Date: Mon, 10 Nov 2008 22:44:52 -0600
From: Rick Voland <rpvoland@spamcop.net>
To: Rene Ladan <r.c.ladan@gmail.com>
Cc: jsa@wickedmachine.net, Eduardo Cerejo <ejcerejo@optonline.net>, FreeBSD-ports@FreeBSD.org
Subject: Re: VLC fails to compile after cvsuping
Message-ID: <49190DC4.20000@spamcop.net>
In-Reply-To: <4918877B.8020705@gmail.com>
References: <20081110091440.daaa7da9.ejcerejo@optonline.net> <4918877B.8020705@gmail.com>

Rene Ladan wrote:
> Eduardo Cerejo wrote:
>> I just cvsuped my ports tree and vlc is the only port that it is
>> failing to compile. I'm using FBSD 7stable and this is the error that
>> I'm getting:
>>
>> ---> Upgrading 'vlc-0.8.6.i,2' to 'vlc-0.8.6.i_2,2' (multimedia/vlc)
>> ---> Building '/usr/ports/multimedia/vlc'
>> ===> Cleaning for vlc-0.8.6.i_2,2
>> ===> vlc-0.8.6.i_2,2 has known vulnerabilities:
>> => vlc -- cue processing stack overflow.
>> Reference:
>> <http://www.FreeBSD.org/ports/portaudit/4b09378e-addb-11dd-a578-0030843d3802.html>
>>
>> => Please update your ports tree and try again.
>> *** Error code 1
>>
>> Stop in /usr/ports/multimedia/vlc.
>> ** Command failed [exit code 1]: /usr/bin/script -qa
>> /tmp/portupgrade.1384.0 env UPGRADE_TOOL=portupgrade
>> UPGRADE_PORT=vlc-0.8.6.i,2 UPGRADE_PORT_VER=0.8.6.i,2 make
>> ** Fix the problem and try again.
>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>> ! multimedia/vlc (vlc-0.8.6.i,2) (unknown build error)
>
> I don't know if this is a FAQ yet. Add DISABLE_VULNERABILITIES=yes to your
> /etc/make.conf and try again. This doesn't solve the vulnerabilities, so
> IGNORE_VULNERABILITIES would be more appropriate in my opinion.
>
> Regards,
> Rene

I am confused. The purpose of this update is to "solve the vulnerabilities" as indicated at:

http://www.freshports.org/multimedia/vlc
"Fix a stack overflow vulnerability...."

The security notice indicates that this version should be free of this particular issue.

http://www.vuxml.org/freebsd/4b09378e-addb-11dd-a578-0030843d3802.html

vlc -- cue processing stack overflow
Affected packages
vlc < 0.8.6i_2,2

So, why is portaudit preventing the updating to this version patched to solve the issue?

Is the spelling difference important?

0.8.6i_2,2 vs 0.8.6.i_2,2

Thanks,

Rick Voland
rpvoland@spamcop.net