Bug 271368 - pkg info failure leads to nasty pkg delete behaviour
Summary: pkg info failure leads to nasty pkg delete behaviour
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Many People
Assignee: freebsd-pkg (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-11 18:11 UTC by Mike Wayne
Modified: 2023-11-28 03:23 UTC

See Also:
Flags: linimon: maintainer-feedback? (pkg)


Description Mike Wayne 2023-05-11 18:11:45 UTC
pkg-1.19.1_1 installed.
pkg audit on a 12.4-RELEASE-p2 system reported this security vulnerability:

   py39-setuptools-63.1.0 is vulnerable:
     py39-setuptools -- denial of service vulnerability
     CVE: CVE-2022-40897
     WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html

so I checked what used it (I am eliminating most responses in the chain):
   % pkg info -dx py39-setuptools
   % pkg info -dx python39-3.9
   % pkg info -dx readline
   readline-8.2.1:
        indexinfo-0.3.1
   % pkg info -dx indexinfo-0.3.1
   indexinfo-0.3.1:                    # No port listed suggests that nothing uses it
   % pkg info -dx indexinfo            # Double checking that no ports are listed
   indexinfo-0.3.1:                    # Same response
# So it's safe to remove:
   % sudo pkg delete indexinfo-0.3.1
# Which then proceeded to delete most of the ports installed on the system with no warning or ability to confirm!
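Added example (editor's note, not part of the report above and not pkg's own code): the cascade the reporter describes is the reverse-dependency closure that pkg computes when asked to delete a leaf package. In pkg-info(8), `pkg info -d PKG` lists what PKG depends on, while `pkg info -r PKG` lists what requires PKG; a package such as indexinfo sits at the bottom of the graph, so `-d` prints nothing for it even though many packages require it, and `pkg delete -n PKG` (dry run) prints the full removal set without removing anything. The model below reproduces both directions over a constructed dependency table whose chain mirrors the one in the report (py39-setuptools -> python39 -> readline -> indexinfo); the extra packages and version strings are made up for illustration.

```python
"""Dependency direction and removal cascade, modelled over a constructed table.

An edge A -> B in DEPENDS_ON means "A depends on B", the direction that
`pkg info -d A` reports.  Nothing here talks to a real pkg database.
"""
from collections import deque

# Constructed sample data (hypothetical names/versions, not a real system).
DEPENDS_ON = {
    "py39-setuptools-63.1.0": {"python39-3.9"},
    "python39-3.9": {"readline-8.2.1", "libffi-3.4.4"},
    "readline-8.2.1": {"indexinfo-0.3.1"},
    "indexinfo-0.3.1": set(),          # bottom of the graph: depends on nothing
    "libffi-3.4.4": set(),
    "vim-9.0": {"python39-3.9"},       # unrelated leaf that also rides on python39
}


def dependencies(depends_on, pkg):
    """What `pkg info -d pkg` shows: the packages pkg itself needs."""
    return sorted(depends_on.get(pkg, set()))


def required_by(depends_on, pkg):
    """What `pkg info -r pkg` shows: the packages that need pkg (direct only)."""
    return {p for p, deps in depends_on.items() if pkg in deps}


def removal_set(depends_on, pkg):
    """Everything `pkg delete pkg` must remove alongside pkg: the transitive
    closure of required_by, walked breadth-first so each package is visited once."""
    doomed = {pkg}
    queue = deque([pkg])
    while queue:
        cur = queue.popleft()
        for parent in required_by(depends_on, cur):
            if parent not in doomed:
                doomed.add(parent)
                queue.append(parent)
    return doomed


def dry_run(depends_on, pkg):
    """Sorted list of the *other* packages a delete of pkg would take with it,
    i.e. the check to read before confirming a removal."""
    return sorted(removal_set(depends_on, pkg) - {pkg})


if __name__ == "__main__":
    target = "indexinfo-0.3.1"
    print("pkg info -d  ->", dependencies(DEPENDS_ON, target))   # empty, as in the report
    print("pkg info -r  ->", sorted(required_by(DEPENDS_ON, target)))
    print("pkg delete -n ->", dry_run(DEPENDS_ON, target))
```

The asymmetry is the whole point: an empty `-d` listing says the package needs nothing, not that nothing needs it, and only the reverse closure (or a dry run) reveals how much of the system would come off with it.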