From: mato <gamato@users.sf.net>
Date: Thu, 07 Dec 2006 18:16:18 +0100
To: Matthew Seaman
Cc: Vince, josh.carroll@psualum.com, freebsd-ports@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <45784C62.80904@users.sf.net>
In-Reply-To: <457826A3.9020702@infracaninophile.co.uk>
Subject: Re: portupgrade refusing to upgrade a port .. when it shouldn't imho

Matthew Seaman wrote:
> mato wrote:
>
>> On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
>>
>>> mato wrote:
>>>
>>>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
>>>>
>>>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
>>>>>>>> is forbidden: Remote code execution:
>>>>>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>>>>>>>>
>>>>>>>> Isn't this behaviour flawed? Or am I missing something?
>>>>>>>>
>>>>> You need to make config in /usr/ports/multimedia/win32-codecs, and
>>>>> unselect quicktime. Then the port should install. This is assuming,
>>>>> of course, that you can live without the QT codec(s).
>>>>>
>>>>> Josh
>>>>>
>>>> OK, I will try it.. Thank you all.
>>>>
>>>> But the question remains -- if the new port version is not vulnerable,
>>>> why can't I upgrade to it?
>>>>
>>>>
>>> It's only not vulnerable if you unselect the quicktime codec. The
>>> vulnerability is in the quicktime codec.
>>>
>>> The port will by default use the stored config in
>>> /var/db/ports/win32-codecs/options and if this says to use the quicktime
>>> codec then it will not upgrade. This seems pretty sensible to me.
>>>
>>> Vince
>>>
>>>
>> I cannot access and check the port's Makefile right now ... Is it the
>> Makefile which says (conditionally) "hey, I'm vulnerable" or is it the
>> portaudit/VuXML database which says that? I guess the former, otherwise
>> freshports.org should mark the port as vulnerable. Right?
>>
>
> In general, this sort of security flagging is done via portaudit's own database
> which is derived mostly from VuXML. To get around the lockout imposed by portaudit
> you can do:
>
> make DISABLE_VULNERABILITIES=yes
>
> but a) this doesn't disable any actual vulnerabilities, just the checking
> for their presence, and b) on your own head be it.
>
> Now, in the case of the win32-codecs port, it is done differently. The port
> Makefile says this:
>
> .if defined(WITH_QUICKTIME)
> FORBIDDEN= Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> ADDITIONAL_CODECS_DISTFILES+= qt63dlls-20050115.tar.bz2 \
> qtextras-20041107.tar.bz2
> PLIST_SUB+= QUICKTIME=""
> .else
> PLIST_SUB+= QUICKTIME="@comment "
> .endif
>
> ie. selecting the Quicktime plugins in the OPTIONS dialog, which causes
> WITH_QUICKTIME to be defined, means that the port will be marked forbidden,
> and any attempt to install it will be blocked.
>
> A simple 'make config' and unchecking that option will let you install
> the port with all of the other codecs.
>
> Freshports parses the VuXML database to mark ports as vulnerable -- the VuXML
> data contains a listing of the vulnerable package names and ranges of version
> numbers. VuXML doesn't actually have a way of distinguishing what options are
> enabled for the port, although the textual note in the entry explains the situation
> fairly clearly. It doesn't say "Users are advised to reinstall the port with the
> Quicktime support turned off" which might be a nice addition. The system will
> however prompt users to upgrade to a version of the port after the code to
> forbid installation with Quicktime stuff enabled was added.
>
> Cheers,
>
> Matthew
>

Matthew, that is a great answer!! Thank you! :-)

The last question would be how to make make(1)/portupgrade/the ports system ignore FORBIDDEN.

Anyway, thanks again.

Martin
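As an added example (not from the thread or the ports tree), a small POSIX sh check that reads a stored 'make config' options file like /var/db/ports/win32-codecs/options and reproduces the Makefile's FORBIDDEN decision, so an admin can see before running portupgrade why the port will be marked IGNORE and confirm that unchecking the option clears it. The options-file layout shown and the sample contents are assumed/constructed for the demo.

```shell
#!/bin/sh
# Added example: emulate the win32-codecs Makefile's FORBIDDEN test
# against a stored 'make config' options file. The file below is
# constructed for the demo; on a real host it would be
# /var/db/ports/win32-codecs/options.
OPTS_FILE="${TMPDIR:-/tmp}/win32-codecs.options.$$"
cat >"$OPTS_FILE" <<'EOF'
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for win32-codecs-3.1.0.p8,1
_OPTIONS_READ=win32-codecs-3.1.0.p8,1
WITH_QUICKTIME=true
WITHOUT_REALPLAYER=true
EOF

# option_enabled FILE OPTION: succeed (0) iff FILE has an uncommented
# 'WITH_<OPTION>=true' line, i.e. the knob the port Makefile tests
# with '.if defined(WITH_<OPTION>)'.
option_enabled() {
    grep -q "^WITH_$2=true$" "$1" 2>/dev/null
}

# forbidden_reason FILE: print the FORBIDDEN text the Makefile quoted in
# the thread would set when Quicktime is enabled, nothing otherwise.
forbidden_reason() {
    if option_enabled "$1" QUICKTIME; then
        echo "Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html"
    fi
}

# disable_option FILE OPTION: rewrite the stored config the way
# 'make config' would after unchecking OPTION (WITH_ -> WITHOUT_),
# which is the fix Josh and Vince recommend above.
disable_option() {
    sed -i.bak "s/^WITH_$2=true$/WITHOUT_$2=true/" "$1" && rm -f "$1.bak"
}

# Demo run: report the reason, then clear the knob and re-check.
r=$(forbidden_reason "$OPTS_FILE")
[ -n "$r" ] && echo "win32-codecs would be IGNOREd: $r"
disable_option "$OPTS_FILE" QUICKTIME
[ -z "$(forbidden_reason "$OPTS_FILE")" ] && echo "after make config: installable"
```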