Date:      Tue, 11 Nov 2008 01:59:18 -0500
From:      "Joseph S. Atkinson" <jsatkinson@embarqmail.com>
To:        Eduardo Cerejo <ejcerejo@optonline.net>
Cc:        Rick Voland <rpvoland@spamcop.net>, FreeBSD Ports <freebsd-ports@FreeBSD.org>, Martin Wilke <miwi@freebsd.org>
Subject:   Re: VLC fails to compile after cvsuping
Message-ID:  <49192D46.202@embarqmail.com>
In-Reply-To: <49190DC4.20000@spamcop.net>
References:  <20081110091440.daaa7da9.ejcerejo@optonline.net> <4918877B.8020705@gmail.com> <49190DC4.20000@spamcop.net>

Rick Voland wrote:
> Rene Ladan wrote:
>> Eduardo Cerejo wrote:
>>> I just cvsuped my ports tree and vlc is the only port that it is
>>> failing to compile.  I'm using FBSD 7stable and this is the error that
>>> I'm getting:
>>>
>>> --->  Upgrading 'vlc-0.8.6.i,2' to 'vlc-0.8.6.i_2,2' (multimedia/vlc)
>>> --->  Building '/usr/ports/multimedia/vlc'
>>> ===>  Cleaning for vlc-0.8.6.i_2,2
>>> ===>  vlc-0.8.6.i_2,2 has known vulnerabilities:
>>> => vlc -- cue processing stack overflow.
>>>    Reference:
>>> <http://www.FreeBSD.org/ports/portaudit/4b09378e-addb-11dd-a578-0030843d3802.html>
>>>
>>> => Please update your ports tree and try again.
>>> *** Error code 1
>>>
>>> Stop in /usr/ports/multimedia/vlc.
>>> ** Command failed [exit code 1]: /usr/bin/script -qa
>>> /tmp/portupgrade.1384.0 env UPGRADE_TOOL=portupgrade
>>> UPGRADE_PORT=vlc-0.8.6.i,2 UPGRADE_PORT_VER=0.8.6.i,2 make
>>> ** Fix the problem and try again.
>>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>>>         ! multimedia/vlc (vlc-0.8.6.i,2)        (unknown build error)
>> I don't know if this is a FAQ yet.  Add DISABLE_VULNERABILITIES=yes to your
>> /etc/make.conf and try again. This doesn't solve the vulnerabilities, so
>> IGNORE_VULNERABILITIES would be more appropriate in my opinion.
>>
>> Regards,
>> Rene
> 
> 
> I am confused.  The purpose of this update is to "solve the
> vulnerabilities" as indicated at:
> http://www.freshports.org/multimedia/vlc
> "Fix a stack overflow vulnerability...."
> 
> The security notice indicates that this version should be free of this
> particular issue.
> http://www.vuxml.org/freebsd/4b09378e-addb-11dd-a578-0030843d3802.html
> vlc -- cue processing stack overflow
> Affected packages
> vlc < 0.8.6i_2,2
> 
> So, why is portaudit preventing the updating to this version patched to
> solve the issue?
> 
> 
> Is the spelling difference important?
> 0.8.6i_2,2
> vs
> 0.8.6.i_2,2
> 
> 
> 
> Thanks,
> 
> Rick Voland
> rpvoland@spamcop.net
> 
> 
> 

The ".i" is done via the magic of the ports infrastructure. Took me a 
minute to realize where that came from.

It actually looks like the wrong port revision was entered into VuXML as 
vulnerable. 0.8.6.i_2,2 is the fixed version. You should be able to 
build it manually as a one off without modifying make.conf via:

# make build deinstall reinstall DISABLE_VULNERABILITIES=true

I am currently trying to find out what needs to be done to fix this properly.

Thanks for the heads up.
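
Added example (not part of the original message, and not portaudit's or the ports tree's own code): a simplified model of ports-style version ordering, applied to the two spellings quoted in the thread, to show how the spelling of an advisory's "<" bound decides whether the patched build is still flagged. The comparison rules (epoch first, then dot-separated components where a letter suffix ranks above the bare number, then port revision) and all function names are assumptions made for illustration.

```python
import re
from itertools import zip_longest

def split_pkgversion(pkgver):
    """Split 'version[_revision][,epoch]' into (version, revision, epoch)."""
    rest, _, epoch = pkgver.partition(",")
    version, _, revision = rest.partition("_")
    return version, int(revision or 0), int(epoch or 0)

def components(version):
    """'0.8.6i' -> [(0, ''), (8, ''), (6, 'i')]; '0.8.6.i' ends in (6, ''), (-1, 'i')."""
    parsed = []
    for part in version.lower().split("."):
        m = re.fullmatch(r"(\d*)([a-z]?)", part)
        if m is None:
            raise ValueError(f"unsupported component {part!r} in {version!r}")
        number = int(m.group(1)) if m.group(1) else -1  # assumption: letter-only part
        parsed.append((number, m.group(2)))
    return parsed

def compare(a, b):
    """Return -1, 0 or 1: epoch first, then dotted components, then revision."""
    ver_a, rev_a, epoch_a = split_pkgversion(a)
    ver_b, rev_b, epoch_b = split_pkgversion(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    pairs = zip_longest(components(ver_a), components(ver_b), fillvalue=(0, ""))
    for comp_a, comp_b in pairs:
        if comp_a != comp_b:
            return -1 if comp_a < comp_b else 1
    return (rev_a > rev_b) - (rev_a < rev_b)

def is_affected(candidate, lt_bound):
    """True when candidate falls inside an advisory range 'pkg < lt_bound'."""
    return compare(candidate, lt_bound) < 0

if __name__ == "__main__":
    candidate = "0.8.6.i_2,2"  # version string from the build log
    for bound in ("0.8.6i_2,2", "0.8.6.i_2,2"):  # both spellings from the thread
        print(f"{candidate} < {bound}: {is_affected(candidate, bound)}")
```

Under this model the bound spelled 0.8.6i_2,2 still matches the build 0.8.6.i_2,2, while the bound spelled 0.8.6.i_2,2 does not.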


