Date:      Fri, 3 Jul 2015 06:01:03 -0700
From:      David Wolfskill <david@catwhisker.org>
To:        freebsd-ports@freebsd.org
Subject:   Please help un-confuse me about vuxml
Message-ID:  <20150703130103.GM1472@albert.catwhisker.org>



Before I get started on something that is likely to devolve into
something a bit "rant-ish," I will take this opportunity to thank the
folks who work on things such as maintaining ports, the port- and
package-building infrastructure, and maintaining the vulnerability
database(s).  (For about 3 decades of my career, I worked in
sysadmin(-like) positions; I'm familiar with the value of
well-maintained infrastructure... and that infrastructure and those who
maintain it usually get noticed when something is perceived to be
"wrong.")  That said, as the Subject indicates, I'm confused about
something....

Upon an initial successful smoke test after a src update of FreeBSD, it
is my practice to then update the installed ports.

As I do this moderately frequently (generally, daily), I build the ports
(rather than rely on externally-built packages).  I use portmaster(8) to
do this (and have been doing so for several years).

Today, the ports selected for update (after addressing the ffmpeg update)
were:

===>>> The following actions will be taken if you choose to proceed:
        Upgrade R-cran-stringi-0.5.2_1 to R-cran-stringi-0.5.5
        Upgrade harfbuzz-0.9.40_1 to harfbuzz-0.9.41
        Upgrade iso-codes-3.57 to iso-codes-3.59
        Upgrade netpbm-10.35.94_1 to netpbm-10.35.96
        Upgrade openjdk-7.80.15,1 to openjdk-7.80.15_1,1
        Upgrade p5-DateTime-1.19 to p5-DateTime-1.20
        Upgrade p5-DateTime-TimeZone-1.92 to p5-DateTime-TimeZone-1.92_1
        Upgrade mplayer-1.1.r20150403_2 to mplayer-1.1.r20150403_3
        Upgrade wireshark-1.12.5_1 to wireshark-1.12.6

===>>> Proceed? y/n [y]


As indicated, I told it to proceed (while I directed my focus
elsewhere).

I was thus a bit startled (and yes, annoyed) a few minutes later to see:

| ...
| ===>>> Deleting stale distfile: iso-codes-3.57.tar.xz
| 0;portmaster: All (9)^G===>>> Returning to update check of installed ports
| 
| ===>>> Launching child to install graphics/netpbm
| 
| ===>>> All >> graphics/netpbm (4/9)
| 0;portmaster: All >> graphics/netpbm (4/9)^G
| ===>>> Currently installed version: netpbm-10.35.94_1
| ===>>> Port directory: /usr/ports/graphics/netpbm
| 
| ===>>> Starting check for build dependencies
| ===>>> Gathering dependency list for graphics/netpbm from ports
| ===>>> Dependency check complete for graphics/netpbm
| 
| ===>>> All >> netpbm-10.35.94_1 (4/9)
| 0;portmaster: All >> netpbm-10.35.94_1 (4/9)^G
| ===>  Cleaning for netpbm-10.35.96
| ===>  netpbm-10.35.96 has known vulnerabilities:
| netpbm-10.35.96 is vulnerable:
| dcraw -- integer overflow condition
| CVE: CVE-2015-3885
| WWW: https://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html
| 
| 1 problem(s) in the installed packages found.
| => Please update your ports tree and try again.
| => Note: Vulnerable ports are marked as such even if there is no update available.
| => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
| *** Error code 1
| 
| Stop.
| make[1]: stopped in /common/ports/graphics/netpbm
| *** Error code 1
| 
| Stop.
| make: stopped in /common/ports/graphics/netpbm
| 
| ===>>> make build failed for graphics/netpbm
| ===>>> Aborting update
| 
| ===>>> Update for graphics/netpbm failed
| ===>>> Aborting update
| 
| ===>>> The following actions were performed:
|         Upgrade of R-cran-stringi-0.5.2_1 to R-cran-stringi-0.5.5
|         Upgrade of harfbuzz-0.9.40_1 to harfbuzz-0.9.41
|         Upgrade of iso-codes-3.57 to iso-codes-3.59
| 
| ===>>> You can restart from the point of failure with this command line:
|        portmaster <flags> graphics/netpbm java/openjdk7 devel/p5-DateTime devel/p5-DateTime-TimeZone multimedia/mplayer net/wireshark
| 


I then turned my attention to my /usr/ports SVN working copy to check
the update log for graphics/netpbm/Makefile; the most recent entry was:

| ------------------------------------------------------------------------
| r391058 | feld | 2015-07-01 06:28:35 -0700 (Wed, 01 Jul 2015) | 6 lines
| 
| Update to 10.35.96
| 
| CVE-2015-3885 fix is included
| 
| Approved by:    ports-secteam (with hat)
| 
| ------------------------------------------------------------------------

And that combination of things catalyzed this note.

Here's what I'm seeing:
- There is a claim that the port to which I was trying to update was
  "vulnerable" per vuxml.

- The vuxml entry effectively required human intervention to update
  the port.

- The most recent update to the port itself claimed that it had a
  fix to address said vulnerability.  (This gives one reason to
  wonder why *this* version of the port had a vuxml entry, then.)

- I had no feasible way to have a clue about any of this until the
  artificial failure disrupted the usual update process.

- As far as I can tell, there was no value in the existence of the vuxml
  entry for this port under these circumstances.  Rather, it was merely
  annoying and disruptive, for no gain whatsoever.  There wasn't even an
  UPDATING entry to warn a person about what was going on.

So... what am I missing?  How is a vuxml entry for ports/graphics/netpbm
@r391058 that claims it's vulnerable per CVE-2015-3885 useful or
helpful?

Thanks....

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Those who murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
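The failure quoted above is the ports tree's vulnerability check matching the new package version, netpbm-10.35.96, against the version range in the vuxml entry for CVE-2015-3885: if the entry's upper bound still lies above the version that carries the fix, the fixed version is flagged and the build stops. The script below is an added illustration of that range check, not code from this mail, from portmaster or from FreeBSD's pkg(8)/vuxml tooling. The vid, topic and CVE in the fragment are the ones quoted in the build output; the `<lt>` bound is a placeholder (the mail does not show the entry's actual range), and the version ordering is a simplified approximation of pkg(8)'s (epoch, then dotted components, then port revision).

```python
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed vuxml fragment. vid, topic and CVE are the ones quoted in the
# portmaster output; the <lt> bound is a placeholder, parameterised so that a
# stale bound and a corrected bound can be compared side by side.
VUXML_TEMPLATE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="57325ecf-facc-11e4-968f-b888e347c638">
    <topic>dcraw -- integer overflow condition</topic>
    <affects>
      <package>
        <name>netpbm</name>
        <range><lt>{upper}</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2015-3885</cvename>
    </references>
  </vuln>
</vuxml>
"""


def vuxml_entry(upper):
    """Return the constructed entry with the given exclusive upper bound."""
    return VUXML_TEMPLATE.format(upper=upper)


def parse_pkgversion(v):
    """Split 'VERSION[_PORTREVISION][,PORTEPOCH]' into (epoch, parts, revision).

    Simplified approximation of pkg(8) ordering: the epoch is most
    significant, then the dotted version components, then the port revision.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    # numeric chunks compare numerically, alphabetic chunks lexically
    parts = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return epoch, parts, revision


def cmp_version(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, pa, ra = parse_pkgversion(a)
    eb, pb, rb = parse_pkgversion(b)
    if ea != eb:
        return 1 if ea > eb else -1
    n = max(len(pa), len(pb))
    pa += [(0, 0)] * (n - len(pa))   # pad so 10.35 sorts below 10.35.1
    pb += [(0, 0)] * (n - len(pb))
    for x, y in zip(pa, pb):
        if x != y:
            return 1 if x > y else -1
    if ra != rb:
        return 1 if ra > rb else -1
    return 0


# vuxml range operators, applied to cmp_version(candidate, bound)
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def range_matches(range_el, version):
    """A <range> matches when every bound it lists holds for the version."""
    for bound in range_el:
        op = bound.tag.split("}")[-1]          # strip the XML namespace
        if not OPS[op](cmp_version(version, bound.text.strip())):
            return False
    return True


def audit(vuxml_text, pkgname, version):
    """Return [(vid, topic, [cve, ...])] for each entry flagging pkgname-version."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != pkgname:
                continue
            if any(range_matches(r, version) for r in pkg.findall("v:range", NS)):
                cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
                hits.append((vuln.get("vid"),
                             vuln.findtext("v:topic", namespaces=NS), cves))
    return hits


if __name__ == "__main__":
    # A bound above the fixed version keeps flagging it; a bound equal to the
    # fixed version lets netpbm-10.35.96 through.
    for upper in ("10.35.97", "10.35.96"):
        hits = audit(vuxml_entry(upper), "netpbm", "10.35.96")
        state = "VULNERABLE " + ", ".join(hits[0][2]) if hits else "clean"
        print(f"<lt>{upper}</lt>: netpbm-10.35.96 -> {state}")
```

Running the script prints both outcomes for the same package version, which is the diagnostic to do when a freshly committed "fix included" version is still flagged: compare the port's new version against the entry's range bounds rather than assume the build check is wrong. On a real system the ports framework's check consults the vuln.xml database that pkg(8) fetches, so "Please update your ports tree" and refreshing that database are what resolve the condition once the entry's range has been corrected upstream; `DISABLE_VULNERABILITIES=yes` merely skips the check for that one build.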

