Based on your reply, the update does not seem too onerous to me. Since I would like to see the bug fixed, I'll go ahead and request the update... :^)
Thanks again for your efforts,
- Tor

PS - For what it's worth, I searched the changelog for "security" and
found this newer entry:

http://git.savannah.gnu.org/cgit/findutils.git/tree/ChangeLog

* find/find.c: Fixed security holes.
  1. There is a race condition between the lstat() to detect a
     symbolic link and the actual chdir().
  2. An attacker can move directories while find is _inside_ so that
     chdir(..) goes out of the intended file tree.

On Tue, Jan 12, 2010 at 12:28:32AM +0000, Stuart Henderson wrote:
> On 2010/01/09 10:36, open...@noid.net wrote:
> >
> > Hello,
> >
> > If this is the wrong place for this post, please let me know...
> > More specifically, would it be appropriate to submit this to the Bug
> > Tracking system using sendbug?
>
> We don't track problems with individual ports in the bug tracker.
> ports@ is a good place to post, or if the port has a maintainer
> (displayed in pkg_info) you can try contacting them first.
>
> > I think I've found a bug in OpenBSD's port of findutils. It can
> > easily be reproduced with this command sequence:
>
> I think the bug is in the original software rather than the port,
> we only have a small change to the configure script, that's all.
>
> > mkdir -p /tmp/a/b/c
> > gfind /tmp/a/b/c -depth -type d -empty
> > gfind /tmp/a/b -depth -type d -empty
> > gfind /tmp/a -depth -type d -empty
> > rmdir -p /tmp/a/b/c
> >
> > If you do the above, you'll see that only the first gfind command
> > works properly; the output is:
> >
> > /tmp/a/b/c
> >
> > The second gfind command has output that is not correct:
> >
> > /tmp/a/b/c
> > /tmp/a/b
> >
> > The third gfind command only reports errors:
> >
> > gfind: /tmp/a/b: No such file or directory
> > gfind: /tmp/a: No such file or directory
> >
> > The proper behavior would be if the last two invocations had the same
> > output as the first.
>
> Updating the port to use a more recent version of findutils
> fixes this.
> > Any comments/oks/requests to use the last GPLv2 version instead? > I get the impression this port isn't very widely used.. > > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/misc/findutils/Makefile,v > retrieving revision 1.15 > diff -u -p -r1.15 Makefile > --- Makefile 15 Sep 2007 23:54:16 -0000 1.15 > +++ Makefile 12 Jan 2010 00:23:46 -0000 > @@ -2,24 +2,24 @@ > > COMMENT= finds and then operates on files > > -DISTNAME= findutils-4.1 > -PKGNAME= ${DISTNAME}p0 > +DISTNAME= findutils-4.4.2 > CATEGORIES= misc > > HOMEPAGE= http://www.gnu.org/software/findutils/ > > -# GPL > +# GPLv3+ > PERMIT_PACKAGE_CDROM= Yes > PERMIT_PACKAGE_FTP= Yes > PERMIT_DISTFILES_CDROM= Yes > PERMIT_DISTFILES_FTP= Yes > -WANTLIB= c > + > +WANTLIB= c m > > MASTER_SITES= ${MASTER_SITE_GNU:=findutils/} > > MODULES= devel/gettext > > -CONFIGURE_STYLE= gnu dest old > +CONFIGURE_STYLE= gnu > CONFIGURE_ARGS= --program-prefix="g" > CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ > LDFLAGS="-L${LOCALBASE}/lib" > Index: distinfo > =================================================================== > RCS file: /cvs/ports/misc/findutils/distinfo,v > retrieving revision 1.3 > diff -u -p -r1.3 distinfo > --- distinfo 5 Apr 2007 17:41:07 -0000 1.3 > +++ distinfo 12 Jan 2010 00:23:46 -0000 
> @@ -1,5 +1,5 @@ > -MD5 (findutils-4.1.tar.gz) = Pqj+WO9Thtp19scHcTqgWQ== > -RMD160 (findutils-4.1.tar.gz) = tmwKouctN46MPLmWjOto2ROK+HQ= > -SHA1 (findutils-4.1.tar.gz) = uRzQPKTJZZs+XUDoQcZL/S5/Jdg= > -SHA256 (findutils-4.1.tar.gz) = SH7MCmyMkGNKERWPNgl35c4KmmcBUC2my5alp+wUP6w= > -SIZE (findutils-4.1.tar.gz) = 294494 > +MD5 (findutils-4.4.2.tar.gz) = NRzErbB9VId/oV91+3fTnw== > +RMD160 (findutils-4.4.2.tar.gz) = 0pVKMdWcojjhi1C+gvHsz3rWkFQ= > +SHA1 (findutils-4.4.2.tar.gz) = 6N2I+izFir/9C/we3auQICMbsCQ= > +SHA256 (findutils-4.4.2.tar.gz) = > Q08y0XHLwKXnLPxTcsb8TLDmgfjc5Wag3ltvzNcCtio= > +SIZE (findutils-4.4.2.tar.gz) = 2149838 > Index: patches/patch-configure > =================================================================== > RCS file: patches/patch-configure > diff -N patches/patch-configure > --- patches/patch-configure 19 Feb 2005 13:04:44 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,21 +0,0 @@ > -$OpenBSD: patch-configure,v 1.1 2005/02/19 13:04:44 alek Exp $ > ---- configure.orig Sat Feb 19 13:56:57 2005 > -+++ configure Sat Feb 19 13:58:03 2005 > -@@ -1892,7 +1892,7 @@ if eval "test \"`echo '${'ac_cv_lib_intl > - echo $ac_n "(cached) $ac_c" 1>&4 > - else > - ac_save_LIBS="$LIBS" > --LIBS="$LIBS -lintl " > -+LIBS="$LIBS -lintl -liconv" > - cat > conftest.$ac_ext <<EOF > - #line 1898 "configure" > - #include "confdefs.h" > -@@ -1915,7 +1915,7 @@ LIBS="$ac_save_LIBS" > - fi > - if eval "test \"`echo '$ac_cv_lib_'intl`\" = yes"; then > - echo "$ac_t""yes" 1>&4 > -- LIBS="$LIBS -lintl" > -+ LIBS="$LIBS -lintl -liconv" > - else > - echo "$ac_t""no" 1>&4 > - fi > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/misc/findutils/pkg/PLIST,v > retrieving revision 1.5 > diff -u -p -r1.5 PLIST > --- pkg/PLIST 2 Apr 2005 21:40:49 -0000 1.5 > +++ pkg/PLIST 12 Jan 2010 00:23:46 -0000 
> @@ -1,15 +1,64 @@ > @comment $OpenBSD: PLIST,v 1.5 2005/04/02 21:40:49 pvalchev Exp $ > -bin/gfind > -bin/glocate > +...@bin bin/gfind > +...@bin bin/glocate > +...@bin bin/goldfind > bin/gupdatedb > -bin/gxargs > +...@bin bin/gxargs > +...@info info/find-maint.info > @info info/find.info > -libexec/gbigram > -libexec/gcode > -libexec/gfrcode > +...@comment lib/charset.alias > +...@bin libexec/gbigram > +...@bin libexec/gcode > +...@bin libexec/gfrcode > @man man/man1/gfind.1 > @man man/man1/glocate.1 > @man man/man1/gupdatedb.1 > @man man/man1/gxargs.1 > @man man/man5/glocatedb.5 > -var/ > +share/locale/be/LC_MESSAGES/findutils.mo > +share/locale/bg/LC_MESSAGES/findutils.mo > +share/locale/ca/LC_MESSAGES/findutils.mo > +share/locale/cs/LC_MESSAGES/findutils.mo > +share/locale/da/LC_MESSAGES/findutils.mo > +share/locale/de/LC_MESSAGES/findutils.mo > +share/locale/el/LC_MESSAGES/findutils.mo > +share/locale/eo/LC_MESSAGES/findutils.mo > +share/locale/es/LC_MESSAGES/findutils.mo > +share/locale/et/LC_MESSAGES/findutils.mo > +share/locale/fi/LC_MESSAGES/findutils.mo > +share/locale/fr/LC_MESSAGES/findutils.mo > +share/locale/ga/LC_MESSAGES/findutils.mo > +share/locale/gl/LC_MESSAGES/findutils.mo > +share/locale/hr/LC_MESSAGES/findutils.mo > +share/locale/hu/LC_MESSAGES/findutils.mo > +share/locale/id/LC_MESSAGES/findutils.mo > +share/locale/it/LC_MESSAGES/findutils.mo > +share/locale/ja/LC_MESSAGES/findutils.mo > +share/locale/ko/LC_MESSAGES/findutils.mo > +share/locale/lg/ > +share/locale/lg/LC_MESSAGES/ > +share/locale/lg/LC_MESSAGES/findutils.mo > +share/locale/lt/ > +share/locale/lt/LC_MESSAGES/ > +share/locale/lt/LC_MESSAGES/findutils.mo > +share/locale/ms/ > +share/locale/ms/LC_MESSAGES/ > +share/locale/ms/LC_MESSAGES/findutils.mo > +share/locale/nl/LC_MESSAGES/findutils.mo > +share/locale/pl/LC_MESSAGES/findutils.mo > +share/locale/pt/LC_MESSAGES/findutils.mo > +share/locale/pt_BR/LC_MESSAGES/findutils.mo > +share/locale/ro/LC_MESSAGES/findutils.mo > 
+share/locale/ru/LC_MESSAGES/findutils.mo > +share/locale/rw/ > +share/locale/rw/LC_MESSAGES/ > +share/locale/rw/LC_MESSAGES/findutils.mo > +share/locale/sk/LC_MESSAGES/findutils.mo > +share/locale/sl/LC_MESSAGES/findutils.mo > +share/locale/sr/LC_MESSAGES/findutils.mo > +share/locale/sv/LC_MESSAGES/findutils.mo > +share/locale/tr/LC_MESSAGES/findutils.mo > +share/locale/uk/LC_MESSAGES/findutils.mo > +share/locale/vi/LC_MESSAGES/findutils.mo > +share/locale/zh_CN/LC_MESSAGES/findutils.mo > +share/locale/zh_TW/LC_MESSAGES/findutils.mo
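
Review bot: In the Makefile hunk the licence comment changes from `# GPL` to `# GPLv3+` while the cover text still asks whether the last GPLv2 version should be used instead; settle that before commit, since the answer decides both `DISTNAME= findutils-4.4.2` and this comment. The PERMIT_* lines are left untouched, so state in the commit message that they were re-checked against the new licence rather than carried over.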
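
Review bot: In the distinfo hunk the `+SHA256 (findutils-4.4.2.tar.gz) =` line has been wrapped by the mailer, leaving the digest on a separate quoted line, so the hunk will not apply as mailed. Regenerate distinfo from the fetched tarball with `make makesum` rather than rejoining the line by hand, and check the result against `SIZE (findutils-4.4.2.tar.gz) = 2149838`.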
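
Review bot: Deleting patches/patch-configure drops both `-lintl -liconv` additions to LIBS, and nothing in the Makefile hunk replaces them beyond the existing CPPFLAGS/LDFLAGS in CONFIGURE_ENV. Check the configure output of a clean build to confirm that 4.4.2 finds and links libintl and libiconv without the patch, given that `MODULES= devel/gettext` is kept.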
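
Review bot: At the end of the first part of the pkg/PLIST hunk, `-var/` is removed while `bin/gupdatedb` stays in the list. Confirm where the 4.4.2 gupdatedb/glocate database is expected to live and that the directory exists after install; if the location changed, note it in the commit message so existing users are not surprised.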
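
The two holes quoted from the findutils ChangeLog in the PS (the lstat()/chdir() race and the moved-directory chdir("..") escape) can be closed as sketched below; this is an added example, not findutils code and not part of the thread. The names safe_enter, safe_leave and demo are hypothetical, and the directory tree is constructed in a fresh temp dir.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: enter `name` only if it is a real directory.
 * O_NOFOLLOW rejects a symlink and fchdir() enters the very object that was
 * opened, so there is no lstat()-then-chdir() window. *id gets its identity. */
int safe_enter(const char *name, struct stat *id)
{
    int fd = open(name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int ok = fstat(fd, id) == 0 && fchdir(fd) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Hypothetical helper: go up only if ".." is still the directory we came
 * from; if the subtree was moved meanwhile, fail and leave the cwd alone. */
int safe_leave(const struct stat *parent)
{
    struct stat up;
    int fd = open("..", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int ok = fstat(fd, &up) == 0 && up.st_dev == parent->st_dev &&
             up.st_ino == parent->st_ino && fchdir(fd) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed tree in a fresh temp dir (left behind for inspection).
 * Returns a bitmask: 1 symlink refused, 2 normal walk, 4 moved dir caught. */
int demo(void)
{
    char root[] = "/tmp/safecd.XXXXXX";
    struct stat a, b;
    int r = 0;
    if (!mkdtemp(root) || chdir(root) != 0) return -1;
    int rootfd = open(".", O_RDONLY | O_DIRECTORY);
    if (rootfd < 0 || mkdir("a", 0700) || mkdir("a/b", 0700) ||
        mkdir("other", 0700) || symlink("a", "link")) return -1;
    if (safe_enter("link", &a) != 0) r |= 1;
    if (!safe_enter("a", &a) && !safe_enter("b", &b) && !safe_leave(&a)) r |= 2;
    /* Simulate the move: a/b is renamed to other/b while it is the cwd. */
    if (!safe_enter("b", &b) && !renameat(rootfd, "a/b", rootfd, "other/b") &&
        safe_leave(&a) != 0) r |= 4;
    close(rootfd);
    return r;
}

int main(void) { printf("checks passed: %d (7 = all)\n", demo()); return 0; }
```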