Date: Sat, 14 Apr 2007 14:52:48 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Steinar Bormer <steinab@ifi.uio.no> Cc: questions@freebsd.org Subject: Re: astro/google-earth Message-ID: <4620DCB0.8080306@infracaninophile.co.uk> In-Reply-To: <3jzvefz87sl.fsf@buri.ifi.uio.no> References: <3jzvefz87sl.fsf@buri.ifi.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigDDCF590989D05676AE90F046 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable Steinar Bormer wrote: > Greetings, >=20 >=20 > On 2007-04-13 astro/google-earth was updated. See: >=20 > <URL: http://www.freebsd.org/cgi/query-pr.cgi?pr=3D108864 > >=20 >=20 > The Makefile now says nothing about FORBIDDEN, but 'make' still gives > the following output: >=20 > ,---- > | # make > | =3D=3D=3D> google-earth-4.0.2735 has known vulnerabilities: > | =3D> google-earth -- heap overflow in the KML engine. > | Reference: <http://www.FreeBSD.org/ports/portaudit/5c9a2769-5ade-1= 1db-a5ae-00508d6a62df.html> > | =3D> Please update your ports tree and try again. > | *** Error code 1 > |=20 > | Stop in /usr/ports/astro/google-earth. > `---- >=20 > Needless to say I've updated the ports tree twice today, and Makefile, > distinfo and pkg-plist have been updated. You question boils down to: why does the ports system still think Google Earth v. 4.0.2735 is still vulnerable when portaudit and VuXML say that only versions earlier than 4.0.2414 are vulnerable? Ports certainly shouldn't do that given this: happy-idiot-talk:~:% pkg_version -t 4.0.2414 4.0.2735 < Looks like a bug to me. =20 > What I really don't understand is where this message quoted above is > coming from. It's not included in any of the four files in > /usr/ports/astro/google-earth, so it must be stored somewhere else. An= y > pointers on how to proceed from here are appreciated. >=20 This message comes from portaudit(1). There's a steaming great clue to that effect in the URL you quote. A good thing to try is downloading a new portaudit database: portaudit -F Then retry the update. Perhaps there was an error in the version numberi= ng in the version of the portaudit database you had originally, which has si= nce been fixed. This would have fixed it for me, if I had Google Earth insta= lled: happy-idiot-talk:...ports/astro/google-earth:% portaudit -C Affected package: google-earth-4.0.2735 Type of problem: google-earth -- heap overflow in the KML engine. Reference: <http://www.FreeBSD.org/ports/portaudit/5c9a2769-5ade-11db-a5a= e-00508d6a62df.html> happy-idiot-talk:...ports/astro/google-earth:% sudo portaudit -F=20 Password: auditfile.tbz 100% of 41 kB 49 kBps New database installed. happy-idiot-talk:...ports/astro/google-earth:% portaudit -C If you absolutely have to upgrade straight away and cannot, for some unimaginable reason, download a fresh portaudit database, then you can define the somewhat misnamed 'DISABLE_VUNERABILITIES' variable in your make environment. It doesn't disable any vulnerabilities per se -- much as we might desire that it should -- rather it disables all the warnings and lock-outs of installing ports with known vulnerabilities. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enigDDCF590989D05676AE90F046 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGINy28Mjk52CukIwRCDK/AJ9ODSMNdyd4gkhWv1rZLr7DVo7tLQCcD2xl sbXhxD9BvZrgpHsHjf13s/o= =2Qze -----END PGP SIGNATURE----- --------------enigDDCF590989D05676AE90F046--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4620DCB0.8080306>