Lynx -vulnerabilities- is this permanent?

Simon L. Nielsen simon at FreeBSD.org
Thu Apr 19 17:41:11 UTC 2007


On 2007.04.19 19:01:39 +0800, Foxfair Hu wrote:
> Kris Kennaway wrote:
> >On Thu, Apr 19, 2007 at 10:10:41AM +0800, Foxfair Hu wrote:
> >>Lowell Gilbert wrote:
> >>>David Southwell <david at vizion2000.net> writes:
> >>>
> >>>>portupgrade -a produces following output for lynx on cvsup from today.
> >>>>freebsd 6.1
> >>>>-----------------------------------------
> >>>>--->  Upgrading 'lynx-2.8.5_2' to 'lynx-2.8.6_4' (www/lynx)
> >>>>--->  Building '/usr/ports/www/lynx'
> >>>>===>  Cleaning for lynx-2.8.6_4
> >>>>===>  lynx-2.8.6_4 has known vulnerabilities:
> >>>>=> lynx -- remote buffer overflow.
> >>>>   Reference: <http://www.FreeBSD.org/ports/portaudit/c01170bf-4990-11da-a1b8-000854d03344.html>
> >>>>=> Please update your ports tree and try again.
> >>>>*** Error code 1
> >>>>
> >>>>Stop in /usr/ports/www/lynx.
> >>>>
> >>>>Any news or advice forthcoming?
> >>>That doesn't *seem* to be applicable to the current version.
> >>>It looks like a version-number parsing problem producing a false warning.
> >>>I don't have access to my build machine to check more closely, though...
> >>>
> >>Definitely a false alert, lynx 2.8.5rel4 had fixed the problem, and it
> >>was rev1.112 of Makefile
> >>in www/lynx. If no one objects, I'll put in this diff to prevent portaudit
> >>from sending the wrong warning again:
> >
> >Wrong fix, fix the vuxml instead of hacking around it.
> 
> vuxml -> security-team's baby.
> Cc added.

The problem is caused by interesting version numbering in the
www/lynx-current port which now conflicts with www/lynx:

[simon at zaphod:lynx-current] make -V PKGNAME
lynx-2.8.7d4

Basically the problem was fixed in lynx-current (I assume, I haven't
checked) 2.8.6d14 which really should have been 2.8.6.d14 to avoid
problems like this.

[simon at zaphod:~] pkg_version -t 2.8.6d14 2.8.6_4
>
[simon at zaphod:~] pkg_version -t 2.8.6.d14 2.8.6_4
<

I will try to have a look at how to work around this tonight, but I
don't know if I will get to it today.

-- 
Simon L. Nielsen
FreeBSD Security Team
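
The two pkg_version -t results in the message above can be reproduced with a small model of the version ordering. This is an added example, not part of the original message and not the pkg_version source; the parsing rules and the names `split_version`, `components` and `compare` are assumptions made for illustration.

```python
import re
from itertools import zip_longest

# Simplified model of the ports version ordering (an assumption, not the
# pkg_version source). Release-stage names ("rc", "beta") and the "*"
# wildcard are not modelled.
# One component: optional number, optional letter run, optional patchlevel,
# followed by any "." or "+" separators.
_COMPONENT = re.compile(r"(\d+)?(?:([A-Za-z])[A-Za-z]*(\d+)?)?[.+]*")

def split_version(pkgver):
    """Split 'version[_revision][,epoch]' into (epoch, version, revision)."""
    rest, _, epoch = pkgver.partition(",")
    version, _, revision = rest.partition("_")
    return int(epoch or 0), version, int(revision or 0)

def components(version):
    """Parse a version string into (number, letter, patchlevel) tuples."""
    out, pos = [], 0
    while pos < len(version):
        m = _COMPONENT.match(version, pos)
        if m.end() == pos:
            raise ValueError("unparsable version: %r" % version)
        num, letter, patch = m.groups()
        out.append((
            int(num) if num else -1,  # letter-only component ranks below 0
            ord(letter.lower()) - ord("a") + 1 if letter else 0,
            int(patch or 0),
        ))
        pos = m.end()
    return out

def compare(a, b):
    """Return '<', '=' or '>' for a relative to b."""
    ea, va, ra = split_version(a)
    eb, vb, rb = split_version(b)
    if ea != eb:
        return "<" if ea < eb else ">"
    # A missing component counts as (0, 0, 0), so "6" < "6d14" but ".d14" < "".
    for x, y in zip_longest(components(va), components(vb), fillvalue=(0, 0, 0)):
        if x != y:
            return "<" if x < y else ">"
    if ra != rb:
        return "<" if ra < rb else ">"
    return "="

if __name__ == "__main__":
    # Versions taken from the message above.
    for a, b in [("2.8.6d14", "2.8.6_4"), ("2.8.6.d14", "2.8.6_4")]:
        print(a, compare(a, b), b)
```

In this model the letter in 2.8.6d14 is attached to the third component and so outranks a plain 6, which is why 2.8.6_4 sorts below it; written as 2.8.6.d14, the letter becomes a fourth component that ranks below the absent one.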

