From: "Joseph S. Atkinson"
Date: Tue, 11 Nov 2008 01:59:18 -0500
To: Eduardo Cerejo
Cc: Rick Voland, FreeBSD Ports, Martin Wilke
Subject: Re: VLC fails to compile after cvsuping
Message-ID: <49192D46.202@embarqmail.com>
In-Reply-To: <49190DC4.20000@spamcop.net>
List-Id: Porting software to FreeBSD

Rick Voland wrote:
> Rene Ladan wrote:
>> Eduardo Cerejo wrote:
>>> I just cvsuped my ports tree and vlc is the only port that it is
>>> failing to compile. I'm using FBSD 7stable and this is the error that
>>> I'm getting:
>>>
>>> ---> Upgrading 'vlc-0.8.6.i,2' to 'vlc-0.8.6.i_2,2' (multimedia/vlc)
>>> ---> Building '/usr/ports/multimedia/vlc'
>>> ===> Cleaning for vlc-0.8.6.i_2,2
>>> ===> vlc-0.8.6.i_2,2 has known vulnerabilities:
>>> => vlc -- cue processing stack overflow.
>>> Reference:
>>>
>>>
>>> => Please update your ports tree and try again.
>>> *** Error code 1
>>>
>>> Stop in /usr/ports/multimedia/vlc.
>>> ** Command failed [exit code 1]: /usr/bin/script -qa
>>> /tmp/portupgrade.1384.0 env UPGRADE_TOOL=portupgrade
>>> UPGRADE_PORT=vlc-0.8.6.i,2 UPGRADE_PORT_VER=0.8.6.i,2 make
>>> ** Fix the problem and try again.
>>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>>> ! multimedia/vlc (vlc-0.8.6.i,2) (unknown build error)
>> I don't know if this is a FAQ yet. Add DISABLE_VULNERABILITIES=yes to your
>> /etc/make.conf and try again. This doesn't solve the vulnerabilities, so
>> IGNORE_VULNERABILITIES would be more appropriate in my opinion.
>>
>> Regards,
>> Rene
>
>
> I am confused. The purpose of this update is to "solve the
> vulnerabilities" as indicated at:
> http://www.freshports.org/multimedia/vlc
> "Fix a stack overflow vulnerability...."
>
> The security notice indicates that this version should be free of this
> particular issue.
> http://www.vuxml.org/freebsd/4b09378e-addb-11dd-a578-0030843d3802.html
> vlc -- cue processing stack overflow
> Affected packages
> vlc < 0.8.6i_2,2
>
> So, why is portaudit preventing the updating to this version patched to
> solve the issue?
>
>
> Is the spelling difference important?
> 0.8.6i_2,2
> vs
> 0.8.6.i_2,2
>
>
>
> Thanks,
>
> Rick Voland
> rpvoland@spamcop.net
>
>
>

The ".i" is done via the magic of the ports infrastructure. Took me a minute to realize where that came from.

It actually looks like the wrong port revision was entered into VuXML as vulnerable. 0.8.6.i_2,2 is the fixed version.

You should be able to build it manually as a one off without modifying make.conf via:

# make build deinstall reinstall DISABLE_VULNERABILITIES=true

I am trying to find out what needs to be done to fix this proper currently. Thanks for the heads up.