Date: Mon, 10 Sep 2007 17:09:40 -0500
From: "Jeremy Messenger" <mezz7@cox.net>
To: "John Murphy" <freebsd001@freeode.co.uk>
Cc: malcolm_green@tiscali.co.uk, Gnome list <freebsd-gnome@freebsd.org>
Subject: Re: make gnome2 fails because evince has vulnerability
Message-ID: <op.tygk6ejx9aq2h7@mezz.mezzweb.com>
In-Reply-To: <20070910205231.167f48f7@turion.freeode.co.uk>
References: <20070910205231.167f48f7@turion.freeode.co.uk>

On Mon, 10 Sep 2007 14:52:31 -0500, John Murphy <freebsd001@freeode.co.uk> wrote:

> malcolm_green@tiscali.co.uk wrote:
>
>> Dear freebsd-gnome team
>> May I enquire of you about a problem when doing make install
>> in /usr/ports/x11/gnome2 under PCBSD 1.4RC. It fails saying
>> evince has a vulnerability. I have followed the advice output by
>> the make and used kports to update the ports, fetch a new index,
>> and update the ports-db. Upon re-issuing make install I get the
>> same error. Now I am unsure what to do. Surely the make install
>> script should not refuse to continue building but merely issue a
>> warning. There must be a way to prevent this blowup, but the whole
>> ports system is like an empty cube in space to a relatively new
>> BSD person.
>>
>> I can see that one way to avoid it would be to get a new evince,
>> but kports says my copy is the latest.
>> The ports I am using is supplied on the PCBSD CD so I don't know when
>> it dates from, and in any case I have updated the ports tree with
>> kports.
>
>> Perhaps there is a good document I should read.
>
> <- Snipped screen output (mine is the same as yours. See below.) ->
>
> Hi Malcolm,
>
> No solution, but just wanted to say I have the same problem on
> FreeBSD-6.2. I've run csup and portupgrade -arR. I've run the
> gnomelogalyzer.sh from within /usr/ports/x11/gnome2 and checked
> all of its suggestions. (The recommended mailing list archive
> search showed no results for evince or [k|x]pdf in 2007! I get
> the impression Rambler isn't updated much these days...).
>
> The only thing I haven't tried (and I'm loath to do so as I
> doubt it will help) is 'pkg_delete -rf pkg-config\*'.
>
> The reference URL:
>
> http://www.FreeBSD.org/ports/portaudit/0e43a14d-3f3f-11dc-a79a-0016179b2dd5.html
>
> mentions xpdf and kpdf. Do you have either of those installed?
> I have kpdf and I'm wondering if the problem is because of that.
>
> Any suggestions from the port maintainers (or clues from anyone)
> would be much appreciated.

It has been fixed; someone has added evince as vulnerable by mistake.
Evince doesn't have any PDF source code in its tarball. It depends
on poppler, and poppler has been marked as safe (patched) a while ago.

Cheers,
Mezz

> [root@turion gnome2]# make install <snip>
> ===> gnome2-2.18.3 depends on executable: evince - not found
> ===> Verifying install for evince in /usr/ports/graphics/evince
> ===> evince-0.8.3_1 has known vulnerabilities:
> => xpdf -- stack based buffer overflow.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/0e43a14d-3f3f-11dc-a79a-0016179b2dd5.html>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/graphics/evince.
> *** Error code 1
>
> Stop in /usr/ports/x11/gnome2.
> *** Error code 1
>
> Stop in /usr/ports/x11/gnome2.

--
mezz7@cox.net - mezz@FreeBSD.org
FreeBSD GNOME Team - FreeBSD Multimedia Hat (ports, not src)
http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org
http://wiki.freebsd.org/multimedia - multimedia@FreeBSD.org