From: David Wolfskill <david@catwhisker.org>
To: freebsd-ports@freebsd.org
Date: Fri, 3 Jul 2015 06:01:03 -0700
Subject: Please help un-confuse me about vuxml
Message-ID: <20150703130103.GM1472@albert.catwhisker.org>

Before I get started on something that is likely to devolve into something a bit "rant-ish," I will take this opportunity to thank the folks who
work on things such as maintaining ports, the port- and package-building infrastructure, and maintaining the vulnerability database(s). (For about 3 decades of my career, I worked in sysadmin(-like) positions; I'm familiar with the value of well-maintained infrastructure... and that infrastructure and those who maintain it usually get noticed when something is perceived to be "wrong.")

That said, as the Subject indicates, I'm confused about something....

Upon an initial successful smoke test after a src update of FreeBSD, it is my practice to then update the installed ports. As I do this moderately frequently (generally, daily), I build the ports (rather than rely on externally-built packages). I use portmaster(8) to do this (and have been doing so for several years).

Today, the ports selected for update (after addressing the ffmpeg update) were:

===>>> The following actions will be taken if you choose to proceed:
        Upgrade R-cran-stringi-0.5.2_1 to R-cran-stringi-0.5.5
        Upgrade harfbuzz-0.9.40_1 to harfbuzz-0.9.41
        Upgrade iso-codes-3.57 to iso-codes-3.59
        Upgrade netpbm-10.35.94_1 to netpbm-10.35.96
        Upgrade openjdk-7.80.15,1 to openjdk-7.80.15_1,1
        Upgrade p5-DateTime-1.19 to p5-DateTime-1.20
        Upgrade p5-DateTime-TimeZone-1.92 to p5-DateTime-TimeZone-1.92_1
        Upgrade mplayer-1.1.r20150403_2 to mplayer-1.1.r20150403_3
        Upgrade wireshark-1.12.5_1 to wireshark-1.12.6

===>>> Proceed? y/n [y]

As indicated, I told it to proceed (while I directed my focus elsewhere). I was thus a bit startled (and yes, annoyed) a few minutes later to see:

| ...
| ===>>> Deleting stale distfile: iso-codes-3.57.tar.xz
| 0;portmaster: All (9)^G===>>> Returning to update check of installed ports
|
| ===>>> Launching child to install graphics/netpbm
|
| ===>>> All >> graphics/netpbm (4/9)
| 0;portmaster: All >> graphics/netpbm (4/9)^G
| ===>>> Currently installed version: netpbm-10.35.94_1
| ===>>> Port directory: /usr/ports/graphics/netpbm
|
| ===>>> Starting check for build dependencies
| ===>>> Gathering dependency list for graphics/netpbm from ports
| ===>>> Dependency check complete for graphics/netpbm
|
| ===>>> All >> netpbm-10.35.94_1 (4/9)
| 0;portmaster: All >> netpbm-10.35.94_1 (4/9)^G
| ===>  Cleaning for netpbm-10.35.96
| ===>  netpbm-10.35.96 has known vulnerabilities:
| netpbm-10.35.96 is vulnerable:
| dcraw -- integer overflow condition
| CVE: CVE-2015-3885
| WWW: https://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html
|
| 1 problem(s) in the installed packages found.
| => Please update your ports tree and try again.
| => Note: Vulnerable ports are marked as such even if there is no update available.
| => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
| *** Error code 1
|
| Stop.
| make[1]: stopped in /common/ports/graphics/netpbm
| *** Error code 1
|
| Stop.
| make: stopped in /common/ports/graphics/netpbm
|
| ===>>> make build failed for graphics/netpbm
| ===>>> Aborting update
|
| ===>>> Update for graphics/netpbm failed
| ===>>> Aborting update
|
| ===>>> The following actions were performed:
|         Upgrade of R-cran-stringi-0.5.2_1 to R-cran-stringi-0.5.5
|         Upgrade of harfbuzz-0.9.40_1 to harfbuzz-0.9.41
|         Upgrade of iso-codes-3.57 to iso-codes-3.59
|
| ===>>> You can restart from the point of failure with this command line:
|         portmaster graphics/netpbm java/openjdk7 devel/p5-DateTime devel/p5-DateTime-TimeZone multimedia/mplayer net/wireshark
|

I then turned my attention to my /usr/ports SVN working copy to check the update log for graphics/netpbm/Makefile; the most recent entry was:

| ------------------------------------------------------------------------
| r391058 | feld | 2015-07-01 06:28:35 -0700 (Wed, 01 Jul 2015) | 6 lines
|
| Update to 10.35.96
|
| CVE-2015-3885 fix is included
|
| Approved by:    ports-secteam (with hat)
|
| ------------------------------------------------------------------------

And that combination of things catalyzed this note. Here's what I'm seeing:

- There is a claim that the port to which I was trying to update was "vulnerable" per vuxml.

- The vuxml entry effectively required human intervention to update the port.

- The most recent update to the port itself claimed that it had a fix to address said vulnerability. (This gives one reason to wonder why *this* version of the port had a vuxml entry, then.)

- I had no feasible way to have a clue about any of this until the artificial failure disrupted the usual update process.

- As far as I can tell, there was no value in the existence of the vuxml entry for this port under these circumstances. Rather, it was merely annoying and disruptive, for no gain whatsoever. There wasn't even an UPDATING entry to warn a person about what was going on.

So... what am I missing?
How is a vuxml entry for ports/graphics/netpbm @r391058 that claims it's vulnerable per CVE-2015-3885 useful or helpful?

Thanks....

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Those who murder in the name of God or prophet are blasphemous cowards.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
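An added illustration of the mechanics behind the question above (example code, not part of this thread and not the real vuxml or pkg-audit implementation): a small Python checker that matches FreeBSD package version strings against a vuxml-style <range>, using a constructed entry with a placeholder vid, to show how the choice of <lt> versus <le> and a PORTREVISION bump (the trailing _1) decide whether a version such as netpbm-10.35.96 is reported. The version comparison is a simplification of pkg's rules (epoch after ',', revision after '_', numeric runs compared in order), and the real entry's range is not quoted in the message.

```python
"""Simplified vuxml range check for FreeBSD package versions (added example,
not the real vuxml/pkg-audit code). Version rules are simplified from pkg:
',' separates an epoch, '_' a port revision, numeric runs compare in order."""
import re
import xml.etree.ElementTree as ET

# Constructed vuxml fragment with a placeholder vid; the real entry's <range>
# is not quoted on the page, and the vuxml namespace is omitted for brevity.
VUXML_LT = """<vuln vid="PLACEHOLDER-VID">
  <affects><package><name>netpbm</name>
    <range><lt>10.35.96</lt></range>
  </package></affects>
</vuln>"""
VUXML_LE = VUXML_LT.replace("<lt>", "<le>").replace("</lt>", "</le>")

def parse_pkg_version(version):
    """'10.35.94_1,2' -> (epoch 2, (10, 35, 94), revision 1)."""
    epoch = revision = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    numeric = tuple(int(n) for n in re.findall(r"\d+", version))
    return (epoch, numeric, revision)

# vuxml bound operators; every bound inside one <range> must hold
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def version_in_range(version, range_el):
    key = parse_pkg_version(version)
    return all(OPS[b.tag](key, parse_pkg_version(b.text.strip())) for b in range_el)

def audit(pkg, vuxml_text):
    """Return vids whose <package> name and any <range> match 'name-version'."""
    name, version = pkg.rsplit("-", 1)
    vuln = ET.fromstring(vuxml_text)
    if any(p.findtext("name") == name
           and any(version_in_range(version, r) for r in p.iter("range"))
           for p in vuln.iter("package")):
        return [vuln.get("vid")]
    return []

if __name__ == "__main__":
    for pkg in ("netpbm-10.35.94_1", "netpbm-10.35.96", "netpbm-10.35.96_1"):
        print(pkg, "lt:", audit(pkg, VUXML_LT), "le:", audit(pkg, VUXML_LE))
```

With the <lt> bound the updated 10.35.96 is clean, whereas an entry written with <le>10.35.96</le> flags it until the revision is bumped to 10.35.96_1.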