pdflib for php
m.seaman at infracaninophile.co.uk
Thu Jan 20 06:14:14 PST 2005
On Thu, Jan 20, 2005 at 12:38:01PM +0000, Chris Hodgins wrote:
> Thanos Tsouanas wrote:
> >On Thu, Jan 20, 2005 at 12:11:04PM +0200, Cristi Tauber wrote:
> >>===> pdflib-6.0.1 is forbidden:
> >> Forbidden ? Why ? anyone ...
> >Yes this one: just follow the link. (pretty obvious ;))
> >If you insist on installing the port, 'un' break it manually.
> Purely out of curiosity.. when a possible exploit such as this is
> discovered in a port and a patch is provided, why is it not patched
> immediately? I understand that when a vulnerability is discovered it is
> important to look for similar bugs in the file and also the entire port.
> Is this what takes the time or is it purely a maintainer finding the
> time to update it?
> Again this is just out of curiosity and not related to this port in
Yes -- it's just waiting for the maintainer to provide an update.
Most maintainers in this situation will send-pr(1) a fix within a day
or so. The security team will generally prod (via e-mail) any port
maintainer when they add a VuXML entry concerning their port -- unless
it was the port maintainer that told them about the problem in the
first place, which does happen occasionally.

PRs applying updates to ports and marked 'Security' and/or CC'd to the
security team tend to get committed PDQ, even during the middle of a

Depending on the responsiveness of the maintainer and/or the severity
of the vulnerability and/or availability of patches a port may either
be marked 'FORBIDDEN' or pre-emptively patched without the
maintainer's involvement, but those are both quite rare events.

You can always override the vulnerability checking by setting
'DISABLE_VULNERABILITIES=yes' in the environment. Often this makes
sense to do, but only once you've read through the background material
from the VuXML document -- eg. the vulnerability may permit privilege
escalation for local users, which would be bad ju-ju if you were
running a public access shell server, but no biggie if it was on your
personal desktop box that only you would ever use.
Dr Matthew J Seaman MA, D.Phil. 8 Dane Court Manor
PGP: http://www.infracaninophile.co.uk/pgpkey Tilmanstone
Tel: +44 1304 617253 Kent, CT14 0JL UK