next abort of perl upgrade encountered--linux-pango security problem :-(

Scott Bennett bennett at cs.niu.edu
Tue Jun 30 00:04:52 UTC 2009


     On Thu, 25 Jun 2009 09:52:50 +0300 "Sergey V. Dyatko"
<sergey.dyatko at gmail.com> wrote:
>On Thu, 25 Jun 2009 09:37:52 +0300
>"Sergey V. Dyatko" <sergey.dyatko at gmail.com> wrote:
>
>SVD> On Thu, 25 Jun 2009 01:21:19 -0500 (CDT)
>SVD> Scott Bennett <bennett at cs.niu.edu> wrote:
>SVD> 
>SVD> SB>      The saga of failures in the perl upgrade continues with
>SVD> SB> the following:
>SVD> SB> 
>SVD> SB> ===>   linux-gtk2-2.6.10_3 depends on
>SVD> SB> file: /compat/linux/usr/lib/libpango-1.0.so.0.1001.1 - not
>SVD> SB> found ===>    Verifying install
>SVD> SB> for /compat/linux/usr/lib/libpango-1.0.so.0.1001.1
>SVD> SB> in /usr/ports/x11-toolkits/linux-pango ===>
>SVD> SB> linux-pango-1.10.2_3 has known vulnerabilities: => pango --
>SVD> SB> integer overflow. Reference:
>SVD> SB> <http://www.FreeBSD.org/ports/portaudit/4b172278-3f46-11de-becb-001cc0377035.html>
>SVD> SB> => Please update your ports tree and try again. *** Error code
>SVD> SB> 1
>SVD> [skipped]
>SVD> SB> 
>SVD> SB>      There doesn't seem to be a more recent version of the
>SVD> SB> x11-toolkits/linux-pango port available.  What is the best way
>SVD> SB> to proceed? Will a "portmaster -fv x11-toolkits/linux-pango"
>SVD> SB> do the job for now?  (I'm not too worried about the security
>SVD> SB> bug for the moment.  Although I use mplayer to play files,
>SVD> SB> they don't generally involve .png files, and I don't use
>SVD> SB> mplayer to play streaming files.) Please copy me in on
>SVD> SB> responses, otherwise I won't see them till the next
>SVD> SB> freebsd-ports digest is sent out.  Thanks!
>SVD> SB> 
>SVD> SB> 
>SVD> SB>                                   Scott Bennett, Comm. ASMELG,
>SVD> SB> CFIAG
>SVD> 1) deinstall portaudit
>SVD> 2) upgrade all ports
>SVD> 3) install portaudit if you need it
>SVD> 
>SVD> or
>SVD> 
>SVD> 1) rm /var/db/portaudit/auditfile.tbz
>SVD> 2) upgrade all ports
>SVD> 3) portaudit -F
>SVD> 
>or set environment variable DISABLE_VULNERABILITIES and
>upgrade port(s)
>
     Sergey, thank you so much for pointing out the DISABLE_VULNERABILITIES
environment variable.  This is the method that got me past the problem, though
I used it to upgrade only linux-pango and those of its dependencies that hadn't
yet been upgraded.  After that, I unset that variable and resumed the upgrade
of the rest of the software dependent upon perl.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************

