[Bug 271368] pkg info failure leads to nasty pkg delete behaviour
Date: Thu, 11 May 2023 18:11:45 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271368

            Bug ID: 271368
           Summary: pkg info failure leads to nasty pkg delete behaviour
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: freebsdbugs@wayne47.com

pkg-1.19.1_1 installed

pkg audit on 12.4-RELEASE-p2 system reported this security vulnerability:

py39-setuptools-63.1.0 is vulnerable:
  py39-setuptools -- denial of service vulnerability
  CVE: CVE-2022-40897
  WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html

so I checked what used it (I am eliminating most responses in the chain):

% pkg info -dx py39-setuptools
% pkg info -dx python39-3.9
% pkg info -dx readline
readline-8.2.1:
        indexinfo-0.3.1
% pkg info -dx indexinfo-0.3.1
indexinfo-0.3.1:
# No port listed suggests that nothing uses it
% pkg info -dx indexinfo   # Double checking that no ports are listed
indexinfo-0.3.1:
# Same response

# So it's safe to remove:
% sudo pkg delete indexinfo-0.3.1
# Which then proceeded to delete most of the ports installed on the system with
# no warning or ability to confirm!