Steinar Bormer wrote:
> Greetings,
>
>
> On 2007-04-13 astro/google-earth was updated. See:
> <URL: http://www.freebsd.org/cgi/query-pr.cgi?pr=108864 >
>
> The Makefile now says nothing about FORBIDDEN, but 'make' still gives
> the following output:
>
> ,----
> | # make
> | ===> google-earth-4.0.2735 has known vulnerabilities:
> | => google-earth -- heap overflow in the KML engine.
> | Reference: <http://www.FreeBSD.org/ports/portaudit/5c9a2769-5ade-11db-a5ae-00508d6a62df.html>
> | => Please update your ports tree and try again.
> | *** Error code 1
> |
> | Stop in /usr/ports/astro/google-earth.
> `----
>
> Needless to say I've updated the ports tree twice today, and Makefile,
> distinfo and pkg-plist have been updated.
Your question boils down to: why does the ports system still think Google
Earth v. 4.0.2735 is vulnerable when portaudit and VuXML say that only
versions earlier than 4.0.2414 are vulnerable?  Ports certainly shouldn't
do that given this:

    happy-idiot-talk:~:% pkg_version -t 4.0.2414 4.0.2735
    <

Looks like a bug to me.

> What I really don't understand is where this message quoted above is
> coming from. It's not included in any of the four files in
> /usr/ports/astro/google-earth, so it must be stored somewhere else. Any
> pointers on how to proceed from here are appreciated.

This message comes from portaudit(1).  There's a steaming great clue to
that effect in the URL you quote.

A good thing to try is downloading a new portaudit database:

    portaudit -F

Then retry the update.  Perhaps there was an error in the version
numbering in the version of the portaudit database you had originally,
which has since been fixed.  This would have fixed it for me, if I had
Google Earth installed:

    happy-idiot-talk:...ports/astro/google-earth:% portaudit -C
    Affected package: google-earth-4.0.2735
    Type of problem: google-earth -- heap overflow in the KML engine.
    Reference: <http://www.FreeBSD.org/ports/portaudit/5c9a2769-5ade-11db-a5ae-00508d6a62df.html>
    happy-idiot-talk:...ports/astro/google-earth:% sudo portaudit -F
    Password:
    auditfile.tbz                                 100% of   41 kB   49 kBps
    New database installed.
    happy-idiot-talk:...ports/astro/google-earth:% portaudit -C

If you absolutely have to upgrade straight away and cannot, for some
unimaginable reason, download a fresh portaudit database, then you can
define the somewhat misnamed 'DISABLE_VULNERABILITIES' variable in your
make environment.  It doesn't disable any vulnerabilities per se -- much
as we might desire that it should -- rather it disables all the warnings
and lock-outs of installing ports with known vulnerabilities.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
                                                  7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
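The reply above hinges on one comparison: 4.0.2735 sorts after 4.0.2414, so a VuXML entry whose range is "less than 4.0.2414" must not match the installed package. The following is an added example, not code from either poster or from the FreeBSD ports tree. It implements a simplified dotted-version comparator (`vercmp`, standing in for `pkg_version -t`) and a `vulnerable` check that applies a VuXML-style `<lt>` bound; the function names are mine, and the comparator deliberately ignores the `_N` (PORTREVISION) and `,N` (PORTEPOCH) suffixes and letter components that FreeBSD's real algorithm handles.

```shell
#!/bin/sh
# Added example (not from the original thread). A simplified version
# comparator in the spirit of `pkg_version -t`, plus a check against a
# VuXML-style "<lt>" bound. Assumption: purely numeric dotted versions;
# FreeBSD's real comparator also handles _N, ,N and letter suffixes.

# vercmp A B: print "<", "=" or ">" comparing dotted numeric versions.
# Missing trailing components count as 0, so 4.0 equals 4.0.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}          # leading component of each
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo "<"; return; fi
        if [ "$ah" -gt "$bh" ]; then echo ">"; return; fi
    done
    echo "="
}

# vulnerable VERSION LT_BOUND: succeed (exit 0) only when VERSION sorts
# strictly before LT_BOUND, i.e. when a <range><lt>LT_BOUND</lt></range>
# entry in VuXML would apply to the installed package.
vulnerable() {
    [ "$(vercmp "$1" "$2")" = "<" ]
}

# Demonstration with the versions from the thread (bound 4.0.2414).
for v in 4.0.2100 4.0.2414 4.0.2735; do
    if vulnerable "$v" 4.0.2414; then
        echo "google-earth-$v: affected"
    else
        echo "google-earth-$v: not affected"
    fi
done
```

With the bound from the advisory, only 4.0.2100 is reported as affected; 4.0.2414 and 4.0.2735 are not, which is the result the thread expects from portaudit once the database is refreshed.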