Please help un-confuse me about vuxml

David Wolfskill david at catwhisker.org
Fri Jul 3 13:01:11 UTC 2015 

Before I get started on something that is likely to devolve into
something a bit "rant-ish," I will take this opportunity to thank the
folks who work on things such as maintaining ports, the port- and
package-building infrastructure, and maintaining the vulnerability
database(s).  (For about 3 decades of my career, I worked in
sysadmin(-like) positions; I'm familiar with the value of
well-maintained infrastructure... and that infrastructure and those who
maintain it usually get noticed when something is perceived to be
"wrong.")  That said, as the Subject indicates, I'm confused about
something....

Upon an initial successful smoke test after a src update of FreeBSD, it
is my practice to then update the installed ports.

As I do this moderately frequently (generally, daily), I build the ports
(rather than rely on externally-built packages).  I use portmaster(8) to
do this (and have been doing so for several years).

Today, the ports selected for update (after addressing the ffmpeg update)
were:

===>>> The following actions will be taken if you choose to proceed:
        Upgrade R-cran-stringi-0.5.2_1 to R-cran-stringi-0.5.5
        Upgrade harfbuzz-0.9.40_1 to harfbuzz-0.9.41
        Upgrade iso-codes-3.57 to iso-codes-3.59
        Upgrade netpbm-10.35.94_1 to netpbm-10.35.96
        Upgrade openjdk-7.80.15,1 to openjdk-7.80.15_1,1
        Upgrade p5-DateTime-1.19 to p5-DateTime-1.20
        Upgrade p5-DateTime-TimeZone-1.92 to p5-DateTime-TimeZone-1.92_1
        Upgrade mplayer-1.1.r20150403_2 to mplayer-1.1.r20150403_3
        Upgrade wireshark-1.12.5_1 to wireshark-1.12.6

===>>> Proceed? y/n [y] 


As indicated, I told it to proceed (while I directed my focus
elsewhere).

I was thus a bit startled (and yes, annoyed) a few minutes later to see:

| ...
| ===>>> Deleting stale distfile: iso-codes-3.57.tar.xz
| 0;portmaster: All (9)^G===>>> Returning to update check of installed ports
| 
| ===>>> Launching child to install graphics/netpbm
| 
| ===>>> All >> graphics/netpbm (4/9)
| 0;portmaster: All >> graphics/netpbm (4/9)^G
| ===>>> Currently installed version: netpbm-10.35.94_1
| ===>>> Port directory: /usr/ports/graphics/netpbm
| 
| ===>>> Starting check for build dependencies
| ===>>> Gathering dependency list for graphics/netpbm from ports
| ===>>> Dependency check complete for graphics/netpbm
| 
| ===>>> All >> netpbm-10.35.94_1 (4/9)
| 0;portmaster: All >> netpbm-10.35.94_1 (4/9)^G
| ===>  Cleaning for netpbm-10.35.96
| ===>  netpbm-10.35.96 has known vulnerabilities:
| netpbm-10.35.96 is vulnerable:
| dcraw -- integer overflow condition
| CVE: CVE-2015-3885
| WWW: https://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html
| 
| 1 problem(s) in the installed packages found.
| => Please update your ports tree and try again.
| => Note: Vulnerable ports are marked as such even if there is no update available.
| => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
| *** Error code 1
| 
| Stop.
| make[1]: stopped in /common/ports/graphics/netpbm
| *** Error code 1
| 
| Stop.
| make: stopped in /common/ports/graphics/netpbm
| 
| ===>>> make build failed for graphics/netpbm
| ===>>> Aborting update
| 
| ===>>> Update for graphics/netpbm failed
| ===>>> Aborting update
| 
| ===>>> The following actions were performed:
|         Upgrade of R-cran-stringi-0.5.2_1 to R-cran-stringi-0.5.5
|         Upgrade of harfbuzz-0.9.40_1 to harfbuzz-0.9.41
|         Upgrade of iso-codes-3.57 to iso-codes-3.59
| 
| ===>>> You can restart from the point of failure with this command line:
|        portmaster <flags> graphics/netpbm java/openjdk7 devel/p5-DateTime devel/p5-DateTime-TimeZone multimedia/mplayer net/wireshark 
| 


I then turned my attention to my /usr/ports SVN working copy to check
the update log for graphics/netpbm/Makefile; the most recent entry was:

| ------------------------------------------------------------------------
| r391058 | feld | 2015-07-01 06:28:35 -0700 (Wed, 01 Jul 2015) | 6 lines
| 
| Update to 10.35.96
| 
| CVE-2015-3885 fix is included
| 
| Approved by:    ports-secteam (with hat)
| 
| ------------------------------------------------------------------------

And that combination of things catalyzed this note.

Here's what I'm seeing:
- There is a claim that the port to which I was trying to update was
  "vulnerable" per vuxml.

- The vuxml entry effectively required human intervention to update
  the port.

- The most recent update to the port itself claimed that it had a
  fix to address said vulnerability.  (This gives one reason to
  wonder why *this* version of the port had a vuxml entry, then.)

- I had no feasible way to have a clue about any of this until the
  artificial failure disrupted the usual update process.

- As far as I can tell, there was no value in the existence of the vuxml
  entry for this port under these circumstances.  Rather, it was merely
  annoying and disruptive, for no gain whatsoever.  There wasn't even an
  UPDATING entry to warn a person about what was going on.

So... what am I missing?  How is a vuxml entry for ports/graphics/netpbm
@r391058 that claims it's vulnerable per CVE-2015-3885 useful or
helpful?

Thanks....

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Those who murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20150703/46278b91/attachment.bin>

More information about the freebsd-ports mailing list