .. 1.5.2

I suggest we need three package entries to cover the various FreeBSD ports
which have existed. Please see the mysql suggestion below for an example
of what I mean. This URL shows the libtool ports in question.

http://www.freshports.org/search.php?stype=name&method=match&query=libtool&num=10&deleted=includedeleted&casesensitivity=caseinsensitive&search=Search&orderby=category&orderbyupdown=asc

> > mpg123-esound

We have mpg123, but no mpg123-esound. I wonder where it comes from.

> > mplayer-esound
> > mplayer-gtk
> > mplayer-gtk-esound
>
> multimedia/mplayer

I don't know what to do about those. The vuln has an entry for mplayer,
so we'll catch that on FreshPorts, but not the other three.

> > mysql-client
> > mysql-scripts
> > mysql-server
>
> depends, could be any of the database/mysql*-(client|scripts|server) ports.

FreshPorts, or any other code for that matter, has no way of knowing which
port this vuln entry refers to. Intuitively, yes, we know it's going to be
one of mysql323-client, mysql40-client, and mysql50-client. Yes, the range
entries help human eyes:

    4.1 .. 4.1.3
    5 .. 5.0.0_2

I suggest we need two packages:

    mysql40-client
        4.0 .. 4.0.20
        4.1 .. 4.1.1_2
    mysql50-client
        5.0 .. 5.0.0_2

Should the entry be modified to refer explicitly to

> > The answers may be obvious to the trained eye, but how does one write code
> > against this?
>
> Ports are re-named, moved, removed. I'm not sure that it can be
> done exactly other than by what I suggested previously: a database
> of the "history" of package names.
> IIRC, portupgrade uses ad hoc
> heuristics to guess the port origin from the package name, when the
> ORIGIN comment is not usable for some reason.
>
> The dichotomy of package name and port origin has always been a
> troublesome aspect of the FreeBSD Ports collection :-(

Moving things around isn't so much of a problem. Locating them in the
first place is the issue. Later moves are not a problem.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
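An added example (not code from the thread, FreshPorts or VuXML) of the matching step the thread is about: split a PKGNAME at its last '-' into the ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} part and its version, then test that version against VuXML ranges using FreeBSD's version[_revision][,epoch] ordering. The range table is constructed from the libtool and mysql-client figures quoted above, read as ge/lt pairs; that reading and the simplified comparison are assumptions, and the name-to-origin ambiguity the thread describes is deliberately left unsolved here.

```python
import re
from typing import Optional, Tuple

# Constructed from the libtool and mysql-client figures quoted in the
# thread, read as <ge>/<lt> pairs (an assumption: the tags were lost).
VUXML_PACKAGES = {
    "libtool": [("1.3", "1.3.5_2"), ("1.4", "1.4.3_3"), ("1.5", "1.5.2")],
    "mysql-client": [("4.1", "4.1.3"), ("5", "5.0.0_2")],
}

def split_pkgname(pkgname: str) -> Tuple[str, str]:
    """'libtool-1.3.5_1' -> ('libtool', '1.3.5_1'): the name is
    ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} and may itself contain
    dashes, so the version is whatever follows the last '-'."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not version[:1].isdigit():
        raise ValueError(f"no version part in PKGNAME {pkgname!r}")
    return name, version

def _parse_version(v: str):
    """version[_revision][,epoch] -> (epoch, [(number, letters), ...], revision)."""
    rest, _, epoch = v.partition(",")
    base, _, rev = rest.partition("_")
    comps = []
    for part in base.split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)", part)
        if m is None:
            raise ValueError(f"unparsable version component {part!r}")
        comps.append((int(m.group(1) or 0), m.group(2)))
    return int(epoch or 0), comps, int(rev or 0)

def compare_versions(a: str, b: str) -> int:
    """FreeBSD ordering: epoch first, then dotted components, then
    PORTREVISION. Returns -1, 0 or 1; 1.3 and 1.3.0 compare equal."""
    ea, ca, ra = _parse_version(a)
    eb, cb, rb = _parse_version(b)
    width = max(len(ca), len(cb))
    ka = (ea, ca + [(0, "")] * (width - len(ca)), ra)
    kb = (eb, cb + [(0, "")] * (width - len(cb)), rb)
    return (ka > kb) - (ka < kb)

def affected_range(pkgname: str) -> Optional[Tuple[str, str]]:
    """The (ge, lt) VuXML range covering an installed PKGNAME, or None."""
    name, version = split_pkgname(pkgname)
    for ge, lt in VUXML_PACKAGES.get(name, []):
        if compare_versions(version, ge) >= 0 and compare_versions(version, lt) < 0:
            return ge, lt
    return None
```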