VLC fails to compile after cvsuping

Joseph S. Atkinson jsatkinson at embarqmail.com
Mon Nov 10 23:18:22 PST 2008


Rick Voland wrote:
> Rene Ladan wrote:
>> Eduardo Cerejo wrote:
>>> I just cvsuped my ports tree and vlc is the only port that it is
>>> failing to compile.  I'm using FBSD 7stable and this is the error that
>>> I'm getting:
>>>
>>> --->  Upgrading 'vlc-0.8.6.i,2' to 'vlc-0.8.6.i_2,2' (multimedia/vlc)
>>> --->  Building '/usr/ports/multimedia/vlc'
>>> ===>  Cleaning for vlc-0.8.6.i_2,2
>>> ===>  vlc-0.8.6.i_2,2 has known vulnerabilities:
>>> => vlc -- cue processing stack overflow.
>>>    Reference:
>>> <http://www.FreeBSD.org/ports/portaudit/4b09378e-addb-11dd-a578-0030843d3802.html>
>>>
>>> => Please update your ports tree and try again.
>>> *** Error code 1
>>>
>>> Stop in /usr/ports/multimedia/vlc.
>>> ** Command failed [exit code 1]: /usr/bin/script -qa
>>> /tmp/portupgrade.1384.0 env UPGRADE_TOOL=portupgrade
>>> UPGRADE_PORT=vlc-0.8.6.i,2 UPGRADE_PORT_VER=0.8.6.i,2 make
>>> ** Fix the problem and try again.
>>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>>>         ! multimedia/vlc (vlc-0.8.6.i,2)        (unknown build error)
>> I don't know if this is a FAQ yet.  Add DISABLE_VULNERABILITIES=yes to your
>> /etc/make.conf and try again. This doesn't solve the vulnerabilities, so
>> IGNORE_VULNERABILITIES would be more appropriate in my opinion.
>>
>> Regards,
>> Rene
> 
> 
> I am confused.  The purpose of this update is to "solve the
> vulnerabilities" as indicated at:
> http://www.freshports.org/multimedia/vlc
> "Fix a stack overflow vulnerability...."
> 
> The security notice indicates that this version should be free of this
> particular issue.
> http://www.vuxml.org/freebsd/4b09378e-addb-11dd-a578-0030843d3802.html
> vlc -- cue processing stack overflow
> Affected packages
> vlc < 0.8.6i_2,2
> 
> So, why is portaudit preventing the updating to this version patched to
> solve the issue?
> 
> 
> Is the spelling difference important?
> 0.8.6i_2,2
> vs
> 0.8.6.i_2,2
> 
> 
> 
> Thanks,
> 
> Rick Voland
> rpvoland at spamcop.net
> 
> 
> 

The ".i" is done via the magic of the ports infrastructure. Took me a 
minute to realize where that came from.

It actually looks like the wrong port revision was entered into VuXML as 
vulnerable. 0.8.6.i_2,2 is the fixed version. You should be able to 
build it manually as a one off without modifying make.conf via:

# make build deinstall reinstall DISABLE_VULNERABILITIES=true

I am currently trying to find out what needs to be done to fix this properly.

Thanks for the heads up.
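
An added illustration, not part of the original message and not code from the ports tools: a simplified model of ports version ordering, used to check whether the two spellings quoted in the thread compare as equal. The parsing rules (epoch after the comma, revision after the underscore, each dotted component read as a number plus an optional letter, a bare letter counting as number -1) are assumptions of this sketch. Under that model the dotted form sorts below the undotted bound, so a `<` range written with the undotted spelling also covers the fixed port.

```python
import re
from itertools import zip_longest

def split_version(ver):
    """Split 'version_revision,epoch' into (version, revision, epoch)."""
    ver, _, epoch = ver.partition(",")
    ver, _, revision = ver.partition("_")
    return ver, int(revision or 0), int(epoch or 0)

def components(version):
    """Turn each dotted component into (number, letter_rank).

    A component with no leading digits gets number -1, so a bare letter
    sorts below any numeric component (assumption of this model).
    """
    out = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d*)([a-z]?)", part.lower())
        if m is None:
            raise ValueError(f"unsupported component: {part!r}")
        num, letter = m.groups()
        out.append((int(num) if num else -1,
                    ord(letter) - ord("a") + 1 if letter else 0))
    return out

def version_cmp(a, b):
    """Return -1, 0 or 1: epoch first, then components, then revision."""
    va, ra, ea = split_version(a)
    vb, rb, eb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    # A missing trailing component compares as (0, 0).
    for ca, cb in zip_longest(components(va), components(vb), fillvalue=(0, 0)):
        if ca != cb:
            return -1 if ca < cb else 1
    return (ra > rb) - (ra < rb)

def matches_lt_range(installed, bound):
    """True when a VuXML-style '< bound' range covers the installed version."""
    return version_cmp(installed, bound) < 0

PORT_VERSION = "0.8.6.i_2,2"   # version the build reports in the thread
VUXML_BOUND = "0.8.6i_2,2"     # bound quoted from the VuXML entry

if __name__ == "__main__":
    for v in (PORT_VERSION, VUXML_BOUND, "0.8.6i_1,2"):
        print(v, "flagged" if matches_lt_range(v, VUXML_BOUND) else "clean")
```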

