mato wrote: > On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote >> mato wrote: >>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote >>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs: >>>>>>> is forbidden: Remote code execution: >>>>>>> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html >>>>>>> >>>>>>> Isn't this behaviour flawed ?? Or am I missing something ? >>>> You need to make config in /usr/ports/multimedia/win32-codecs, and >>>> unselect quicktime. Then the port should install. This is assuming, >>>> of course, that you can live without the QT codec(s). >>>> >>>> Josh >>> >>> OK, I will try it.. Thank you all. >>> >>> But the question remains -- if new port version is not vulnerable why i >>> cannot >>> upgrade to it ?? >>> >> Its only not vulnerable if you unselect the quicktime codec. the >> vulnerability is in the quicktime codec. >> >> The port will by default use the stored config in >> /var/db/ports/win32-codecs/options and if this says to use the quicktime >> codec then it will not upgrade. This seems pretty sensible to me. >> >> Vince >> > > > I cannot access and check the port's Makefile right now ... Is it Makefile > which says (conditionally) "hey i'm vulnerable" or is it portaudit/VuXML > database which says that. I guess the former, otherwise freshports.org should > mark the port as vulnerable. Right?
In general, this sort of security flagging is done via portaudit's own database which is derived mostly from VuXML. To get around the lockout imposed by portaudit you can do: make DISABLE_VULNERABILITIES=yes but a) this doesn't disable any actual vulnerabilities, just the checking for their presence, and b) on your own head be it. Now, in the case of the win32-codecs port, it is done differently. The port Makefile says this: .if defined(WITH_QUICKTIME) FORBIDDEN= Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11 db-81e1-000e0c2e438a.html ADDITIONAL_CODECS_DISTFILES+= qt63dlls-20050115.tar.bz2 \ qtextras-20041107.tar.bz2 PLIST_SUB+= QUICKTIME="" .else PLIST_SUB+= QUICKTIME="@comment " .endif ie. selecting the Quicktime plugins in the OPTIONS dialog, which causes WITH_QUICKTIME to be defined, means that the port will be marked forbidden, and any attempt to install it will be blocked. A simple 'make config' and unchecking that option will let you install the port with all of the other codecs. Freshports parses the VuXML database to mark ports as vulnerable -- the VuXML data contains a listing of the vulnerable package names and ranges of version numbers. VuXML doesn't actually have a way of distinguishing what options are enabled for the port, although the textual note in the entry explains the situation fairly clearly. It doesn't say "Users are advised to reinstall the port with the Quicktime support turned off" which might be a nice addition. The system will however prompt users to upgrade to a version of the port after the code to forbid installation with Quicktime stuff enabled was added. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. Flat 3 7 Priory Courtyard PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW, UK
Description: OpenPGP digital signature