From owner-freebsd-ports@FreeBSD.ORG Thu Dec 7 14:08:30 2006 Return-Path: X-Original-To: freebsd-ports@freebsd.org Delivered-To: freebsd-ports@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 35DAD16A47B; Thu, 7 Dec 2006 14:08:30 +0000 (UTC) (envelope-from gamato@users.sf.net) Received: from mail.pipni.cz (mail.pipni.cz [193.86.238.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2881E43CB8; Thu, 7 Dec 2006 14:07:37 +0000 (GMT) (envelope-from gamato@users.sf.net) Received: from mail.pipni.cz ([193.86.238.3]:44568 helo=gamato.org) id 1GsJvB-0000no-DA; Thu, 07 Dec 2006 15:08:21 +0100 From: "mato" To: Vince Date: Thu, 7 Dec 2006 15:08:21 +0100 Message-Id: <20061207140329.M59390@pobox.sk> In-Reply-To: <45781B2A.4000300@unsane.co.uk> References: <20061206233232.GA72778@xor.obsecurity.org> <45775FA0.7020206@users.sf.net> <8cb6106e0612061646m1a9b9f94nc33bdb36ad25594d@mail.gmail.com> <20061207131208.M28770@users.sf.net> <45781B2A.4000300@unsane.co.uk> X-Mailer: Open WebMail 2.51 20050627 X-OriginatingIP: 170.252.96.10 (m@gamato.org) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Cc: josh.carroll@psualum.com, freebsd-ports@freebsd.org, freebsd-questions@freebsd.org Subject: Re: portupgrade refusin to upgrade a port .. when it shouldn't imho X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2006 14:08:30 -0000 On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote > mato wrote: > > On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote > >>>>> ** Port marked as IGNORE: multimedia/win32-codecs: > >>>>> is forbidden: Remote code execution: > >>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html > >>>>> > >>>>> Isn't this behaviour flawed ?? Or am I missing something ? > >> You need to make config in /usr/ports/multimedia/win32-codecs, and > >> unselect quicktime. Then the port should install. This is assuming, > >> of course, that you can live without the QT codec(s). > >> > >> Josh > > > > > > OK, I will try it.. Thank you all. > > > > But the question remains -- if new port version is not vulnerable why i cannot > > upgrade to it ?? > > > Its only not vulnerable if you unselect the quicktime codec. the > vulnerability is in the quicktime codec. > > The port will by default use the stored config in > /var/db/ports/win32-codecs/options and if this says to use the quicktime > codec then it will not upgrade. This seems pretty sensible to me. > > Vince > I cannot access and check the port's Makefile right now ... Is it Makefile which says (conditionally) "hey i'm vulnerable" or is it portaudit/VuXML database which says that. I guess the former, otherwise freshports.org should mark the port as vulnerable. Right? Cheers, Martin