Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 28 Aug 2012 13:53:34 -0500
From:      Bryan Drewery <bryan@shatow.net>
To:        David Newman <dnewman@networktest.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: portaudit and automake14
Message-ID:  <503D13AE.1010003@shatow.net>
In-Reply-To: <503D1259.9080801@networktest.com>
References:  <503D1259.9080801@networktest.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 8/28/2012 1:47 PM, David Newman wrote:
> 1. On a 8.0-RELEASE system, I'm having a problem with the automake14
> port, where the portaudit port reports this vulnerability:
> 
> http://portaudit.freebsd.org/10f38033-e006-11e1-9304-000000000000.html
> 
> Refreshing the ports collection with 'portsnap fetch extract' and then
> running 'portmaster automake14' returned the same error as before:
> 
> automake -- Insecure 'distcheck' recipe granted world-writable distdir
> 
> I then tried to do 'make deinstall && make reinstall' for automake14,
> but that just deinstalled the port. The system returns the same error as
> above when trying to reinstall.
> 
> How to resolve?
> 
> 2. This system also has a couple of other automake ports installed:
> 
> automake-1.12.3
> automake-wrapper-20101119
> 
> How to determine if these are necessary in addition to automake14?


automake14 is not vulnerable to this issue. The vuxml was recently
updated to show that it only affects 1.5 and up.

http://www.vuxml.org/freebsd/36235c38-e0a8-11e1-9f4d-002354ed89bc.html

Not sure when portaudit updates, but in the meantime you can ignore that
error:

env DISABLE_VULNERABILITIES=1 portmaster ...

You can also try deinstalling automake14 as it may not even be required
on your system and the newer 1.12 may automatically be used instead.

To be clear, automake14 is super old. automake-1.12.3 is current.


> 
> Thanks
> 
> dn
> 

Bryan




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?503D13AE.1010003>