portupgrade refusin to upgrade a port .. when it shouldn't imho
gamato at users.sf.net
Thu Dec 7 06:08:30 PST 2006
On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
> mato wrote:
> > On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
> >>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
> >>>>> is forbidden: Remote code execution:
> >>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> >>>>> Isn't this behaviour flawed ?? Or am I missing something ?
> >> You need to make config in /usr/ports/multimedia/win32-codecs, and
> >> unselect quicktime. Then the port should install. This is assuming,
> >> of course, that you can live without the QT codec(s).
> >> Josh
> > OK, I will try it.. Thank you all.
> > But the question remains -- if new port version is not vulnerable why i cannot
> > upgrade to it ??
> Its only not vulnerable if you unselect the quicktime codec. the
> vulnerability is in the quicktime codec.
> The port will by default use the stored config in
> /var/db/ports/win32-codecs/options and if this says to use the quicktime
> codec then it will not upgrade. This seems pretty sensible to me.
I cannot access and check the port's Makefile right now ... Is it Makefile
which says (conditionally) "hey i'm vulnerable" or is it portaudit/VuXML
database which says that. I guess the former, otherwise freshports.org should
mark the port as vulnerable. Right?
More information about the freebsd-ports