kdenlive port installation failed for gstreamer-ffmpeg vulnerability

Hello world!,

I tried to install kdenlive on my FreeBSD 12.0 but it failed at installing gstreamer-ffmpeg-0.10.13_6 because it seems gstreamer-ffmpeg is vulnerable. I tried to rerun the command and I got this:

Code:
root@freebsd:/usr/ports/multimedia/kdenlive # cd /usr/ports/multimedia/kdenlive/ && make install clean
===>   kdenlive-18.12.1_1 depends on file: /usr/local/include/linux/input.h - found
===>   kdenlive-18.12.1_1 depends on file: /usr/local/include/linux/videodev2.h - found
===>   kdenlive-18.12.1_1 depends on file: /usr/local/bin/cmake - found
===>   kdenlive-18.12.1_1 depends on executable: ninja - found
===>   kdenlive-18.12.1_1 depends on executable: update-desktop-database - found
===>   kdenlive-18.12.1_1 depends on executable: msgfmt - found
===>   kdenlive-18.12.1_1 depends on package: pkgconf>=1.3.0_1 - found
===>   kdenlive-18.12.1_1 depends on executable: update-mime-database - found
===>   kdenlive-18.12.1_1 depends on file: /usr/local/share/ECM/cmake/ECMConfig.cmake - found
===>   kdenlive-18.12.1_1 depends on file: /usr/local/bin/kbuildsycoca5 - found
===>   kdenlive-18.12.1_1 depends on package: xorgproto>=0 - found
===>   kdenlive-18.12.1_1 depends on package: xorgproto>=0 - found
===>   kdenlive-18.12.1_1 depends on file: /usr/local/libdata/pkgconfig/x11.pc - found
===>   kdenlive-18.12.1_1 depends on file: /usr/local/lib/qt5/bin/moc - found
===>   kdenlive-18.12.1_1 depends on file: /usr/local/lib/qt5/bin/qmake - found
===>   kdenlive-18.12.1_1 depends on shared library: libmlt.so - not found
===>   mlt-6.12.0_2 depends on file: /usr/local/include/frei0r.h - found
===>   mlt-6.12.0_2 depends on file: /usr/local/bin/sdl-config - found
===>   mlt-6.12.0_2 depends on file: /usr/local/libdata/pkgconfig/eigen3.pc - found
===>   mlt-6.12.0_2 depends on executable: gmake - found
===>   mlt-6.12.0_2 depends on package: pkgconf>=1.3.0_1 - found
===>   mlt-6.12.0_2 depends on package: libiconv>=1.14_11 - found
===>   mlt-6.12.0_2 depends on package: xorgproto>=0 - found
===>   mlt-6.12.0_2 depends on package: xorgproto>=0 - found
===>   mlt-6.12.0_2 depends on file: /usr/local/libdata/pkgconfig/x11.pc - found
===>   mlt-6.12.0_2 depends on shared library: libfftw3.so - found (/usr/local/lib/libfftw3.so)
===>   mlt-6.12.0_2 depends on shared library: libavformat.so - found (/usr/local/lib/libavformat.so)
===>   mlt-6.12.0_2 depends on shared library: libexif.so - found (/usr/local/lib/libexif.so)
===>   mlt-6.12.0_2 depends on shared library: libfontconfig.so - found (/usr/local/lib/libfontconfig.so)
===>   mlt-6.12.0_2 depends on shared library: libepoxy.so - found (/usr/local/lib/libepoxy.so)
===>   mlt-6.12.0_2 depends on shared library: libmovit.so - found (/usr/local/lib/libmovit.so)
===>   mlt-6.12.0_2 depends on shared library: libsamplerate.so - found (/usr/local/lib/libsamplerate.so)
===>   mlt-6.12.0_2 depends on shared library: libsox.so - found (/usr/local/lib/libsox.so)
===>   mlt-6.12.0_2 depends on shared library: libswfdec-0.8.so - not found
===>   swfdec-0.8.4_6 depends on package: pkgconf>=1.3.0_1 - found
===>   swfdec-0.8.4_6 depends on package: gstreamer-ffmpeg>=0.10.0 - not found
===>  gstreamer-ffmpeg-0.10.13_6 has known vulnerabilities:
gstreamer-ffmpeg-0.10.13_6 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-8663
CVE: CVE-2015-8662
WWW: https://vuxml.FreeBSD.org/freebsd/4bae544d-06a3-4352-938c-b3bcbca89298.html

gstreamer-ffmpeg-0.10.13_6 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-8365
CVE: CVE-2015-8364
CVE: CVE-2015-8363
CVE: CVE-2015-8219
CVE: CVE-2015-8218
CVE: CVE-2015-8217
CVE: CVE-2015-8216
CVE: CVE-2015-6761
WWW: https://vuxml.FreeBSD.org/freebsd/b0da85af-21a3-4c15-a137-fe9e4bc86002.html

gstreamer-ffmpeg-0.10.13_6 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-6826
CVE: CVE-2015-6825
CVE: CVE-2015-6824
CVE: CVE-2015-6823
CVE: CVE-2015-6822
CVE: CVE-2015-6821
CVE: CVE-2015-6820
CVE: CVE-2015-6819
CVE: CVE-2015-6818
WWW: https://vuxml.FreeBSD.org/freebsd/3d950687-b4c9-4a86-8478-c56743547af8.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make[7]: stopped in /usr/ports/multimedia/gstreamer-ffmpeg
*** Error code 1

Stop.
make[6]: stopped in /usr/ports/multimedia/gstreamer-ffmpeg
*** Error code 1

Stop.
make[5]: stopped in /usr/ports/graphics/swfdec
*** Error code 1

Stop.
make[4]: stopped in /usr/ports/graphics/swfdec
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/multimedia/mlt
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/multimedia/mlt
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/multimedia/kdenlive
*** Error code 1

Stop.
make: stopped in /usr/ports/multimedia/kdenlive
root@freebsd:/usr/ports/multimedia/kdenlive #
Is it possible to fix this in a secure way, without vulnerabilities? Or should I wait for a fix by the developers?
And is it possible to remove all the packages that were installed during the failed kdenlive port installation?

Thank you very much for your support
 
In a very secure context, such as a big corporation, one should remove any "insecure" packages...
But for most of us, who are not dealing with sensitive data and are not running some HTTP website...

So personally, and I warn you this is not good advice at all, I override such messages and force the build with the option:

Code:
DISABLE_VULNERABILITIES=yes

In fact, the problem is probably located in FFMPEG (as a consequence, gstreamer-ffmpeg, a forward dependency of FFMPEG, is impacted), which has had many, many flaws for years now. At the beginning I was waiting for "fixes" but in fact the fixes never come....

If you want to override these flaws, you should deactivate many options in the FFMPEG port, which restricts its use.
So I insert the following code in /etc/make.conf, to ignore vulnerability issues globally and transparently on every update.

Code:
# matches every port directory under the ports tree, so the override is global
.if ${.CURDIR:M*/*/*}
DISABLE_VULNERABILITIES=yes
.endif

This is HORRIBLE advice... yes, I accept that.
In order to limit the impact of this very bad advice, you can write in your /etc/make.conf:

Code:
# matches only the multimedia/ffmpeg port directory
.if ${.CURDIR:M*/multimedia/ffmpeg}
DISABLE_VULNERABILITIES=yes
.endif

But... you should also do that for all FFMPEG forward dependencies, such as gstreamer-ffmpeg, kdenlive....
This can be painful work... this is the reason why I switched to the first solution.

Vulnerabilities can be checked with:

Code:
pkg audit -F

And as a reminder, if you are a newbie... check FreeBSD kernel/world vulnerabilities too.
Kernel/world security issues are reported on this site on the welcome page.

Code:
freebsd-update fetch

As a common user, not an administrator supervising a company like Boeing, what is important to me are the programs I consider critical according to my use.
For example, if Chromium is marked as vulnerable, I don't use Chromium until it is fixed.
For FFMPEG, programs like VLC that make use of FFMPEG do not have continuous access to the web (in most cases I just run VLC to play local video files), so I don't consider FFMPEG vulnerabilities so critical.

So I try to evaluate the real probability that a given exploit may be used in my specific context.

Moreover... let's say... your Samba server is found vulnerable; will you deinstall it?
No, you can't, because it is a critical process in your network. So while waiting for fixes, you will take temporary measures, such as defining temporary restrictions, to reduce the risk.

If we dig further, sometimes a specific new release fixes some vulnerabilities, but not all, so the port is still marked as vulnerable.
But... one can understand that replacing the current insecure package with a new "less insecure" package is a better solution than waiting 3 more weeks to install the future release that fixes all the vulnerabilities.

For all these reasons, a long time ago, I decided to globally override the vulnerability messages that were finally just annoying me.

What is important to me is:
  • always updating kernel/world on security issues
  • checking the vulnerability report daily, and deciding myself what to do, but NOT BLOCKING the update building process globally
In some cases, yes, I will decide to remove the package.
In some cases I choose to keep the package but not to run the program (I just quarantine the program).
In some cases I can choose to block a new update (in /etc/make.conf I just add the line "IGNORE= Waiting for vulnerabilities fixes" for the specified port).
etc. etc.
 
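The reply above describes three pieces of manual work: reading `pkg audit -F` output, writing a per-port `.if ${.CURDIR:M...}` stanza instead of the global one, and holding a port with `IGNORE=`. The script below is an added example written for this page, not code from the thread or from FreeBSD. `audit_summary`, `cve_count`, `scoped_stanza` and `hold_stanza` are hypothetical helper names; the sample audit text is constructed from the gstreamer-ffmpeg output posted earlier in the thread, so the script runs offline (replace it with `pkg audit -F | audit_summary` on a live system).

```shell
#!/bin/sh
# Added example (not from the thread): triage pkg audit output per package and
# generate make.conf stanzas that limit the override to named port origins.

# Constructed sample in the format pkg audit prints; copied from the thread's
# gstreamer-ffmpeg-0.10.13_6 entries. Replace with real output on a live host.
SAMPLE_AUDIT='gstreamer-ffmpeg-0.10.13_6 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-8663
CVE: CVE-2015-8662
WWW: https://vuxml.FreeBSD.org/freebsd/4bae544d-06a3-4352-938c-b3bcbca89298.html

gstreamer-ffmpeg-0.10.13_6 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-8365
CVE: CVE-2015-8364
CVE: CVE-2015-8363
CVE: CVE-2015-8219
CVE: CVE-2015-8218
CVE: CVE-2015-8217
CVE: CVE-2015-8216
CVE: CVE-2015-6761
WWW: https://vuxml.FreeBSD.org/freebsd/b0da85af-21a3-4c15-a137-fe9e4bc86002.html

gstreamer-ffmpeg-0.10.13_6 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-6826
CVE: CVE-2015-6825
CVE: CVE-2015-6824
CVE: CVE-2015-6823
CVE: CVE-2015-6822
CVE: CVE-2015-6821
CVE: CVE-2015-6820
CVE: CVE-2015-6819
CVE: CVE-2015-6818
WWW: https://vuxml.FreeBSD.org/freebsd/3d950687-b4c9-4a86-8478-c56743547af8.html'

# audit_summary: read pkg audit text on stdin and print one line per package:
#   "<package> <number of CVEs> <number of VuXML advisories>"
# A package that appears in several advisories is aggregated into one line.
audit_summary() {
    awk '
        / is vulnerable:$/ { pkg = $1; adv[pkg]++ }
        /^CVE: /          { cve[pkg]++ }
        END {
            for (p in cve) printf "%s %d %d\n", p, cve[p], adv[p]
        }
    ' | sort
}

# cve_count PKG: total CVEs listed for PKG in the constructed sample
cve_count() {
    printf '%s\n' "$SAMPLE_AUDIT" | audit_summary | awk -v p="$1" '$1 == p { print $2 }'
}

# scoped_stanza ORIGIN...: emit a make.conf block per port origin, e.g.
# "multimedia/ffmpeg", so DISABLE_VULNERABILITIES applies only to those ports.
scoped_stanza() {
    for origin in "$@"; do
        printf '.if ${.CURDIR:M*/%s}\nDISABLE_VULNERABILITIES=yes\n.endif\n' "$origin"
    done
}

# hold_stanza ORIGIN REASON: emit a make.conf block that blocks building ORIGIN
# until you remove it, using the IGNORE= approach mentioned in the reply.
hold_stanza() {
    printf '.if ${.CURDIR:M*/%s}\nIGNORE=\t%s\n.endif\n' "$1" "$2"
}

# Demo on the constructed sample (on a real host: pkg audit -F | audit_summary)
printf '%s\n' "$SAMPLE_AUDIT" | audit_summary
scoped_stanza multimedia/ffmpeg multimedia/gstreamer-ffmpeg
hold_stanza www/chromium "Waiting for vulnerabilities fixes"
```

The summary line makes the decision the reply talks about concrete: here one package carries 19 CVEs across three advisories. The scoped stanzas only switch off the check for the origins you list; every other port still stops at the audit, which is the whole point of preferring them over the `*/*/*` pattern.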
SirDice, thank you very much! I tried the command you advised me and it seems to work really well.
Do you know any valid alternatives to kdenlive that can be installed using packages?
Code:
$ pkg autoremove
pkg: Insufficient privileges to autoremove packages
$ sudo pkg autoremove
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 56 packages:

Installed packages to be REMOVED:
    automake-1.16.1_1
    autoconf-2.69_2
    autoconf-wrapper-20131203
    cmake-3.13.3
    movit-1.6.2_1
    eigen-3.3.7
    evdev-proto-4.19
    frei0r-1.6.1
    gmake-4.2.1_3
    help2man-1.47.8_1
    sox-14.4.2_3
    lame-3.100_2
    libid3tag-0.15.1b_1
    libtool-2.4.6_1
    libuv-1.25.0
    m4-1.4.18_1,1
    ninja-1.8.2_1,2
    opusfile-0.10
    p5-Locale-gettext-1.07
    texinfo-6.5_4,1
    p5-Locale-libintl-1.31
    p5-Text-Unidecode-1.30
    p5-Unicode-EastAsianWidth-1.40
    pkgconf-1.6.0,1
    py27-Jinja2-2.10
    py27-sphinx-1.6.5_1,1
    py27-Babel-2.6.0
    py27-MarkupSafe-1.0
    py27-alabaster-0.7.6
    py27-cryptography-2.3
    py27-openssl-18.0.0
    py27-urllib3-1.22,1
    py27-requests-2.21.0
    py27-asn1crypto-0.22.0
    py27-certifi-2018.11.29
    py27-cffi-1.11.5
    py27-chardet-3.0.4
    py27-cython-0.29
    py27-docutils-0.14_3
    py27-idna-2.7
    py27-imagesize-0.7.1
    py27-ipaddress-1.0.22
    py27-pycparser-2.18
    py27-pygments-2.3.0
    py27-pysocks-1.6.8
    py27-snowballstemmer-1.2.0_1
    py27-pystemmer-1.3.0_2
    py27-pytest-runner-2.11.1
    py27-pytz-2018.9,1
    py27-setuptools_scm-3.1.0
    py27-sphinx_rtd_theme-0.4.2
    py27-sphinxcontrib-websupport-1.1.0
    py27-typing-3.6.4
    qt5-buildtools-5.12.0_2
    qt5-qmake-5.12.0_2
    rhash-1.3.5

Number of packages to be removed: 56

The operation will free 177 MiB.

Proceed with deinstalling packages? [y/N]:

Thanks Wozzeck.Live for the useful info.
 