Date:      Thu, 07 Dec 2006 14:35:15 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        mato <gamato@users.sourceforge.net>
Cc:        Vince <jhary@unsane.co.uk>, josh.carroll@psualum.com, freebsd-ports@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
Message-ID:  <457826A3.9020702@infracaninophile.co.uk>
In-Reply-To: <20061207140329.M59390@pobox.sk>
References:  <el7e8s$9ak$1@sea.gmane.org>	<20061206233232.GA72778@xor.obsecurity.org>	<45775FA0.7020206@users.sf.net>	<8cb6106e0612061646m1a9b9f94nc33bdb36ad25594d@mail.gmail.com>	<20061207131208.M28770@users.sf.net>	<45781B2A.4000300@unsane.co.uk> <20061207140329.M59390@pobox.sk>


mato wrote:
> On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
>> mato wrote:
>>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
>>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
>>>>>>>         is forbidden: Remote code execution:
>>>>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>>>>>>>
>>>>>>> Isn't this behaviour flawed ??  Or am I missing something ?
>>>> You need to make config in /usr/ports/multimedia/win32-codecs, and
>>>> unselect quicktime. Then the port should install. This is assuming,
>>>> of course, that you can live without the QT codec(s).
>>>>
>>>> Josh
>>>
>>> OK, I will try it..  Thank you all.
>>>
>>> But the question remains -- if the new port version is not vulnerable why
>>> can I not upgrade to it ??
>>>
>> It's only not vulnerable if you unselect the quicktime codec. The
>> vulnerability is in the quicktime codec.
>>
>> The port will by default use the stored config in
>> /var/db/ports/win32-codecs/options and if this says to use the quicktime
>> codec then it will not upgrade. This seems pretty sensible to me.
>>
>> Vince
>>
>
>
> I cannot access and check the port's Makefile right now ... Is it the Makefile
> which says (conditionally) "hey i'm vulnerable" or is it the portaudit/VuXML
> database which says that?  I guess the former, otherwise freshports.org should
> mark the port as vulnerable.  Right?

In general, this sort of security flagging is done via portaudit's own database
which is derived mostly from VuXML.  To get around the lockout imposed by portaudit
you can do:

     make DISABLE_VULNERABILITIES=yes

but a) this doesn't disable any actual vulnerabilities, just the checking
for their presence, and b) on your own head be it.

Now, in the case of the win32-codecs port, it is done differently.  The port
Makefile says this:

.if defined(WITH_QUICKTIME)
FORBIDDEN=      Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
ADDITIONAL_CODECS_DISTFILES+=   qt63dlls-20050115.tar.bz2 \
                                qtextras-20041107.tar.bz2
PLIST_SUB+=     QUICKTIME=""
.else
PLIST_SUB+=     QUICKTIME="@comment "
.endif

i.e. selecting the Quicktime plugins in the OPTIONS dialog, which causes
WITH_QUICKTIME to be defined, means that the port will be marked forbidden,
and any attempt to install it will be blocked.

A simple 'make config' and unchecking that option will let you install
the port with all of the other codecs.

Freshports parses the VuXML database to mark ports as vulnerable -- the VuXML
data contains a listing of the vulnerable package names and ranges of version
numbers.  VuXML doesn't actually have a way of distinguishing what options are
enabled for the port, although the textual note in the entry explains the situation
fairly clearly.  It doesn't say "Users are advised to reinstall the port with the
Quicktime support turned off" which might be a nice addition.  The system will
however prompt users to upgrade to a version of the port after the code to
forbid installation with Quicktime stuff enabled was added.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
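The check Vince and Matthew describe, written out as an added example that is not part of the thread or of the ports tree: it reproduces the Makefile's ".if defined(WITH_QUICKTIME)" decision against a saved OPTIONS file so you can see, before running portupgrade, why the FORBIDDEN branch will fire. It assumes the 2006-era options-file format of "WITH_X=true" / "WITHOUT_X=true" lines; the sample file is constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree). bsd.port.mk includes
# the saved options file, so a "WITH_QUICKTIME=..." line is exactly what makes
# WITH_QUICKTIME defined and selects the FORBIDDEN branch in the Makefile.
# Assumption: options file uses "WITH_X=true" / "WITHOUT_X=true" lines.

# Exit 0 if the saved options would put the port in the FORBIDDEN branch.
forbidden_by_options() {
    optfile="$1"
    # No saved config: this file cannot define WITH_QUICKTIME.
    [ -r "$optfile" ] || return 1
    grep -q '^WITH_QUICKTIME=' "$optfile"
}

# Print what 'make config' saves once the Quicktime box is unchecked.
# Writes to stdout only; the supported fix is still 'make config' in the port dir.
unselect_quicktime() {
    sed -e 's/^WITH_QUICKTIME=.*/WITHOUT_QUICKTIME=true/' "$1"
}

# Constructed sample, standing in for /var/db/ports/win32-codecs/options.
SAMPLE_OPTIONS=$(mktemp)
cat > "$SAMPLE_OPTIONS" <<'EOF'
# This file is auto-generated by 'make config'.
# Options for win32-codecs (version placeholder, constructed sample)
WITH_QUICKTIME=true
WITHOUT_REALPLAYER=true
EOF

if forbidden_by_options "$SAMPLE_OPTIONS"; then
    echo "Quicktime selected: port would be FORBIDDEN; run 'make config' and unselect it"
else
    echo "Quicktime not selected: the port can be installed or upgraded"
fi
```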




