ports/127712: bad version specification for firefox3 in VuXML entry 2273879e-8a2f-11dd-a6fe-0030843d3802
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Mon Sep 29 11:10:04 UTC 2008
>Number: 127712
>Category: ports
>Synopsis: bad version specification for firefox3 in VuXML entry 2273879e-8a2f-11dd-a6fe-0030843d3802
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Sep 29 11:10:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXX 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #19: Tue Sep 23 13:21:48 MSD 2008 root at XXX:/usr/src/sys/i386/compile/XXX i386
>Description:
VuXML entry for 2273879e-8a2f-11dd-a6fe-0030843d3802,
http://www.freebsd.org/ports/portaudit/2273879e-8a2f-11dd-a6fe-0030843d3802.html
http://www.vuxml.org/freebsd/2273879e-8a2f-11dd-a6fe-0030843d3802.html
lists Firefox 3 version as 'firefox3 < 3.0.2,1'. This seem to be
incorrect -- portaudit(8) will use 'pkg_info -E' to match on this
template, but there is no such port named "firefox3", only "firefox":
-----
$ pkg_info -E 'firefox3>1.0.0'
$ pkg_info -E 'firefox>1.0.0'
firefox-2.0.0.17,1
firefox-3.0.2,1
-----
Moreover, the Makefile in /usr/ports/www/firefox3 says 'PORTNAME =
firefox', so the corresponding entry in /var/db/pkg is named
'firefox-3.x.y,z'. And this is the problem, because pkg_info matches on
the names from /var/db/pkg, not from the port directory names.
>How-To-Repeat:
Run 'pkg_info -E 'firefox3>1.0.0' on a system with FF3 port installed.
>Fix:
The proper version string would be 'firefox>=3.0.0,1<3.0.2,1'. Please
note that 'firefox>=3.0.0<3.0.2,1' will catch current version of FF 2.x,
because EPOCH takes precedence over version:
-----
$ pkg_info -E 'firefox>=3.0.0<3.0.2,1'
firefox-2.0.0.17,1
-----
And as FreeBSD's firefox 3.x has epoch set to 1 since revision 1.1
of its Makefile, it will be safe to include the mentioned version
string -- it should catch everything that had that vulnerabilities.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list