From: Matthew Seaman (m.seaman@infracaninophile.co.uk)
Date: Thu, 07 Dec 2006 14:35:15 +0000
To: mato
Cc: Vince, josh.carroll@psualum.com, freebsd-ports@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: portupgrade refusing to upgrade a port .. when it shouldn't imho
Message-ID: <457826A3.9020702@infracaninophile.co.uk>
In-Reply-To: <20061207140329.M59390@pobox.sk>

mato wrote:
> On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
>> mato wrote:
>>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
>>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
>>>>>>> is forbidden: Remote code execution:
>>>>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>>>>>>>
>>>>>>> Isn't this behaviour flawed ?? Or am I missing something ?
>>>> You need to make config in /usr/ports/multimedia/win32-codecs, and
>>>> unselect quicktime. Then the port should install. This is assuming,
>>>> of course, that you can live without the QT codec(s).
>>>>
>>>> Josh
>>>
>>> OK, I will try it.. Thank you all.
>>>
>>> But the question remains -- if the new port version is not vulnerable, why
>>> can't I upgrade to it ??
>>>
>> It's only not vulnerable if you unselect the quicktime codec. The
>> vulnerability is in the quicktime codec.
>>
>> The port will by default use the stored config in
>> /var/db/ports/win32-codecs/options and if this says to use the quicktime
>> codec then it will not upgrade. This seems pretty sensible to me.
>>
>> Vince
>>
>
>
> I cannot access and check the port's Makefile right now ... Is it the Makefile
> which says (conditionally) "hey i'm vulnerable" or is it the portaudit/VuXML
> database which says that? I guess the former, otherwise freshports.org should
> mark the port as vulnerable. Right?

In general, this sort of security flagging is done via portaudit's own database
which is derived mostly from VuXML. To get around the lockout imposed by
portaudit you can do:

    make DISABLE_VULNERABILITIES=yes

but a) this doesn't disable any actual vulnerabilities, just the checking for
their presence, and b) on your own head be it.

Now, in the case of the win32-codecs port, it is done differently. The port
Makefile says this:

    .if defined(WITH_QUICKTIME)
    FORBIDDEN=	Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
    ADDITIONAL_CODECS_DISTFILES+=	qt63dlls-20050115.tar.bz2 \
    				qtextras-20041107.tar.bz2
    PLIST_SUB+=	QUICKTIME=""
    .else
    PLIST_SUB+=	QUICKTIME="@comment "
    .endif

i.e. selecting the Quicktime plugins in the OPTIONS dialog, which causes
WITH_QUICKTIME to be defined, means that the port will be marked forbidden,
and any attempt to install it will be blocked. A simple 'make config' and
unchecking that option will let you install the port with all of the other
codecs.

Freshports parses the VuXML database to mark ports as vulnerable -- the VuXML
data contains a listing of the vulnerable package names and ranges of version
numbers. VuXML doesn't actually have a way of distinguishing what options are
enabled for the port, although the textual note in the entry explains the
situation fairly clearly.
It doesn't say "Users are advised to reinstall the port with the Quicktime
support turned off" which might be a nice addition. The system will however
prompt users to upgrade to a version of the port after the code to forbid
installation with Quicktime stuff enabled was added.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Flat 3, 7 Priory Courtyard, Ramsgate, Kent, CT11 9PW, UK
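The Makefile conditional above turns a saved OPTIONS choice into a FORBIDDEN port. As an added illustration (not code from the thread or from the port), the script below reproduces that decision outside of make: it reads a saved options file and reports whether the build would be blocked, so an admin can see why portupgrade refuses before touching `make config`. It assumes the old-style options file format with `WITH_FOO=true` / `WITHOUT_FOO=true` lines; the function names and the sample files are constructed here.

```shell
#!/bin/sh
# Added example: emulate ".if defined(WITH_QUICKTIME)" from the
# win32-codecs Makefile against a saved OPTIONS file. The real file
# lives at /var/db/ports/win32-codecs/options; the path is a parameter.
# Assumed format: one "WITH_<OPT>=true" or "WITHOUT_<OPT>=true" per option.

# Reason text copied from the port Makefile quoted in the thread.
FORBIDDEN_REASON='Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html'

# quicktime_enabled FILE: succeed iff WITH_QUICKTIME is set, i.e. the
# condition under which make would define WITH_QUICKTIME.
quicktime_enabled() {
    grep -q '^WITH_QUICKTIME=' "$1" 2>/dev/null
}

# forbidden_reason FILE: print the FORBIDDEN text and return 1 when the
# port would be blocked; print nothing and return 0 when it would build.
forbidden_reason() {
    if quicktime_enabled "$1"; then
        printf '%s\n' "$FORBIDDEN_REASON"
        return 1
    fi
    return 0
}

# Constructed sample options files (hypothetical contents, not real ones).
TMP=$(mktemp -d)
cat > "$TMP/with_qt" <<'EOF'
# Options for win32-codecs (constructed sample)
WITH_QUICKTIME=true
EOF
cat > "$TMP/without_qt" <<'EOF'
# Options for win32-codecs (constructed sample)
WITHOUT_QUICKTIME=true
EOF

for f in "$TMP/with_qt" "$TMP/without_qt"; do
    if reason=$(forbidden_reason "$f"); then
        echo "$(basename "$f"): would build"
    else
        echo "$(basename "$f"): FORBIDDEN ($reason)"
    fi
done
```

Unselecting the option in `make config` rewrites the file with a WITHOUT_QUICKTIME line, which is exactly the change that makes the check pass.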