ports/127712: bad version specification for firefox3 in VuXML entry 2273879e-8a2f-11dd-a6fe-0030843d3802

Eygene Ryabinkin rea-fbsd at codelabs.ru
Mon Sep 29 11:10:04 UTC 2008 

>Number:         127712
>Category:       ports
>Synopsis:       bad version specification for firefox3 in VuXML entry 2273879e-8a2f-11dd-a6fe-0030843d3802
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 29 11:10:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD XXX 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #19: Tue Sep 23 13:21:48 MSD 2008 root at XXX:/usr/src/sys/i386/compile/XXX i386

>Description:

VuXML entry for 2273879e-8a2f-11dd-a6fe-0030843d3802,
  http://www.freebsd.org/ports/portaudit/2273879e-8a2f-11dd-a6fe-0030843d3802.html
  http://www.vuxml.org/freebsd/2273879e-8a2f-11dd-a6fe-0030843d3802.html
lists Firefox 3 version as 'firefox3 < 3.0.2,1'.  This seem to be
incorrect -- portaudit(8) will use 'pkg_info -E' to match on this
template, but there is no such port named "firefox3", only "firefox":
-----
$ pkg_info -E 'firefox3>1.0.0'
$ pkg_info -E 'firefox>1.0.0'
firefox-2.0.0.17,1
firefox-3.0.2,1
-----

Moreover, the Makefile in /usr/ports/www/firefox3 says 'PORTNAME =
firefox', so the corresponding entry in /var/db/pkg is named
'firefox-3.x.y,z'.  And this is the problem, because pkg_info matches on
the names from /var/db/pkg, not from the port directory names.

>How-To-Repeat:

Run 'pkg_info -E 'firefox3>1.0.0' on a system with FF3 port installed.

>Fix:

The proper version string would be 'firefox>=3.0.0,1<3.0.2,1'.  Please
note that 'firefox>=3.0.0<3.0.2,1' will catch current version of FF 2.x,
because EPOCH takes precedence over version:
-----
$ pkg_info -E 'firefox>=3.0.0<3.0.2,1'
firefox-2.0.0.17,1
-----
And as FreeBSD's firefox 3.x has epoch set to 1 since revision 1.1
of its Makefile, it will be safe to include the mentioned version
string -- it should catch everything that had that vulnerabilities.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list