Problem installing nspluginwrapper (pango security issue)

Code:
===>>> Starting check for build dependencies
===>>> Gathering dependency list for x11-toolkits/linux-f10-pango from ports
===>>> Starting dependency check
===>>> Dependency check complete for x11-toolkits/linux-f10-pango
	www/nspluginwrapper >> x11-toolkits/linux-f10-gtk2 >> x11-toolkits/linux-f10-pango
===>  Cleaning for linux-f10-pango-1.22.3

===>  linux-f10-pango-1.22.3 has known vulnerabilities:
=> pango -- integer overflow.
   Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/x11-toolkits/linux-f10-pango.

===>>> make failed for x11-toolkits/linux-f10-pango
===>>> Aborting update

===>>> Update for x11-toolkits/linux-f10-pango failed
===>>> Aborting update

===>>> Update for x11-toolkits/linux-f10-gtk2 failed
===>>> Aborting update

It depends on something insecure. I've been updating my ports every few weeks hoping for the secure updated pango. It was apparently fixed in 1.24 but port is forever staying at 1.22.3?
 
Disable vulnerabilities:

export DISABLE_VULNERABILITIES=yes (if you use bash), or setenv DISABLE_VULNERABILITIES=yes (for csh and the likes).
 
nspluginwrapper

sixtydoses said:
Disable vulnerabilities:

export DISABLE_VULNERABILITIES=yes (if you use bash), or setenv DISABLE_VULNERABILITIES=yes (for csh and the likes).

Since I am new to FBSD I need a little more help, as to how to use this command or where do I need to append it?
I only know that I did cd /usr/ports/www/nspluginwrapper && make install clean and got the security issue about pango
 
Before running # make install clean, disable the vulnerabilities by running the following command:
# setenv DISABLE_VULNERABILITIES yes

That command should work unless you've modified your root's shell to something else, like bash, for instance. If the latter is the case then you'd have to opt for this command:
# export DISABLE_VULNERABILITIES=yes

After exporting DISABLE_VULNERABILITIES in your environment, proceed with installation as normal.

Or, another option is, do it altogether on the fly, by running the following command:
# make -DDISABLE_VULNERABILITIES install clean

HTH.
 
I really disagree with the closure of this issue as resolved. I do not think that telling people to disable vulnerability checking is a solution to the issue. It might be better to direct them to a website with an updated version available for *BSD, like

http://openports.se/devel/pango

I do not recommend disabling vulnerability checking for anybody, ever.
 
While I agree disabling/ignoring vulnerabilities is not an elegant solution, it is one of the ways to get x11-toolkits/linux-f10-pango installed. If the OP feels it's not the right solution to opt for, he/she is free to either not install it, or deinstall ports-mgmt/portaudit, contact the maintainer, or find another way to fix it. Even if he/she is my next door neighbour, I won't force him to opt my way.
 
I was surprised when I re bumped into this port myself that it is still this way. The maintainer is the emulation community and I hope they don't update the port too quickly. (some of the posts)

This is apparently the way to do things these days: when the alarm finally does sound just hit the override button. :OOO
 
tim-m89 said:
This is apparently the way to do things these days: when the alarm finally does sound just hit the override button. :OOO

More to the point that F10 is no longer supported by the fedora community as each release only lives for 2 releases + one month, and with one release every 6 months that gives 13 months of "support" which ended on the last of December 2009 due to the release of F12 in November.

As noted in your last link, the problem of getting a F10+ port is in the linux emulation layer, so it's not just an update of the port that is needed. And it's not a requirement to use portaudit (I personally don't) that will block some things, so at the moment you have to hit that override button or as I do not have a button to press at all. ;)
 
gilinko said:
... so at the moment you have to hit that override button or as I do not have a button to press at all. ;)

You consider not using port audit superior? Correct me if I'm wrong but isn't it there to allow increased security? I consider increased security superior and hence why I choose to use it. By default it's not setup so having it setup on my system was entirely intentional no accident.
 
There is a difference between adding security and notifying about security. portaudit only notifies about the security issues, and in some cases there isn't a fix for a particular software available yet. Hence it keeps notifying me that a vulnerability in a software that may not yet have a patched release that's incorporated into ports yet. So the "option" then is to either shut the service down or know if I'm vulnerable for that particular bug, and in general to shut down a service is not an option (mailserver, webserver etc).

Also for the few software services that I do use, I follow their bug reports instead as they turn up there before they turn up in the portaudit system. It's all about information and in that sense portaudit adds nothing but frustration for me. But that's only for me, you have to make your own choice.
 
Only doing this after it being a port needed by most other ports, and that the security risk is low.
Then after that's done, immediately revert back by setting setenv ENABLE_VULNERABILITIES=yes.

Don't bring up how this thread is from 2010! I choose to respond here.
 
ENABLE_VULNERABILITIES
That variable does not actually exist. There is only DISABLE_VULNERABILITIES, which can be set or unset. That is best done along with the make(1) command, so it is not set permanently or even temporarily. Then there is no need to undo it. For example, after making really, really sure that the known vulnerabilities do not apply in a particular case:

make DISABLE_VULNERABILITIES=yes ...

The variable is set only for the duration of that command.
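
A check for the opposite situation, where the override was exported or written to a config file and then forgotten. This is an added example, not part of the thread or of the ports tree; the function names are hypothetical, /etc/make.conf is assumed as the persistent location, and it assumes the framework only tests whether the variable is defined.

```shell
#!/bin/sh
# Added example (not from the thread): find places where DISABLE_VULNERABILITIES
# stays switched on after the one build it was meant for.
# Assumption: the ports framework only tests whether the variable is defined,
# so any value, even "no", disables the check.

# env_override: succeeds if the variable is exported in the current environment.
env_override() {
    env | grep -q '^DISABLE_VULNERABILITIES='
}

# conf_override FILE: succeeds if FILE holds an uncommented assignment.
conf_override() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*DISABLE_VULNERABILITIES[[:space:]]*[?+:!]?=' "$1"
}

# audit_override [FILE]: prints findings; returns 0 if clean, 1 if an override exists.
audit_override() {
    conf=${1:-/etc/make.conf}
    found=0
    if env_override; then
        echo "environment: DISABLE_VULNERABILITIES is exported in this shell"
        found=1
    fi
    if conf_override "$conf"; then
        echo "$conf: DISABLE_VULNERABILITIES is assigned for every port build"
        found=1
    fi
    if [ "$found" -eq 0 ]; then
        echo "no persistent override found"
    fi
    return "$found"
}

# demo_constructed: runs the audit against a constructed make.conf sample.
demo_constructed() {
    sample=$(mktemp)
    printf '%s\n' '# DISABLE_VULNERABILITIES=yes' 'DISABLE_VULNERABILITIES=yes' > "$sample"
    audit_override "$sample"; rc=$?
    rm -f "$sample"
    return "$rc"
}
```

Source the file and run audit_override with no arguments to check the current shell and /etc/make.conf.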
 