Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
> > ** Port marked as IGNORE: multimedia/win32-codecs:
> >         is forbidden: Remote code execution:
> > http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> >
> > Isn't this behaviour flawed ?? Or am I missing something ?
>
> You need to make config in /usr/ports/multimedia/win32-codecs, and
> unselect quicktime. Then the port should install. This is assuming, of
> course, that you can live without the QT codec(s).
>
> Josh

OK, I will try it.. Thank you all.
But the question remains -- if new port version is not vulnerable why I
cannot upgrade to it ??

Cheers,
Martin

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
mato wrote:
> On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
> > > ** Port marked as IGNORE: multimedia/win32-codecs:
> > >         is forbidden: Remote code execution:
> > > http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> > >
> > > Isn't this behaviour flawed ?? Or am I missing something ?
> >
> > You need to make config in /usr/ports/multimedia/win32-codecs, and
> > unselect quicktime. Then the port should install. This is assuming, of
> > course, that you can live without the QT codec(s).
> >
> > Josh
>
> OK, I will try it.. Thank you all.
> But the question remains -- if new port version is not vulnerable why I
> cannot upgrade to it ??

It's only not vulnerable if you unselect the quicktime codec. The
vulnerability is in the quicktime codec. The port will by default use the
stored config in /var/db/ports/win32-codecs/options and if this says to
use the quicktime codec then it will not upgrade.
This seems pretty sensible to me.

Vince

> Cheers,
> Martin
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
On Thu, 07 Dec 2006 13:46:18 +, Vince wrote
> mato wrote:
> > On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
> > > > ** Port marked as IGNORE: multimedia/win32-codecs:
> > > >         is forbidden: Remote code execution:
> > > > http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> > > >
> > > > Isn't this behaviour flawed ?? Or am I missing something ?
> > >
> > > You need to make config in /usr/ports/multimedia/win32-codecs, and
> > > unselect quicktime. Then the port should install. This is assuming,
> > > of course, that you can live without the QT codec(s).
> > >
> > > Josh
> >
> > OK, I will try it.. Thank you all.
> > But the question remains -- if new port version is not vulnerable why
> > I cannot upgrade to it ??
>
> It's only not vulnerable if you unselect the quicktime codec. The
> vulnerability is in the quicktime codec. The port will by default use
> the stored config in /var/db/ports/win32-codecs/options and if this says
> to use the quicktime codec then it will not upgrade.
> This seems pretty sensible to me.
>
> Vince

I cannot access and check the port's Makefile right now ...
Is it Makefile which says (conditionally) "hey I'm vulnerable" or is it
portaudit/VuXML database which says that?
I guess the former, otherwise freshports.org should mark the port as
vulnerable. Right?

Cheers,
Martin
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
mato wrote:
> On Thu, 07 Dec 2006 13:46:18 +, Vince wrote
> > mato wrote:
> > > On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
> > > > > ** Port marked as IGNORE: multimedia/win32-codecs:
> > > > >         is forbidden: Remote code execution:
> > > > > http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> > > > >
> > > > > Isn't this behaviour flawed ?? Or am I missing something ?
> > > >
> > > > You need to make config in /usr/ports/multimedia/win32-codecs, and
> > > > unselect quicktime. Then the port should install. This is
> > > > assuming, of course, that you can live without the QT codec(s).
> > > >
> > > > Josh
> > >
> > > OK, I will try it.. Thank you all.
> > > But the question remains -- if new port version is not vulnerable
> > > why I cannot upgrade to it ??
> >
> > It's only not vulnerable if you unselect the quicktime codec. The
> > vulnerability is in the quicktime codec. The port will by default use
> > the stored config in /var/db/ports/win32-codecs/options and if this
> > says to use the quicktime codec then it will not upgrade.
> > This seems pretty sensible to me.
> >
> > Vince
>
> I cannot access and check the port's Makefile right now ...
> Is it Makefile which says (conditionally) "hey I'm vulnerable" or is it
> portaudit/VuXML database which says that?
> I guess the former, otherwise freshports.org should mark the port as
> vulnerable. Right?

In general, this sort of security flagging is done via portaudit's own
database which is derived mostly from VuXML. To get around the lockout
imposed by portaudit you can do:

    make DISABLE_VULNERABILITIES=yes

but a) this doesn't disable any actual vulnerabilities, just the checking
for their presence, and b) on your own head be it.

Now, in the case of the win32-codecs port, it is done differently. The
port Makefile says this:

    .if defined(WITH_QUICKTIME)
    FORBIDDEN=      Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
    ADDITIONAL_CODECS_DISTFILES+=   qt63dlls-20050115.tar.bz2 \
                                    qtextras-20041107.tar.bz2
    PLIST_SUB+=     QUICKTIME=
    .else
    PLIST_SUB+=     QUICKTIME=@comment
    .endif

ie. selecting the Quicktime plugins in the OPTIONS dialog, which causes
WITH_QUICKTIME to be defined, means that the port will be marked
forbidden, and any attempt to install it will be blocked. A simple
'make config' and unchecking that option will let you install the port
with all of the other codecs.

Freshports parses the VuXML database to mark ports as vulnerable -- the
VuXML data contains a listing of the vulnerable package names and ranges
of version numbers. VuXML doesn't actually have a way of distinguishing
what options are enabled for the port, although the textual note in the
entry explains the situation fairly clearly. It doesn't say "Users are
advised to reinstall the port with the Quicktime support turned off"
which might be a nice addition. The system will however prompt users to
upgrade to a version of the port after the code to forbid installation
with Quicktime stuff enabled was added.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
Flat 3, 7 Priory Courtyard
Ramsgate
Kent, CT11 9PW, UK
PGP: http://www.infracaninophile.co.uk/pgpkey
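
Added example (not part of the message above and not code from the ports tree): a small sh check that reports which saved port option trips a conditional FORBIDDEN like the one quoted from the win32-codecs Makefile. The function names, the un-nested `.if defined(WITH_<OPT>)` layout and the `WITH_<OPT>=true` format of the saved options file are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example. Assumptions: saved options are WITH_<OPT>=true lines, and the
# Makefile guards FORBIDDEN with a plain, un-nested ".if defined(WITH_<OPT>)".

# forbidden_knobs MAKEFILE
# Print every WITH_* knob whose ".if defined()" branch assigns FORBIDDEN.
forbidden_knobs() {
    awk '
        /^\.if[ \t]+defined\(WITH_[A-Za-z0-9_]+\)/ {
            knob = $0
            sub(/^.*defined\(/, "", knob)   # drop everything up to the knob name
            sub(/\).*$/, "", knob)          # drop the closing paren and the rest
            next
        }
        /^\.(else|elif|endif)/ { knob = "" }   # left the guarded branch
        knob != "" && /^FORBIDDEN[ \t]*[+?]?=/ { print knob }
    ' "$1"
}

# blocking_options MAKEFILE OPTIONSFILE
# Print the saved options that would make the port refuse to build.
blocking_options() {
    for knob in $(forbidden_knobs "$1"); do
        if grep -q "^${knob}=true\$" "$2"; then
            echo "$knob"
        fi
    done
}

# write_samples DIR: constructed inputs (Makefile excerpt as quoted in the thread).
write_samples() {
    cat > "$1/Makefile" <<'EOF'
.if defined(WITH_QUICKTIME)
FORBIDDEN= Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
PLIST_SUB+= QUICKTIME=
.else
PLIST_SUB+= QUICKTIME=@comment
.endif
EOF
    cat > "$1/options" <<'EOF'
_OPTIONS_READ=win32-codecs-3.1.0.p8,1
WITH_QUICKTIME=true
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
blocking_options "$demo/Makefile" "$demo/options"   # prints the blocking knob(s)
```

On a real system the two arguments would be the port's Makefile under /usr/ports/multimedia/win32-codecs and the stored config /var/db/ports/win32-codecs/options named in the thread.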
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
Matthew Seaman wrote:
> mato wrote:
> > On Thu, 07 Dec 2006 13:46:18 +, Vince wrote
> > > mato wrote:
> > > > On Wed, 6 Dec 2006 16:46:24 -0800, Josh Carroll wrote
> > > > > > ** Port marked as IGNORE: multimedia/win32-codecs:
> > > > > >         is forbidden: Remote code execution:
> > > > > > http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> > > > > >
> > > > > > Isn't this behaviour flawed ?? Or am I missing something ?
> > > > >
> > > > > You need to make config in /usr/ports/multimedia/win32-codecs,
> > > > > and unselect quicktime. Then the port should install. This is
> > > > > assuming, of course, that you can live without the QT codec(s).
> > > > >
> > > > > Josh
> > > >
> > > > OK, I will try it.. Thank you all.
> > > > But the question remains -- if new port version is not vulnerable
> > > > why I cannot upgrade to it ??
> > >
> > > It's only not vulnerable if you unselect the quicktime codec. The
> > > vulnerability is in the quicktime codec. The port will by default
> > > use the stored config in /var/db/ports/win32-codecs/options and if
> > > this says to use the quicktime codec then it will not upgrade.
> > > This seems pretty sensible to me.
> > >
> > > Vince
> >
> > I cannot access and check the port's Makefile right now ...
> > Is it Makefile which says (conditionally) "hey I'm vulnerable" or is
> > it portaudit/VuXML database which says that?
> > I guess the former, otherwise freshports.org should mark the port as
> > vulnerable. Right?
>
> In general, this sort of security flagging is done via portaudit's own
> database which is derived mostly from VuXML. To get around the lockout
> imposed by portaudit you can do:
>
>     make DISABLE_VULNERABILITIES=yes
>
> but a) this doesn't disable any actual vulnerabilities, just the
> checking for their presence, and b) on your own head be it.
>
> Now, in the case of the win32-codecs port, it is done differently. The
> port Makefile says this:
>
>     .if defined(WITH_QUICKTIME)
>     FORBIDDEN=      Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>     ADDITIONAL_CODECS_DISTFILES+=   qt63dlls-20050115.tar.bz2 \
>                                     qtextras-20041107.tar.bz2
>     PLIST_SUB+=     QUICKTIME=
>     .else
>     PLIST_SUB+=     QUICKTIME=@comment
>     .endif
>
> ie. selecting the Quicktime plugins in the OPTIONS dialog, which causes
> WITH_QUICKTIME to be defined, means that the port will be marked
> forbidden, and any attempt to install it will be blocked. A simple
> 'make config' and unchecking that option will let you install the port
> with all of the other codecs.
>
> Freshports parses the VuXML database to mark ports as vulnerable -- the
> VuXML data contains a listing of the vulnerable package names and ranges
> of version numbers. VuXML doesn't actually have a way of distinguishing
> what options are enabled for the port, although the textual note in the
> entry explains the situation fairly clearly. It doesn't say "Users are
> advised to reinstall the port with the Quicktime support turned off"
> which might be a nice addition. The system will however prompt users to
> upgrade to a version of the port after the code to forbid installation
> with Quicktime stuff enabled was added.
>
> Cheers,
>
> Matthew

Matthew, that is a great answer!! Thank you! :-)

The last question would be how to make make(1) /portupgrade/portsystem
to ignore FORBIDDEN.

Anyway, thanks again.

Martin
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
On Thu, Dec 07, 2006 at 06:16:18PM +0100, mato wrote:
> Matthew, that is a great answer!! Thank you! :-)
>
> The last question would be how to make make(1) /portupgrade/portsystem
> to ignore FORBIDDEN.

make -DNO_IGNORE will get around this. But bypassing FORBIDDEN is
generally not wise.

-- 
Shaun Amott // PGP: 0x6B387A9A
A foolish consistency is the hobgoblin of little minds. - Ralph Waldo Emerson
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
On Wed, Dec 06, 2006 at 10:55:40PM +0100, martinko wrote:
> Hello,
>
> According to freshports.org the newest multimedia/win32-codecs port
> (3.1.0.r1,1) is not vulnerable.
> I'm trying to upgrade version win32-codecs-3.1.0.p8,1 on my system but
> portupgrade + portaudit refuse me to do so:
>
> ** Port marked as IGNORE: multimedia/win32-codecs:
>         is forbidden: Remote code execution:
> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>
> Isn't this behaviour flawed ?? Or am I missing something ?

Did you update your portaudit database?

Kris
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
Kris Kennaway wrote:
> On Wed, Dec 06, 2006 at 10:55:40PM +0100, martinko wrote:
> > Hello,
> >
> > According to freshports.org the newest multimedia/win32-codecs port
> > (3.1.0.r1,1) is not vulnerable.
> > I'm trying to upgrade version win32-codecs-3.1.0.p8,1 on my system but
> > portupgrade + portaudit refuse me to do so:
> >
> > ** Port marked as IGNORE: multimedia/win32-codecs:
> >         is forbidden: Remote code execution:
> > http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
> >
> > Isn't this behaviour flawed ?? Or am I missing something ?
>
> Did you update your portaudit database?
>
> Kris

Sure thing:

    mb-aw1n-bsd[/root]# portaudit -Fda
    New database installed.
    Database created: Thu Dec 7 01:10:04 CET 2006
    Affected package: win32-codecs-3.1.0.p8,1
    Type of problem: win32-codecs -- multiple vulnerabilities.
    Reference: http://www.FreeBSD.org/ports/portaudit/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html

    1 problem(s) in your installed packages found.

    You are advised to update or deinstall the affected package(s) immediately.

    mb-aw1n-bsd[/root]# portupgrade -if win32-codecs
    --- Session started at: Thu, 07 Dec 2006 01:24:42 +0100
    ** Port marked as IGNORE: multimedia/win32-codecs:
            is forbidden: Remote code execution: http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
    --- ** Upgrade tasks 1: 0 done, 1 ignored, 0 skipped and 0 failed
    --- Listing the results (+:done / -:ignored / *:skipped / !:failed)
            - multimedia/win32-codecs (win32-codecs-3.1.0.p8,1)
    --- Packages processed: 0 done, 1 ignored, 0 skipped and 0 failed
    --- Session ended at: Thu, 07 Dec 2006 01:24:43 +0100 (consumed 00:00:01)
Re: portupgrade refusin to upgrade a port .. when it shouldn't imho
> ** Port marked as IGNORE: multimedia/win32-codecs:
>         is forbidden: Remote code execution:
> http://vuxml.FreeBSD.org/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
>
> Isn't this behaviour flawed ?? Or am I missing something ?

You need to make config in /usr/ports/multimedia/win32-codecs, and
unselect quicktime. Then the port should install. This is assuming, of
course, that you can live without the QT codec(s).

Josh