Matthew Seaman m.seaman at
Sat Apr 14 13:53:10 UTC 2007

Steinar Bormer wrote:
> Greetings,
> On 2007-04-13 astro/google-earth was updated.  See:
> <URL: >
> The Makefile now says nothing about FORBIDDEN, but 'make' still gives
> the following output:
> ,----
> | # make
> | ===>  google-earth-4.0.2735 has known vulnerabilities:
> | => google-earth -- heap overflow in the KML engine.
> |    Reference: <>
> | => Please update your ports tree and try again.
> | *** Error code 1
> | 
> | Stop in /usr/ports/astro/google-earth.
> `----
> Needless to say I've updated the ports tree twice today, and Makefile,
> distinfo and pkg-plist have been updated.

You question boils down to: why does the ports system still think
Google Earth v. 4.0.2735 is still vulnerable when portaudit and VuXML
say that only versions earlier than 4.0.2414 are vulnerable?  Ports
certainly shouldn't do that given this:

happy-idiot-talk:~:% pkg_version -t 4.0.2414 4.0.2735

Looks like a bug to me.

> What I really don't understand is where this message quoted above is
> coming from.  It's not included in any of the four files in
> /usr/ports/astro/google-earth, so it must be stored somewhere else.  Any
> pointers on how to proceed from here are appreciated.

This message comes from portaudit(1).  There's a steaming great clue to
that effect in the URL you quote.  A good thing to try is downloading a
new portaudit database:

    portaudit -F

Then retry the update.  Perhaps there was an error in the version numbering
in the version of the portaudit database you had originally, which has since
been fixed.  This would have fixed it for me, if I had Google Earth installed:

happy-idiot-talk:...ports/astro/google-earth:% portaudit -C
Affected package: google-earth-4.0.2735
Type of problem: google-earth -- heap overflow in the KML engine.
Reference: <>

happy-idiot-talk:...ports/astro/google-earth:% sudo portaudit -F 
auditfile.tbz                                 100% of   41 kB   49 kBps
New database installed.
happy-idiot-talk:...ports/astro/google-earth:% portaudit -C

If you absolutely have to upgrade straight away and cannot, for some
unimaginable reason, download a fresh portaudit database, then you can
define the somewhat misnamed 'DISABLE_VUNERABILITIES' variable in your
make environment.  It doesn't disable any vulnerabilities per se -- much
as we might desire that it should -- rather it disables all the warnings
and lock-outs of installing ports with known vulnerabilities.



Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP:         Ramsgate
                                                      Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-questions mailing list