| Summary: | pkg info failure leads to nasty pkg delete behaviour | ||
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Mike Wayne <freebsdbugs> |
| Component: | Individual Port(s) | Assignee: | freebsd-pkg (Nobody) <pkg> |
| Status: | New --- | ||
| Severity: | Affects Many People | CC: | gert, pkg |
| Priority: | --- | Flags: | linimon:
maintainer-feedback?
(pkg) |
| Version: | Latest | ||
| Hardware: | amd64 | ||
| OS: | Any | ||
pkg-1.19.1_1 installed pkg audit on 12.4-RELEASE-p2 system reported this security vulnerability: py39-setuptools-63.1.0 is vulnerable: py39-setuptools -- denial of service vulnerability CVE: CVE-2022-40897 WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html so I checked what used it (I am eliminating most responses in the chain): % pkg info -dx py39-setuptools % pkg info -dx python39-3.9 % pkg info -dx readline readline-8.2.1: indexinfo-0.3.1 % pkg info -dx indexinfo-0.3.1 indexinfo-0.3.1: # No port listed suggests that nothing uses it % pkg info -dx indexinfo # Double checking that no ports are listed indexinfo-0.3.1: # Same response # So it's safe to remove: % sudo pkg delete indexinfo-0.3.1 # Which then proceeded to delete most of the ports installed on the system with no warning or ability to confirm!