make gnome2 fails because evince has vulnerability

Jeremy Messenger mezz7 at cox.net
Mon Sep 10 15:05:52 PDT 2007


On Mon, 10 Sep 2007 14:52:31 -0500, John Murphy <freebsd001 at freeode.co.uk>  
wrote:

> malcolm_green at tiscali.co.uk wrote:
>
>> Dear freebsd-gnome team
>>    May I enquire of you about a problem when doing make install
>> in /usr/ports/x11/gnome2 under PCBSD 1.4RC. It fails saying
>> evince has a vulnerability. I have followed the advice output by
>> the make and used kports to update the ports, fetch a new index,
>> and update the ports-db. Upon re-issuing make install I get the
>> same error. Now I am unsure what to do. Surely the make install
>> script should not refuse to continue building but merely issue a
>> warning. There must be a way to prevent this blowup, but the whole
>> ports system is like an empty cube in space to a relatively new
>> BSD person.
>>
>> I can see that one way to avoid it would be to get a new evince,
>> but kports says my copy is the latest.
>> The ports I am using is supplied on the PCBSD CD so I don't know when
>> it dates from, and in any case I have updated the ports tree with
>> kports.
>
>> Perhaps there is a good document I should read.
>
> <- Snipped screen output (mine is the same as yours. See below.) ->
>
> Hi Malcolm,
>
> No solution, but just wanted to say I have the same problem on
> FreeBSD-6.2. I've run csup and portupgrade -arR. I've run the
> gnomelogalyzer.sh from within /usr/ports/x11/gnome2 and checked
> all of its suggestions. (The recommended mailing list archive
> search showed no results for evince or [k|x]pdf in 2007! I get
> the impression Rambler isn't updated much these days...).
>
> The only thing I haven't tried (and I'm loath to do so as I
> doubt it will help) is 'pkg_delete -rf pkg-config\*'.
>
> The reference URL:
>
> http://www.FreeBSD.org/ports/portaudit/0e43a14d-3f3f-11dc-a79a-0016179b2dd5.html
>
> mentions xpdf and kpdf. Do you have either of those installed?
> I have kpdf and I'm wondering if the problem is because of that.
>
> Any suggestions from the port maintainers (or clues from anyone)
> would be much appreciated.

It has been fixed; someone added evince as vulnerable by mistake.
Evince doesn't have any of the PDF source code in its tarball. It depends
on poppler, and poppler was marked as safe (patched) a while ago.

Cheers,
Mezz

> [root at turion gnome2]# make install
<snip>
> ===>   gnome2-2.18.3 depends on executable: evince - not found
> ===>    Verifying install for evince in /usr/ports/graphics/evince
> ===>  evince-0.8.3_1 has known vulnerabilities:
> => xpdf -- stack based buffer overflow.
>    Reference:  
> <http://www.FreeBSD.org/ports/portaudit/0e43a14d-3f3f-11dc-a79a-0016179b2dd5.html>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/graphics/evince.
> *** Error code 1
>
> Stop in /usr/ports/x11/gnome2.
> *** Error code 1
>
> Stop in /usr/ports/x11/gnome2.


-- 
mezz7 at cox.net  -  mezz at FreeBSD.org
FreeBSD GNOME Team  -  FreeBSD Multimedia Hat (ports, not src)
http://www.FreeBSD.org/gnome/  -  gnome at FreeBSD.org
http://wiki.freebsd.org/multimedia  -  multimedia at FreeBSD.org

