# Can't update some ports



## xy16644 (Nov 8, 2009)

I updated my port tree today and when I updated the ports that were out of date (there were many!) 2 of them would not update. These were wordpress-2.8.4,1 and php5-gd-5.2.11.

Wordpress wouldn't update because it first needed to have php5-gd-5.2.11 updated to php5-gd-5.2.11_1. The only problem is, when I try to update php5-gd it says:


```
alpha# make install
===>  php5-gd-5.2.11_1 has known vulnerabilities:
=> gd -- '_gdGetColors' remote buffer overflow vulnerability.
   Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.
```

I understand now why Wordpress won't update but how do I update php5-gd first? My ports tree is up to date as of 10min ago!

Can someone help? This has me baffled! :\


----------



## mickey (Nov 8, 2009)

The port graphics/gd is marked as having known vulnerabilities. Either these issues are yet unsolved, or the vulnerability database has not yet been updated. You may use this command to check for an updated database:


```
portaudit -Fa
```


----------



## xy16644 (Nov 8, 2009)

mickey said:

> The port graphics/gd is marked as having known vulnerabilities. Either these issues are yet unsolved, or the vulnerability database has not yet been updated. You may use this command to check for an updated database:
> 
> 
> ```
> ...



I just ran that command and it said:

```
alpha# portaudit -Fa
auditfile.tbz                                 100% of   58 kB 5363  Bps 00m00s
New database installed.
Affected package: php5-gd-5.2.11
Type of problem: gd -- '_gdGetColors' remote buffer overflow vulnerability.
Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
```

But when I try to run:

```
portmanager -u
```

I still get the same error saying it won't update due to the vulnerability in it.

Anything else I can do/try? :e


----------



## mickey (Nov 8, 2009)

xy16644 said:

> Anything else I can do/try? :e



I had this once with another port, and am currently having the same issue with gd on all of my machines.
If you are certain that, the updated version in the ports tree has fixed the vulnerability, you could disable the vulnerability check, and install the updated version. Otherwise just wait a few days, until someone has updated the vulnerability database, I'm sure the problem will then go away.


----------



## xy16644 (Nov 8, 2009)

Thanks mickey.

I will wait another week and update the ports tree and then try again.

I don't really want to disable vulnerability checking...


----------



## DutchDaemon (Nov 8, 2009)

Well, if you can't deinstall php5-gd anyway (which means you're prepared to live with the vulnerability in whatever version), you might as well overrule the vulnerability check and at least upgrade it and Wordpress (which should be at the latest version).

Run `export/setenv DISABLE_VULNERABILITIES=yes` (depending on your shell), and run the ports upgrade again.


----------



## xy16644 (Nov 8, 2009)

DutchDaemon said:

> Well, if you can't deinstall php5-gd anyway (which means you're prepared to live with the vulnerability in whatever version), you might as well overrule the vulnerability check and at least upgrade it and Wordpress (which should be at the latest version).
> 
> Run `export/setenv DISABLE_VULNERABILITIES=yes` (depending on your shell), and run the ports upgrade again.



If I run setenv I get the following:

```
alpha# setenv DISABLE_VULNERABILITIES=yes
setenv: Syntax Error.
```

I can type setenv and it returns many values. I am running the /bin/csh shell.


----------



## DutchDaemon (Nov 8, 2009)

Try 'set' then.


----------



## vitek16 (Nov 8, 2009)

DutchDaemon said:

> Try 'set' then.



try setenv DISABLE_VULNERABILITIES =yes


----------



## DutchDaemon (Nov 8, 2009)

Should all work:


```
setenv DISABLE_VULNERABILITIES =yes
setenv DISABLE_VULNERABILITIES yes
set DISABLE_VULNERABILITIES=yes
```


----------



## mickey (Nov 8, 2009)

DutchDaemon said:

> Should all work
> 
> 
> ```
> ...



Actually they don't :stud
At least if you're using tcsh:


```
$ setenv HONK=blah
setenv: Syntax Error.

$ setenv HONK =blah
$ echo $HONK
=blah
```

setenv in tcsh works without the '=' sign, like:


```
setenv DISABLE_VULNERABILITIES "yes"
```


----------



## crsd (Nov 8, 2009)

And usually the ports system (and not only) doesn't check the value of the variable, only whether it's set, so

```
setenv DISABLE_VULNERABILITIES =yes
```
might work.


----------



## DutchDaemon (Nov 8, 2009)

Yeah, I tested in 'csh', not 'tcsh'. I know they're the same file, but they do behave differently when invoked from the console 

Anyhoo, we seem to have crossed some borders by now  Back on topic!


----------



## xy16644 (Nov 8, 2009)

crsd said:

> And usually the ports system (and not only) doesn't check the value of the variable, only whether it's set, so
> 
> ```
> setenv DISABLE_VULNERABILITIES =yes
> ...



This seemed to do the trick, thanks everyone! I was now able to upgrade Wordpress. By enabling this vulnerability option, is my server at risk in any way? Or should I set the option to no again?

Now if I could just get this port to update once and for all:

```
openssh-portable-overwrite-base-5.2.p1_1,1  <   needs updating (index has 5.2.p1_2,1)
```

I seem to have continual issues with this one. It always seems to loop and then not update itself! Is there a way to update it or get portmanager to ignore it (not sure if this is a good idea!)?


----------



## DutchDaemon (Nov 9, 2009)

As soon as you exit from that shell, this setting will be gone. Note that 'disable_vulnerabilities' only disables the _warnings_ from portaudit, nothing more. Note that the only real way to get rid of that warning is to deinstall that port, but that is simply not always possible. So you're not at any greater risk than before: you're simply still running a port that's vulnerable according to portaudit.

Wrt that openssh port: that depends on the error. Maybe it needs FORCE_PKG_REGISTER or something like that, but we won't know until we see the actual error ..


----------



## xy16644 (Nov 9, 2009)

DutchDaemon said:

> As soon as you exit from that shell, this setting will be gone. Note that 'disable_vulnerabilities' only disables the _warnings_ from portaudit, nothing more. Note that the only real way to get rid of that warning is to deinstall that port, but that is simply not always possible. So you're not at any greater risk than before: you're simply still running a port that's vulnerable according to portaudit.
> 
> Wrt that openssh port: that depends on the error. Maybe it needs FORCE_PKG_REGISTER or something like that, but we won't know until we see the actual error ..



After running portmanager it says:

```
00152 havepenssh-portable-5.2.p1_2,1         /security/openssh-portable          built with OLD dependency: openssl-0.9.8k_2
========================================================================
skipping openssh-portable-5.2.p1_2,1 /security/openssh-portable marked IGNORE reason: looping, 3rd attempt at make
```


----------



## DutchDaemon (Nov 9, 2009)

Ah, 'marked IGNORE':


```
/usr/ports/security/openssh-portable]$ make fetch
===>  openssh-portable-5.2.p1_2,1 is marked as broken: does not link.
```


```
.if ${OSVERSION} >= 800000
.if !defined(WITHOUT_KERBEROS)
BROKEN=         does not link
.endif
.endif
```


```
.if defined(WITH_X509) && ( defined(WITH_HPN) || defined(WITH_LPK))
BROKEN=         X509 patch incompatible with HPN and LPK patches
.endif
```
So it can't be updated right now. Wait for a patch or a new version.


----------



## xy16644 (Nov 9, 2009)

Thank you!


----------



## DutchDaemon (Nov 9, 2009)

By the way:

If you're on FreeBSD 8, choosing 'make config' and then disabling Kerberos (remove the [x]) will let it build. So if you don't need Kerberos, try that.

If you're not on FreeBSD 8, you'll need to uncheck X509 (which is not on by default).


----------



## DutchDaemon (Nov 9, 2009)

Note: a patched version of this port is coming soon.


----------



## mickey (Nov 10, 2009)

FWIW, yesterday evening, after pulling a fresh copy of the vulnerability database, I was able to update gd without having to disable vulnerability checks.

Looks as if someone has updated the database


----------



## DutchDaemon (Nov 10, 2009)

Yes, the old version of the vulnerability database said that _every_ version of php5-gd was vulnerable (to be specific "php5-gd > 0"), whereas now it reads:


```
php5-gd <5.2.11_2
```

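To see why the two database entries behave so differently, here is an added example (not from the thread or from portaudit itself) that parses FreeBSD-style package versions `version[_revision][,epoch]` and evaluates a simplified one-sided range entry such as `php5-gd > 0` or `php5-gd <5.2.11_2` against an installed package name. It assumes a simplified component comparison (numeric parts numerically, letters lexically); the real pkg_version(1) rules have more special cases.

```python
import re

# Parse "version[_revision][,epoch]" into a tuple that sorts the way
# FreeBSD ports intend: epoch first, then dotted version, then revision.
# Assumption: each dotted component is reduced to (number, letters, number);
# pkg_version(1) has extra rules (e.g. "pl" patch levels) not modelled here.
def parse_version(v):
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for comp in v.split("."):
        num, alpha, num2 = re.match(r"(\d*)([A-Za-z]*)(\d*)", comp).groups()
        parts.append((int(num) if num else -1, alpha,
                      int(num2) if num2 else -1))
    return (epoch, tuple(parts), revision)

OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}

# Does an installed package (e.g. "php5-gd-5.2.11_1") fall inside a
# one-sided audit entry (e.g. "php5-gd <5.2.11_2")?  Entry syntax is a
# constructed simplification of the portaudit database format.
def is_affected(pkg, entry):
    name, ver = pkg.rsplit("-", 1)
    ename, op, ever = re.match(r"^(\S+?)\s*([<>]=?)\s*(\S+)$", entry).groups()
    if ename != name:
        return False
    return OPS[op](parse_version(ver), parse_version(ever))

if __name__ == "__main__":
    installed = "php5-gd-5.2.11_1"
    # Old entry flagged every version; the corrected one has an upper bound.
    for entry in ("php5-gd > 0", "php5-gd <5.2.11_2"):
        print(entry, "->", installed, "affected:", is_affected(installed, entry))
    for fixed in ("php5-gd-5.2.11_2", "php5-gd-5.2.12"):
        print("php5-gd <5.2.11_2 ->", fixed, "affected:",
              is_affected(fixed, "php5-gd <5.2.11_2"))
```

Because `> 0` matches any version, no update of the port could ever clear the old entry; with an upper bound, the first revision at or above `5.2.11_2` is no longer flagged.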

----------

