From owner-freebsd-questions@FreeBSD.ORG  Thu Dec  7 14:37:34 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 47EAE16A47E;
	Thu,  7 Dec 2006 14:37:34 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from smtp.infracaninophile.co.uk (ns0.infracaninophile.co.uk
	[81.187.76.162])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6904743CEA;
	Thu,  7 Dec 2006 14:35:06 +0000 (GMT)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from [172.16.3.238] (gateway.ash.thebunker.net [213.129.64.4])
	(authenticated bits=0)
	by smtp.infracaninophile.co.uk (8.13.8/8.13.8) with ESMTP id
	kB7EZOKn001162
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 7 Dec 2006 14:35:35 GMT
	(envelope-from m.seaman@infracaninophile.co.uk)
Authentication-Results: smtp.infracaninophile.co.uk
	from=m.seaman@infracaninophile.co.uk; sender-id=permerror;
	spf=permerror
X-SenderID: Sendmail Sender-ID Filter v0.2.14 smtp.infracaninophile.co.uk
	kB7EZOKn001162
Message-ID: <457826A3.9020702@infracaninophile.co.uk>
Date: Thu, 07 Dec 2006 14:35:15 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
User-Agent: Thunderbird 1.5.0.8 (X11/20061120)
MIME-Version: 1.0
To: mato <gamato@users.sourceforge.net>
References: <el7e8s$9ak$1@sea.gmane.org>	<20061206233232.GA72778@xor.obsecurity.org>	<45775FA0.7020206@users.sf.net>	<8cb6106e0612061646m1a9b9f94nc33bdb36ad25594d@mail.gmail.com>	<20061207131208.M28770@users.sf.net>	<45781B2A.4000300@unsane.co.uk>
	<20061207140329.M59390@pobox.sk>
In-Reply-To: <20061207140329.M59390@pobox.sk>
X-Enigmail-Version: 0.94.0.0
Content-Type: multipart/signed; micalg=pgp-ripemd160;
	protocol="application/pgp-signature";
	boundary="------------enig4115E309C75B607C2E2A6D40"
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by
	milter-greylist-2.0.2 (smtp.infracaninophile.co.uk
	[81.187.76.162]); Thu, 07 Dec 2006 14:35:49 +0000 (GMT)
X-Virus-Scanned: ClamAV version 0.88.6, clamav-milter version 0.88.6 on
	happy-idiot-talk.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.1 required=5.0 tests=AWL,BAYES_00,
	DKIM_POLICY_TESTING autolearn=ham version=3.1.7
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on 
	happy-idiot-talk.infracaninophile.co.uk
Cc: Vince <jhary@unsane.co.uk>, josh.carroll@psualum.com,
	freebsd-ports@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Dec 2006 14:37:34 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig4115E309C75B607C2E2A6D40
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: quoted-printable

mato wrote:
> On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
>> mato wrote:
>>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
>>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
>>>>>>>         is forbidden: Remote code execution:
>>>>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.htm=
l
>>>>>>>
>>>>>>> Isn't this behaviour flawed ??  Or am I missing something ?
>>>> You need to make config in /usr/ports/multimedia/win32-codecs, and
>>>> unselect quicktime. Then the port should install. This is assuming,
>>>>  of course, that you can live without the QT codec(s).
>>>>
>>>> Josh
>>>
>>> OK, I will try it..  Thank you all.
>>>
>>> But the question remains -- if new port version is not vulnerable why=
 i cannot
>>> upgrade to it ??
>>>
>> Its only not vulnerable if you unselect the quicktime codec. the
>> vulnerability is in the quicktime codec.
>>
>> The port will by default use the stored config in
>> /var/db/ports/win32-codecs/options and if this says to use the quickti=
me
>> codec then it will not upgrade. This seems pretty sensible to me.
>>
>> Vince
>>
>=20
>=20
> I cannot access and check the port's Makefile right now ... Is it Makef=
ile
> which says (conditionally) "hey i'm vulnerable" or is it portaudit/VuXM=
L
> database which says that.  I guess the former, otherwise freshports.org=
 should
> mark the port as vulnerable.  Right?

In general, this sort of security flagging is done via portaudit's own da=
tabase
which is derived mostly from VuXML.  To get around the lockout imposed by=
 portaudit
you can do:

     make DISABLE_VULNERABILITIES=3Dyes

but a) this doesn't disable any actual vulnerabilities, just the checking=

for their presence, and b) on your own head be it.

Now, in the case of the win32-codecs port, it is done differently.  The p=
ort
Makefile says this:

=2Eif defined(WITH_QUICKTIME)
FORBIDDEN=3D      Remote code execution: http://vuxml.FreeBSD.org/24f6b1e=
b-43d5-11
db-81e1-000e0c2e438a.html
ADDITIONAL_CODECS_DISTFILES+=3D   qt63dlls-20050115.tar.bz2 \
                                qtextras-20041107.tar.bz2
PLIST_SUB+=3D     QUICKTIME=3D""
=2Eelse
PLIST_SUB+=3D     QUICKTIME=3D"@comment "
=2Eendif

ie. selecting the Quicktime plugins in the OPTIONS dialog, which causes
WITH_QUICKTIME to be defined, means that the port will be marked forbidde=
n,
and any attempt to install it will be blocked.

A simple 'make config' and unchecking that option will let you install
the port with all of the other codecs.

Freshports parses the VuXML database to mark ports as vulnerable -- the V=
uXML
data contains a listing of the vulnerable package names and ranges of ver=
sion
numbers.  VuXML doesn't actually have a way of distinguishing what option=
s are
enabled for the port, although the textual note in the entry explains the=
 situation
fairly clearly.  It doesn't say "Users are advised to reinstall the port =
with the
Quicktime support turned off" which might be a nice addition.  The system=
 will
however prompt users to upgrade to a version of the port after the code t=
o
forbid installation with Quicktime stuff enabled was added.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK


--------------enig4115E309C75B607C2E2A6D40
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFeCap8Mjk52CukIwRAy6hAJ0aFo6JQZt6vmHv54BnzMznOhNI+QCfXEzh
OT0VSOkkTBLUhuqmxjjZHY0=
=9WMg
-----END PGP SIGNATURE-----

--------------enig4115E309C75B607C2E2A6D40--