NetBSD Problem Report #50412
From www@NetBSD.org Sat Nov 7 02:02:43 2015
Date: Sat, 7 Nov 2015 02:02:41 +0000 (UTC)
Subject: Many packages to be built from source require nbpatch-20100124 which has vulnerability
>Synopsis: Many packages to be built from source require nbpatch-20100124 which has vulnerability
>Arrival-Date: Sat Nov 07 02:05:00 +0000 2015
>Closed-Date: Thu May 25 04:53:13 +0000 2017
>Last-Modified: Thu May 25 04:53:13 +0000 2017
>Originator: Daniel Glueck
>Release: Trunk (which I assume is similar to 2015Q3)
Darwin Kernel Version 15.0.0: Sat Sep 19 15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64 x86_64
I am just getting started with pkgsrc on Mac OS X, and did a bootstrap installation from the git trunk branch using ABI=64 and unprivileged. The bootstrap went fine, but many, if not all, packages seem to require nbpatch-20100124 which has a security vulnerability. If I try to "bmake" that package, I get this error:
===> Checking for vulnerabilities in nbpatch-20100124
Package nbpatch-20100124 has a arbitrary-code-execution vulnerability, see https://www.freebsd.org/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in pkg_install.conf(5) if this package is absolutely essential.
*** Error code 1
Should I just make the selection to allow vulnerable packages, or is there some preferred way to proceed? Some web searching did not turn up a preferred solution.
Responsible-Changed-When: Sat, 07 Nov 2015 09:27:04 +0000
Responsible-Changed-When: Sat, 07 Nov 2015 11:11:10 +0000
Over to maintainer.
State-Changed-When: Mon, 30 May 2016 04:15:50 +0000
nbpatch has been fixed; are you still having problems?
State-Changed-When: Thu, 25 May 2017 04:53:13 +0000
1-year feedback timeout