portupgrade refusing to upgrade a port .. when it shouldn't imho

mato gamato at users.sf.net
Thu Dec 7 09:16:25 PST 2006


Matthew Seaman wrote:
> mato wrote:
>   
>> On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
>>     
>>> mato wrote:
>>>       
>>>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
>>>>         
>>>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
>>>>>>>>         is forbidden: Remote code execution:
>>>>>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>>>>>>>>
>>>>>>>> Isn't this behaviour flawed ??  Or am I missing something ?
>>>>>>>>                 
>>>>> You need to make config in /usr/ports/multimedia/win32-codecs, and
>>>>> unselect quicktime. Then the port should install. This is assuming,
>>>>>  of course, that you can live without the QT codec(s).
>>>>>
>>>>> Josh
>>>>>           
>>>> OK, I will try it..  Thank you all.
>>>>
>>>> But the question remains -- if the new port version is not vulnerable, why can't I
>>>> upgrade to it ??
>>>>
>>>>         
>>> It's only not vulnerable if you unselect the quicktime codec. The
>>> vulnerability is in the quicktime codec.
>>>
>>> The port will by default use the stored config in
>>> /var/db/ports/win32-codecs/options and if this says to use the quicktime
>>> codec then it will not upgrade. This seems pretty sensible to me.
>>>
>>> Vince
>>>
>>>       
>> I cannot access and check the port's Makefile right now ... Is it the Makefile
>> which says (conditionally) "hey i'm vulnerable" or is it the portaudit/VuXML
>> database which says that?  I guess the former, otherwise freshports.org should
>> mark the port as vulnerable.  Right?
>>     
>
> In general, this sort of security flagging is done via portaudit's own database
> which is derived mostly from VuXML.  To get around the lockout imposed by portaudit
> you can do:
>
>      make DISABLE_VULNERABILITIES=yes
>
> but a) this doesn't disable any actual vulnerabilities, just the checking
> for their presence, and b) on your own head be it.
>
> Now, in the case of the win32-codecs port, it is done differently.  The port
> Makefile says this:
>
> .if defined(WITH_QUICKTIME)
> FORBIDDEN=      Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> ADDITIONAL_CODECS_DISTFILES+=   qt63dlls-20050115.tar.bz2 \
>                                 qtextras-20041107.tar.bz2
> PLIST_SUB+=     QUICKTIME=""
> .else
> PLIST_SUB+=     QUICKTIME="@comment "
> .endif
>
> i.e. selecting the Quicktime plugins in the OPTIONS dialog, which causes
> WITH_QUICKTIME to be defined, means that the port will be marked forbidden,
> and any attempt to install it will be blocked.
>
> A simple 'make config' and unchecking that option will let you install
> the port with all of the other codecs.
>
> Freshports parses the VuXML database to mark ports as vulnerable -- the VuXML
> data contains a listing of the vulnerable package names and ranges of version
> numbers.  VuXML doesn't actually have a way of distinguishing what options are
> enabled for the port, although the textual note in the entry explains the situation
> fairly clearly.  It doesn't say "Users are advised to reinstall the port with the
> Quicktime support turned off" which might be a nice addition.  The system will
> however prompt users to upgrade to a version of the port after the code to
> forbid installation with Quicktime stuff enabled was added.
>
> 	Cheers,
>
> 	Matthew
>
>   

Matthew, that is a great answer!!
Thank you! :-)

The last question would be how to make make(1)/portupgrade/the ports system
ignore FORBIDDEN.

Anyway, thanks again.

Martin
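The conditional FORBIDDEN logic in the Makefile fragment Matthew quotes, as an added example that is not part of this thread: a small Python evaluator that reads a stored options file in the old WITH_/WITHOUT_ format and reports whether those options would leave the port forbidden. The options file contents and the port version string are constructed; only the VuXML URL comes from the thread.

```python
import re

# Constructed stand-in for the conditional block quoted from the
# win32-codecs Makefile (the VuXML URL is the one cited in the thread).
MAKEFILE_FRAGMENT = """\
.if defined(WITH_QUICKTIME)
FORBIDDEN=      Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
PLIST_SUB+=     QUICKTIME=""
.else
PLIST_SUB+=     QUICKTIME="@comment "
.endif
"""

# Constructed /var/db/ports/win32-codecs/options as `make config` would
# save it with the Quicktime box ticked (version string is made up).
OPTIONS_WITH_QT = """\
# This file is auto-generated by 'make config'.
_OPTIONS_READ=win32-codecs-0.0.0
WITH_QUICKTIME=true
WITHOUT_REALPLAYER=true
"""

def parse_options(text):
    """Return the variables an options file defines (comments skipped)."""
    defined = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            defined[name.strip()] = value.strip()
    return defined

def forbidden_reason(makefile, defined):
    """Walk .if defined()/.else/.endif; return FORBIDDEN if a taken branch sets it."""
    stack = []  # one (enclosing_active, branch_taken) pair per open .if
    active = lambda: all(e and t for e, t in stack)
    reason = None
    for raw in makefile.splitlines():
        line = raw.strip()
        m = re.match(r"\.if\s+defined\((\w+)\)", line)
        if m:
            stack.append((active(), m.group(1) in defined))
        elif line == ".else":
            enclosing, taken = stack.pop()
            stack.append((enclosing, not taken))
        elif line == ".endif":
            stack.pop()
        elif line.startswith("FORBIDDEN=") and active():
            reason = line[len("FORBIDDEN="):].strip()
    return reason

def upgrade_blocked(makefile, options_text):
    """Mirror the port's decision: stored WITH_* options define variables,
    and a FORBIDDEN set under them blocks both install and upgrade."""
    reason = forbidden_reason(makefile, parse_options(options_text))
    return reason is not None, reason
```

Re-running `upgrade_blocked` on the same options text with `WITH_QUICKTIME` replaced by `WITHOUT_QUICKTIME` (what unticking the option in `make config` produces) reports the port as no longer blocked.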

