NetBSD Problem Report #50412

From www@NetBSD.org  Sat Nov  7 02:02:43 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 03AC6A65BA
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  7 Nov 2015 02:02:43 +0000 (UTC)
Message-Id: <20151107020241.F32C1A65BA@mollari.NetBSD.org>
Date: Sat,  7 Nov 2015 02:02:41 +0000 (UTC)
From: swimbunny2000@gmail.com
Reply-To: swimbunny2000@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Many packages to be built from source require nbpatch-20100124 which has vulnerability
X-Send-Pr-Version: www-1.0

>Number:         50412
>Category:       pkg
>Synopsis:       Many packages to be built from source require nbpatch-20100124 which has vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    joerg
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 07 02:05:00 +0000 2015
>Closed-Date:    Thu May 25 04:53:13 +0000 2017
>Last-Modified:  Thu May 25 04:53:13 +0000 2017
>Originator:     Daniel Glueck
>Release:        Trunk (which I assume is similar to 2015Q3)
>Organization:
>Environment:
Darwin Kernel Version 15.0.0: Sat Sep 19 15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64 x86_64
>Description:
I am just getting started with pkgsrc on Mac OS X, and did a bootstrap installation from the git trunk branch using ABI=64 and unprivileged. The bootstrap went fine, but many, if not all, packages seem to require nbpatch-20100124 which has a security vulnerability. If I try to "bmake" that package, I get this error: 

===> Checking for vulnerabilities in nbpatch-20100124
Package nbpatch-20100124 has a arbitrary-code-execution vulnerability, see https://www.freebsd.org/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in pkg_install.conf(5) if this package is absolutely essential.
*** Error code 1

Should I just make the selection to allow vulnerable packages, or is there some preferred way to proceed? Some web searching did not turn up a preferred solution.
>How-To-Repeat:
cd ~/pkgsrc/devel/nbpatch
bmake

>Fix:

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: misc-bug-people->pkg-manager
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sat, 07 Nov 2015 09:27:04 +0000
Responsible-Changed-Why:
pkgsrc issue


Responsible-Changed-From-To: pkg-manager->joerg
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Sat, 07 Nov 2015 11:11:10 +0000
Responsible-Changed-Why:
Over to maintainer.


State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 30 May 2016 04:15:50 +0000
State-Changed-Why:
nbpatch has been fixed; are you still having problems?


State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Thu, 25 May 2017 04:53:13 +0000
State-Changed-Why:
1-year feedback timeout


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.