# Newbie: Updating libtool 2.2.6a



## baodad (Dec 21, 2009)

I'm a FreeBSD newbie and this is my first post to the forums.  So as they say in Japanese: "Yoroshiku!"

I took the recommended course of installing portaudit so I could make sure my system is secure.  It immediately found a vulnerability in libtool 2.2.6a, and recommended that I update or deinstall immediately.

My questions are:
1. How should I go about updating libtool?
2. How can I be sure that the old vulnerable libtool is gone when I'm done?

Any links to helpful sites would be appreciated.  If CVSup is the answer, I'd really like to just update my ports collection, and not download all the source for everything.


----------



## bjs (Dec 21, 2009)

use portupgrade, it will install the a newer version if one is available and remove the previous one for you


----------



## mickey (Dec 21, 2009)

Start reading here:
Using the Ports collection

Section 4.5.1 shows you methods to obtain and update your ports tree

Section 4.5.4 covers the topic of updating your installed software


----------



## baodad (Dec 22, 2009)

I compiled portupgrade and portmanager.  I tried

portmanager -u

but it told me that all my ports are up-to-date, including the libtool-2.2.6a which portaudit told me was a security risk.

Then I tried

portupgrade -a

but that didn't do much of anything except rebuild my pkgdb and then quit.


----------



## DutchDaemon (Dec 22, 2009)

You'll need to update your ports tree, or portupgrade/portmanager (choose *one* tool for upgrading your ports, don't use them together) won't find anything to update.


----------



## baodad (Dec 22, 2009)

I would have hoped that portupgrade or portmanager would check against an online database of most current versions.  I would think that is what it's doing.  But then it's disappointing that portaudit would find a vulnerability that portmanager wouldn't know to upgrade.

In any case, I appreciate all of your help.  I'm just stumbling along as best I can.  If portupgrade and portmanager are not the answers, I can start looking in to CVSup...  Then I would be getting libtool source that I would need to build myself, right?


----------



## DutchDaemon (Dec 22, 2009)

Look into portsnap(8), the preferred tool. That is a tool to update your ports _tree_. Tools like portupgrade are for upgrading your _installed_ ports. And you can use pkg_version(1) to see which ports actually need upgrading. It's all in The Handbook, really.


----------



## baodad (Dec 22, 2009)

I know it's all in the Handbook, but it helps to have the voice of experience.  For instance, you just told me that portsnap is the preferred tool for updating my ports tree.  The Handbook can't tell me that - reading the Handbook had me trying portupgrade, portmanager, and CVSup.

I love The Handbook!  And I'm very thankful it's available.  It's a great resource.  I don't mean to ask questions that I should look up myself.  I just wanted a little confirmation from some of you who have "been there, done that."

THANKS!

I hope I can get the next secure version of libtool using portsnap.  I'll let you know, but I'll have to try again later on tonight.


----------



## baodad (Dec 25, 2009)

OK, here's my update.

I ran portsnap, but it didn't fetch the newest secure version of libtool-2.2.6b.

I tried pkg_add libtool, but that installs the problematic 2.2.6a version as well.

I was able to ftp the new libtool-2.2.6.tbz from ftp.FreeBSD.org, but that contains the binaries, which I don't know what to do with.  I could just go ahead and copy them to my bin directory, but would portaudit know what I have done?

The only thing I've yet to do is run csup, which is kind of scary because I don't exactly know where to point it, and all I really want is libtool right now.  But csup makes it really hard to just get one port.


----------



## DutchDaemon (Dec 25, 2009)

You must be doing something wrong with portsnap, because libtool 2.2.6b has been in the ports tree since Nov 28.


```
$ head -9 /usr/ports/devel/libtool22/Makefile
# New ports collection makefile for:	libtool
# Date created:		6 May 1998
# Whom:			Motoyuki Kasahara <m-kasahr@sra.co.jp>
#
# $FreeBSD: ports/devel/libtool22/Makefile,v 1.3 2009/11/28 20:32:29 kwm Exp $
#

PORTNAME?=	libtool
PORTVERSION=	2.2.6b
```

What portsnap commands do you use?


----------



## zeiz (Dec 25, 2009)

It's not a great practice to update just 1 port. It may have dependencies sometimes in surprising categories. Your whole work may be not just useless but destructive and then you may post weird error messages nobody can understand. Updating all the tree takes a few minutes and a few MB on disk, why not update everything? I'm doing it daily some others put this task on cron that is more professional but I enjoy updating.

