Vulnerability linux-c6-expat!

teo · Jul 6, 2018

I already updated the ports and packages, and the port failed in FreeBSD 11.2 for 64 bits.

# pkg audit -F

Code:

vulnxml file up-to-date
linux-c6-expat-2.0.1_5 is vulnerable:
expat -- multiple vulnerabilities
CVE: CVE-2017-9233
CVE: CVE-2016-9063
WWW: https://vuxml.FreeBSD.org/freebsd/e375ff3f-7fec-11e8-8088-28d244aee256.html

1 problem(s) in the installed packages found.
#

# portmaster textproc/linux-c6-expat

Code:

===>>> Currently installed version: linux-c6-expat-2.0.1_5
===>>> Port directory: /usr/ports/textproc/linux-c6-expat

===>>> Gathering distinfo list for installed ports

===>>> Launching 'make checksum' for textproc/linux-c6-expat in background
===>>> Gathering dependency list for textproc/linux-c6-expat from ports
===>>> Initial dependency check complete for textproc/linux-c6-expat


===>>> Starting build for textproc/linux-c6-expat <<<===

===>>> All dependencies are up to date

===>  Cleaning for linux-c6-expat-2.0.1_5
===>  linux-c6-expat-2.0.1_5 has known vulnerabilities:
linux-c6-expat-2.0.1_5 is vulnerable:
expat -- multiple vulnerabilities
CVE: CVE-2017-9233
CVE: CVE-2016-9063
WWW: https://vuxml.FreeBSD.org/freebsd/e375ff3f-7fec-11e8-8088-28d244aee256.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make: stopped in /usr/ports/textproc/linux-c6-expat

===>>> make build failed for textproc/linux-c6-expat
===>>> Aborting update


===>>> You can restart from the point of failure with this command line:
       portmaster <flags> textproc/linux-c6-expat

This command has been saved to /tmp/portmasterfail.txt
#

shkhln · Jul 6, 2018

And your issue is?

teo · Jul 7, 2018

shkhln said:
And your issue is?

That generates vulnerability the system in that port, and cannot be updated because it gives error.

Look what would happen if that port was removed:

# pkg delete linux-c6-expat

Code:

Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 10 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
    linux-c6-expat-2.0.1_5
    linux-c6-fontconfig-2.8.0_3
    linux-c6-dri-11.0.7_5
    linux-c6-xorg-libs-7.4_10
    linux-c6-cairo-1.8.8_8
    linux-c6-pango-1.28.1_7
    linux-flashplayer-30.0.0.113
    linux-c6-gdk-pixbuf2-2.24.1_5
    linux-c6-gtk2-2.24.23_7
    nspluginwrapper-1.4.4_7

Number of packages to be removed: 10

The operation will free 125 MiB.

Proceed with deinstalling packages? [y/N]:

shkhln · Jul 7, 2018

teo said:
That generates vulnerability the system in that port

That's not how it works.

teo said:
and cannot be updated because it gives error.

The port cannot be updated because there is no update available.

teo · Jul 7, 2018

shkhln said:
That's not how it works.

And how do you proceed so that it does not fail and works well? At first when I tried to install the emulators/linux_base-c7 port, I got an error, so I installed the emulators/linux_base-c6 port.