Date: Thu, 19 Apr 2007 19:23:18 +0200 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Foxfair Hu <foxfair@drago.fomokka.net> Cc: security-team@freebsd.org, Lowell Gilbert <freebsd-ports-local@be-well.ilk.org>, David Southwell <david@vizion2000.net>, ports@freebsd.org, Kris Kennaway <kris@obsecurity.org>, jharris@widomaker.com Subject: Re: Lynx -vulnerabilities- is this permanent? Message-ID: <20070419172317.GA1039@zaphod.nitro.dk> In-Reply-To: <46274C13.3050604@drago.fomokka.net> References: <200704181057.34795.david@vizion2000.net> <44wt09ilei.fsf@be-well.ilk.org> <4626CFA1.1070209@drago.fomokka.net> <20070419034906.GA48902@xor.obsecurity.org> <46274C13.3050604@drago.fomokka.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2007.04.19 19:01:39 +0800, Foxfair Hu wrote: > Kris Kennaway wrote: > >On Thu, Apr 19, 2007 at 10:10:41AM +0800, Foxfair Hu wrote: > >>Lowell Gilbert wrote: > >>>David Southwell <david@vizion2000.net> writes: > >>> > >>>>portupgrade -a produces following output for lynx on cvsup from today. > >>>>freebsd 6.1 > >>>>----------------------------------------- > >>>>---> Upgrading 'lynx-2.8.5_2' to 'lynx-2.8.6_4' (www/lynx) > >>>>---> Building '/usr/ports/www/lynx' > >>>>===> Cleaning for lynx-2.8.6_4 > >>>>===> lynx-2.8.6_4 has known vulnerabilities: > >>>>=> lynx -- remote buffer overflow. > >>>> Reference: > >>>><http://www.FreeBSD.org/ports/portaudit/c01170bf-4990-11da-a1b8-000854d03344.html>; > >>>>=> Please update your ports tree and try again. > >>>>*** Error code 1 > >>>> > >>>>Stop in /usr/ports/www/lynx. > >>>> > >>>>Any news or advice forthcoming? > >>>That doesn't *seem* to be applicable to the current version. > >>>It looks like a version-number parsing problem producing a false warning. > >>>I don't have access to my build machine to check more closely, though... > >>> > >>Definitely a false alert, lynx 2.8.5rel4 had fixed the problem, and it > >>was rev1.112 of Makefile > >>in www/lynx. If no one objects, I'll put this diff to prevent portaudit > >>send wrong warning again: > > > >Wrong fix, fix the vuxml instead of hacking around it. > > vuxml -> security-team's baby. > Cc added. The problem is caused by interesting version numbering in the www/lynx-current port which now conflicts with www/lynx: [simon@zaphod:lynx-current] make -V PKGNAME lynx-2.8.7d4 Basically the problem was fixed in lynx-current (I assume, I haven't checked) 2.8.6d14 which really should have been 2.8.6.d14 to avoid problems like this. [simon@zaphod:~] pkg_version -t 2.8.6d14 2.8.6_4 > [simon@zaphod:~] pkg_version -t 2.8.6.d14 2.8.6_4 < I will try to have a look at how to work around this tonight, but I don't know if I will get to it today. -- Simon L. Nielsen FreeBSD Security Team
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070419172317.GA1039>