How portaudit knows that something is not quite secure? Because a dev put the info in db after some other devs discovered and confirmed the vulnerability. Well I know that my car is broken but I must bring it to a mechanic to fix. It takes time. Same here. I wouldn't be surprised if tomorrow you update your ports again and this time you get new improved version. Perhaps not tomorrow but 2-3 days later but do you really believe that somebody will hack exactly your box with all your top secrets in these 2-3 days? Do you also believe that `portaudit` is so genious that "knows" ALL the vulnerabilities?

Back to libtool. I'm opening a terminal and type:

```
$ ls /var/db/pkg |grep libtool
libtool-2.2.6b
```
Looks like I got rid of problematic "a" version without even knowing that it's problematic (thanks devs! oh, thanks a lot!).
I use `portsnap` to update my port tree. Some others use `csup`. What is the difference? Csup pulls DELTAS from online port tree, please note: not all from scratch again but only differences if any. That's great but sometimes if you are not lucky you may get a "snapshot-of-your-own" that is incomplete: something already updated but some important depend will be committed in 2 sec after you already got you "snapshot" as is.
Portsnap searches for latest snapshot done professionally without such a 2 sec surprises. Yes, it's 1-2 hour older that what you can get with csup but it's complete. Another good news is that portsnap also pulls only deltas and not everything from scratch. Why *DD* called it "preferred"? Because it's complete and fast. In 10 sec you can update your entire port tree, that's what you want, don't you?
Both csup and portsnap create their own INDEX-N file (where N is FreeBSD branch number, INDEX-8 for instance). If you use csup and then portsnap you may have some problems, tell us if you already did so.
I didn't work with portmanager but portmaster and portupgrade look in that INDEX file instead of looking for something online.
So if you have outdated port tree those great tools will show you what you have in that outdated INDEX. 
Update your port tree, get new INDEX and run `# pkg_version -vIL=` you will be given all your ports to be updated with old version and new version each. Then you may want to run `# portupgrade -a` and sit on back (not quite smart) or analyze the list given and choose what to update first for example libtool 
Summary:

```
# portsnap fetch update ## note1
# pkg_version -vIL=     ## note2
# portupgrade -a        ## note3
```
note1: if you use `portsnap` for the first time run `# portsnap fetch extract` yes, this first time it'll take a while
note2: you may want to run `# pkg_version -v` to see all your ports including up-to-date ones.
note3: explained above.

PS. For sure all of that is from Handbook that also has links to manpages although you can invoke a manpage by running `man <command>` for example `man portsnap` or `man portupgrade`.


----------



## baodad (Dec 25, 2009)

Once again, thank you all for your time and patience.  It may not seem like it, but I am referencing the man pages and the Handbook.  It's just that I haven't read EVERY man pages or ALL the Handbook.  When I read man pages, I usually just search for what I'm looking for, because there's so much information there and a lot of it I just can't understand the application of at this point.  That's why I appreciate your tips and guidance.

DD, I ran portsnap fetch.
What I did NOT do was run portsnap extract.  I am using the ports collection I installed from the 8.0 RELEASE CD, and correct me if I am wrong but I am starting to think this is not the "preferred" way of getting the ports collection.  I should have skipped the install from the CD, and just used portsnap, right?

It's getting late, and I need to be in bed because Santa won't come until we're asleep, right?  But my next step will be to follow zeiz's directions to portsnap fetch extract (that's what you mean when you say "updating the ports tree," right?) and your subsequent steps.

Merry Christmas!


----------



## zeiz (Dec 25, 2009)

> I am using the ports collection I installed from the 8.0 RELEASE CD, and correct me if I am wrong but I am starting to think this is not the "preferred" way of getting the ports collection. I should have skipped the install from the CD, and just used portsnap, right?



Depends. Some people have bad or none internet access or slow processor etc. 
It's also not bad idea to anybody to just update ports from internet instead of downloading them all. 
In your case just update your existing ports and that is it. 
However if you suspect you've made a mess there delete all ports first:
`# rm -rf /usr/ports/*`
then fetch and extract new ports: 
`# portsnap fetch extract`
then next time you only need to update ports:
`# portsnap fetch update`


And don't worry: we work for Santa part time


----------



## Pegasus711 (Mar 15, 2010)

Hello guys,

I have an issue in this regard as well. Now I want to install _open-vm-tools_ on my vmware box (windows host). The thing is that the installation fails at libnotify since the version of libtools installed is (_I think_) the latest one available with version 7.2. Well, Ive done _portupgrade -R libtool_ and it basically tells me that it is excluding up-to-date packages. I followed it up with _pkg_add -rv libtool_ which gives me libtool-1.5.26 or its older version already installed.

