From owner-cvs-all@FreeBSD.ORG Sat Sep 16 19:27:03 2006 Return-Path: X-Original-To: cvs-all@freebsd.org Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D3A816A407; Sat, 16 Sep 2006 19:27:03 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 68C2843D45; Sat, 16 Sep 2006 19:26:59 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id 79A4D386C10; Sat, 16 Sep 2006 19:26:58 +0000 (UTC) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 5F25C1141D; Sat, 16 Sep 2006 21:26:58 +0200 (CEST) Date: Sat, 16 Sep 2006 21:26:58 +0200 From: "Simon L. Nielsen" To: Peter Jeremy Message-ID: <20060916192657.GC1020@zaphod.nitro.dk> References: <200609141426.k8EEQiVC003730@repoman.freebsd.org> <20060916094324.GA11675@turion.vk2pj.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060916094324.GA11675@turion.vk2pj.dyndns.org> User-Agent: Mutt/1.5.11 Cc: cvs-ports@freebsd.org, Remko Lodder , cvs-all@freebsd.org, ports-committers@freebsd.org Subject: Re: cvs commit: ports/security/vuxml vuln.xml X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Sep 2006 19:27:03 -0000 On 2006.09.16 19:43:24 +1000, Peter Jeremy wrote: > On Thu, 2006-Sep-14 14:26:44 +0000, Remko Lodder wrote: > >remko 2006-09-14 14:26:44 UTC > > Rewrite the win32-codecs entry to even better explain the vulnerability [2]. > > Since there's no longer a maintainer and there doesn't appear to be a > fix at the master site, this port may be broken for some time. Is it > possible to just not install the QuickTime dll's? > > Based on the codec breakdown, QuickTime support is the following files: > 3ivX.qtx > ACTLComponent.qtx > AvidQTAVUICodec.qtx > BeHereiVideo.qtx > Indeo4.qtx > On2_VP3.qtx > ZyGoVideo.qtx > QuickTime.qts > QuickTimeEssentials.qtx > QuickTimeInternetExtras.qtx > qtmlClient.dll > > Does anyone know if those files can just be removed to avoid the > vulnerability whilst still have the remaining win32 codecs work? If we remove the Quicktime codecs then I will be happy to remove FORBIDDEN from the port. Unfortunatly I don't have the time too look into finding out which files has to be removed myself, so I have no idea if you identified the right files. -- Simon L. Nielsen FreeBSD Security Team