mato wrote:
> On Thu, 07 Dec 2006 13:46:18 +0000, Vince wrote
>> mato wrote:
>>> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
>>>>>>> ** Port marked as IGNORE: multimedia/win32-codecs:
>>>>>>>         is forbidden: Remote code execution:
>>>>>>> Isn't this behaviour flawed ??  Or am I missing something ?
>>>> You need to make config in /usr/ports/multimedia/win32-codecs, and
>>>> unselect quicktime. Then the port should install. This is assuming,
>>>>  of course, that you can live without the QT codec(s).
>>>> Josh
>>> OK, I will try it.  Thank you all.
>>> But the question remains -- if the new port version is not vulnerable, why
>>> can't I upgrade to it??
>> It's only not vulnerable if you unselect the quicktime codec. The
>> vulnerability is in the quicktime codec.
>> The port will by default use the stored config in
>> /var/db/ports/win32-codecs/options and if this says to use the quicktime
>> codec then it will not upgrade. This seems pretty sensible to me.
>> Vince
> I cannot access and check the port's Makefile right now ... Is it the Makefile
> which says (conditionally) "hey, I'm vulnerable" or is it the portaudit/VuXML
> database which says that.  I guess the former, otherwise should
> mark the port as vulnerable.  Right?

In general, this sort of security flagging is done via portaudit's own database
which is derived mostly from VuXML.  To get around the lockout imposed by 
you can do:


but a) this doesn't disable any actual vulnerabilities, just the checking
for their presence, and b) on your own head be it.

Now, in the case of the win32-codecs port, it is done differently.  The port
Makefile says this:

.if defined(WITH_QUICKTIME)
FORBIDDEN=      Remote code execution:
ADDITIONAL_CODECS_DISTFILES+=   qt63dlls-20050115.tar.bz2 \
PLIST_SUB+=     QUICKTIME="@comment "

i.e. selecting the Quicktime plugins in the OPTIONS dialog, which causes
WITH_QUICKTIME to be defined, means that the port will be marked forbidden,
and any attempt to install it will be blocked.

A simple 'make config' and unchecking that option will let you install
the port with all of the other codecs.

Freshports parses the VuXML database to mark ports as vulnerable -- the VuXML
data contains a listing of the vulnerable package names and ranges of version
numbers.  VuXML doesn't actually have a way of distinguishing what options are
enabled for the port, although the textual note in the entry explains the 
fairly clearly.  It doesn't say "Users are advised to reinstall the port with 
Quicktime support turned off" which might be a nice addition.  The system will
however prompt users to upgrade to a version of the port after the code to
forbid installation with Quicktime stuff enabled was added.



Dr Matthew J Seaman MA, D.Phil.                       Flat 3
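As an added illustration (not code from the thread or from the ports tree), the following script mirrors the Makefile's ".if defined(WITH_QUICKTIME)" decision against a saved OPTIONS file, so the FORBIDDEN lockout can be predicted before running make. It assumes the options-file format of one WITH_<OPT>=true / WITHOUT_<OPT>=true line per option; the sample files are constructed stand-ins for /var/db/ports/win32-codecs/options.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or the win32-codecs port.
# Replays the port Makefile's rule ".if defined(WITH_QUICKTIME) FORBIDDEN=..."
# against a stored OPTIONS file (assumed format: WITH_X=true / WITHOUT_X=true).

# Print the FORBIDDEN reason and return 0 if the saved options would trip the
# lockout; return 1 silently if the port would install (or no config is saved).
forbidden_reason() {
    opts="$1"
    # No saved config: make config has never selected QuickTime, nothing forbids.
    [ -r "$opts" ] || return 1
    if grep -q '^WITH_QUICKTIME=true$' "$opts"; then
        echo "Remote code execution (QuickTime codec selected in $opts)"
        return 0
    fi
    return 1
}

# Two constructed sample options files standing in for
# /var/db/ports/win32-codecs/options: one with QuickTime on, one with it off.
tmpdir=$(mktemp -d)
cat > "$tmpdir/options.qt" <<'EOF'
_OPTIONS_READ=win32-codecs
WITH_QUICKTIME=true
WITH_REALPLAYER=true
EOF
cat > "$tmpdir/options.noqt" <<'EOF'
_OPTIONS_READ=win32-codecs
WITHOUT_QUICKTIME=true
WITH_REALPLAYER=true
EOF

# Report what the Makefile would do with each stored config.
for f in "$tmpdir/options.qt" "$tmpdir/options.noqt"; do
    if reason=$(forbidden_reason "$f"); then
        echo "$f: FORBIDDEN: $reason -> run 'make config' and uncheck QuickTime"
    else
        echo "$f: installable with the stored options"
    fi
done
```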