How do I go about updating the libtool to 2.2b (as a seems to be  problematic)? Keen to hear from u people


----------



## DutchDaemon (Mar 15, 2010)

See entry 20090802 in /usr/ports/UPDATING.


----------



## baodad (Mar 17, 2010)

DutchDaemon knows what he's talking about.  But FWIW, as a BSD-newbie, I'll just tell you that I was never quite able to fix this problem.  However, here's what I learned from it:

Never install the ports collection from the install CD.  They are soon outdated after the release.  Now I do a basic install, and then I use portsnap fetch and extract to install the (most recent) ports collection.  Last time I did this, I got the most recent version of libtool (2.2b).

Of course, you're probably not wanting to do a complete reinstall...


----------



## Pegasus711 (Mar 17, 2010)

Well..to begin with, I changed the PACKAGESITE env variable to point to the latest directory in the freebsd ftp site. Then all went fine until pkg_add crashed saying something was wrong with getcwd(3). On googling realised its a bug.

Then I did see dutchdeamon's post above and realized I might as well uninstall libtool1.5 and then install libtool2.2 from the ports which I did. Seems to be working for now. I do not know if some earlier dependencies might be affected. Can I create a symlink for libtool1.5 to this later version or should it be a hardlink?

Keen to hear frm you guys,


----------



## moosejaw (Mar 17, 2010)

baodad said:
			
		

> DutchDaemon knows what he's talking about.  But FWIW, as a BSD-newbie, I'll just tell you that I was never quite able to fix this problem.



By "never able to fix this problem", do you mean that you still have libtool 2.2.6a installed?

I'm also a FreeBSD newb.  I've found ports lovely and simple to use, but its differences from, say, many Linux package management systems can present a basic conceptual challenge at first.  My advice as a fellow novice: keep in mind that keeping ports up to date involves two distinct processes with two distinct (sets of) tools: 

1. Updating your ports tree (e.g., with portsnap). 
2. Updating/upgrading installed ports (e.g., with portupgrade or portmanager).

Your ports tree is your system's (local) source of info about what the latest versions of ports are.  portupgrade and portmanager check your local ports tree when deciding what needs updating/upgrading; if they find out-of-date ports, they will automatically download and install the new software.  But they have to know that the ports are out of date to begin with, and they can only know this if you've kept your tree up to date, e.g. with portsnap.  By the same token, portsnap fetches up-to-date info about ports and updates your local ports tree, but it won't download or install any software on its own.

portaudit is a third kind of tool: it fetches info remotely about security vulnerabilities and reports back any known problems with ports that you have installed.  If portaudit tells you that you have a vulnerable port, then you must perform both steps above to update your system: 1. update your tree with portsnap (this gets the new and secure port info into your local tree), 2. update your vulnerable port(s) (or all your ports, as zeiz recommends above) with portupgrade or portmanager (this downloads and installs the new and secure software specified in your newly up-to-date ports tree).

I hope this is helpful (and apologies if any of it is wrong, which would be a shame; as I said, I'm also new at this).


----------



## baodad (Mar 19, 2010)

By "never was able to fix the problem," I mean I scrapped that install, started over.  That's kind of how I'm learning BSD.  I've probably done about 10+ installs in the past few years, just trying to learn how to setup and configure FreeBSD.

Thanks for the clarification about the ports collection.  I think I've finally come to understand it, and I'm starting to rely on searching the ports for what I need rather than use pkg_add -r.  I learned that you can search the ports collection by cd-ing to /usr/ports and then typing make search name="<<package>>" or else make search key="<<keyword>>"  Then all you have to do is cd to that port directory and type make install clean.

I've learned how to use portsnap and portaudit, but I've been frustrated at portupgrade because it makes me install ruby as a dependency (that just seems to me to go against the *nix philosophy of having small, powerful, independent apps).  I'd like to try portmanager and see if it's a little lighter.


----------



## DutchDaemon (Mar 19, 2010)

Most of us portupgrade converts switched to ports-mgmt/portmaster, I believe. You'll find much more knowledge about portmaster than about portmanager on these forums. For easy searching in the ports tree consider ports-mgmt/psearch.


----------



## baodad (Mar 20, 2010)

*Freshports?*

DD,

I noticed your portmaster link was to FreshPorts.org.  If I understand correctly, that is just a place to get more information about the ports in the ports tree, right?


----------



## DutchDaemon (Mar 20, 2010)

More or less, yes. Consider it a web-based front-end to the ports tree, which also tells you how to install the port (or the package) on your system.


----------

