Vulnerability question
Gary Palmer
gpalmer at freebsd.org
Tue Jun 30 22:35:06 UTC 2009
On Tue, Jun 30, 2009 at 07:32:37PM +0200, Roland Smith wrote:
> On Tue, Jun 30, 2009 at 05:08:32PM +0200, Harald Weis wrote:
> > On Mon, Jun 29, 2009 at 08:40:52PM +0200, Roland Smith wrote:
> > > On Sun, Jun 28, 2009 at 10:56:54PM +0200, Harald Weis wrote:
> > > > Building lxdvdrip stops because linux-pango has known
> > > > vulnerabilities.
> > >
> > > You can ignore vulnerabilities by setting the environment variable
> > > DISABLE_VULNERABILITIES. See ports(7).
> >
> > Yes, I've done this already, but I've stepped back because I cannot
> > evaluate the risk.
> >
> > > Are you running a linux binary of mplayer? Because a native mplayer
> > > binary does not require linux-pango! It just uses the native pango.
> >
> > In fact, it's lxdvdrip which requires linux-pango [via linux-gtk2].
> > lxdvdrip is happy with the native mplayer.
>
> Looking at the port Makefile [/usr/ports/multimedia/lxdvdrip/Makefile]
> and Freshports entries [http://www.freshports.org/multimedia/lxdvdrip/]
> for lxdvdrip, there is no sign of it directly requiring pango, let alone
> the Linux version. It is mplayer that depends on pango:
>
> # cd /usr/ports/multimedia/lxdvdrip
> # make run-depends-list
> /usr/ports/misc/buffer
> /usr/ports/multimedia/dvdauthor
> /usr/ports/multimedia/libdvdnav
> /usr/ports/multimedia/libdvdread
> /usr/ports/multimedia/mpgtx
> /usr/ports/multimedia/mplayer
> /usr/ports/multimedia/transcode
> /usr/ports/sysutils/dvd+rw-tools
>
> # cd /usr/ports/multimedia/mplayer
> # make run-depends-list
> /usr/ports/accessibility/atk
> /usr/ports/audio/cdparanoia
> /usr/ports/audio/esound
> /usr/ports/audio/libvorbis
> /usr/ports/converters/libiconv
> /usr/ports/devel/gio-fam-backend
> /usr/ports/devel/glib20
> /usr/ports/devel/pkg-config
> /usr/ports/devel/sdl12
> /usr/ports/graphics/aalib
> /usr/ports/graphics/png
> /usr/ports/multimedia/libtheora
> /usr/ports/multimedia/mplayer-skins
> /usr/ports/multimedia/x264
> /usr/ports/print/freetype2
> /usr/ports/x11-toolkits/gtk20
> /usr/ports/x11-toolkits/pango
> /usr/ports/x11/libX11
> /usr/ports/x11/libXv
> /usr/ports/x11/libXxf86vm
>
> No linux-pango! I suspect that there is something wrong with your
> ports. Do you have the native version of pango installed?
>
I am not the OP, however I also ran into warnings about mplayer and
linux-pango. I believe the problem comes from linux-realplayer
# cd /usr/ports/multimedia/mplayer
# make run-depends-list
/usr/ports/accessibility/atk
/usr/ports/audio/arts
/usr/ports/audio/libvorbis
/usr/ports/converters/libiconv
/usr/ports/devel/gio-fam-backend
/usr/ports/devel/glib20
/usr/ports/devel/pkg-config
/usr/ports/graphics/libGL
/usr/ports/graphics/libungif
/usr/ports/graphics/png
/usr/ports/multimedia/libdv
/usr/ports/multimedia/linux-realplayer
/usr/ports/multimedia/mplayer-skins
/usr/ports/multimedia/win32-codecs
/usr/ports/multimedia/x264
/usr/ports/multimedia/xvid
/usr/ports/print/freetype2
/usr/ports/x11-toolkits/gtk20
/usr/ports/x11-toolkits/pango
/usr/ports/x11/libX11
/usr/ports/x11/libXinerama
/usr/ports/x11/libXv
/usr/ports/x11/libXxf86dga
/usr/ports/x11/libXxf86vm
# grep REAL /var/db/ports/mplayer/options
WITH_REALPLAYER=true
I don't have lxdvdrip installed so I don't think thats involved, at least
in my case. There may be more than one path to the linux-pango
dependency however :-(
Regards,
Gary
More information about the freebsd-stable
mailing list