portupgrade refusing to upgrade a port .. when it shouldn't imho

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Dec 7 06:37:34 PST 2006


mato wrote:
> On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
>> mato wrote:
>>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
>>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
>>>>>>>         is forbidden: Remote code execution:
>>>>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>>>>>>>
>>>>>>> Isn't this behaviour flawed ??  Or am I missing something ?
>>>> You need to make config in /usr/ports/multimedia/win32-codecs, and
>>>> unselect quicktime. Then the port should install. This is assuming,
>>>>  of course, that you can live without the QT codec(s).
>>>>
>>>> Josh
>>>
>>> OK, I will try it..  Thank you all.
>>>
>>> But the question remains -- if the new port version is not vulnerable, why can I not
>>> upgrade to it?
>>>
>> It's only not vulnerable if you unselect the quicktime codec. The
>> vulnerability is in the quicktime codec.
>>
>> The port will by default use the stored config in
>> /var/db/ports/win32-codecs/options and if this says to use the quicktime
>> codec then it will not upgrade. This seems pretty sensible to me.
>>
>> Vince
>>
> 
> 
> I cannot access and check the port's Makefile right now ... Is it the Makefile
> which says (conditionally) "hey, I'm vulnerable", or is it the portaudit/VuXML
> database which says that?  I guess the former; otherwise freshports.org should
> mark the port as vulnerable.  Right?

In general, this sort of security flagging is done via portaudit's own database
which is derived mostly from VuXML.  To get around the lockout imposed by portaudit
you can do:

     make DISABLE_VULNERABILITIES=yes

but a) this doesn't disable any actual vulnerabilities, just the checking
for their presence, and b) on your own head be it.

Now, in the case of the win32-codecs port, it is done differently.  The port
Makefile says this:

.if defined(WITH_QUICKTIME)
FORBIDDEN=      Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
ADDITIONAL_CODECS_DISTFILES+=   qt63dlls-20050115.tar.bz2 \
                                qtextras-20041107.tar.bz2
PLIST_SUB+=     QUICKTIME=""
.else
PLIST_SUB+=     QUICKTIME="@comment "
.endif

i.e., selecting the Quicktime plugins in the OPTIONS dialog, which causes
WITH_QUICKTIME to be defined, means that the port will be marked forbidden,
and any attempt to install it will be blocked.

A simple 'make config' and unchecking that option will let you install
the port with all of the other codecs.

Freshports parses the VuXML database to mark ports as vulnerable -- the VuXML
data contains a listing of the vulnerable package names and ranges of version
numbers.  VuXML doesn't actually have a way of distinguishing what options are
enabled for the port, although the textual note in the entry explains the situation
fairly clearly.  It doesn't say "Users are advised to reinstall the port with the
Quicktime support turned off" which might be a nice addition.  The system will
however prompt users to upgrade to a version of the port after the code to
forbid installation with Quicktime stuff enabled was added.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
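An added illustration of the VuXML matching Matthew describes above (this is not code from the thread, from portaudit or from Freshports): it parses a VuXML <affects> entry and compares installed package names and versions against its <range>, which makes visible why the database can only flag name plus version range and never sees the port's saved OPTIONS such as WITH_QUICKTIME. The VuXML fragment, the package versions and the simplified pkg_version ordering are constructed assumptions; only the vid is taken from the thread.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed VuXML fragment; only the vid is taken from the thread.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 <vuln vid="24f6b1eb-43d5-11db-81e1-000e0c2e438a">
  <topic>win32-codecs -- remote code execution (constructed sample)</topic>
  <affects><package><name>win32-codecs</name>
   <range><lt>2.0.0.0.3_1,1</lt></range></package></affects>
 </vuln>
</vuxml>"""

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def parse_version(v):
    """'version[_PORTREVISION][,PORTEPOCH]' -> (epoch, components, revision).
    Simplified pkg_version(1) ordering (assumption): 'r1' etc. count as 0."""
    epoch = rev = 0
    if "," in v:
        v, epoch = v.rsplit(",", 1)
    if "_" in v:
        v, rev = v.rsplit("_", 1)
    parts = tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
    return (int(epoch), parts, int(rev))

def affected_vids(vuxml_text, installed):
    """Map installed 'name-version' strings to the vids whose <range> they fall in.
    Conditions inside one <range> are ANDed; separate <range>s are ORed.
    Note what is NOT consulted: the port's saved OPTIONS (e.g. WITH_QUICKTIME)."""
    root = ET.fromstring(vuxml_text)
    hits = {}
    for vuln in root.iter(NS + "vuln"):
        for pkg in vuln.iter(NS + "package"):
            names = {n.text for n in pkg.findall(NS + "name")}
            for inst in installed:
                name, _, ver = inst.rpartition("-")   # 'win32-codecs-2.0.0.0.3,1'
                if name not in names:
                    continue
                v = parse_version(ver)
                for rng in pkg.findall(NS + "range"):
                    conds = [OPS[c.tag[len(NS):]](v, parse_version(c.text)) for c in rng]
                    if conds and all(conds):
                        hits.setdefault(inst, []).append(vuln.get("vid"))
                        break
    return hits
```

Running affected_vids over "win32-codecs-2.0.0.0.3,1" and "win32-codecs-2.0.0.0.3_1,1" flags only the former, whatever the Quicktime option is set to; the option-dependent block lives in the port Makefile, not in VuXML.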
