Subject: Re: pkgsrc gnome nss PKG_VUL..
To: None <agtdino@teleline.es>
From: David H. Gutteridge <dhgutteridge@sympatico.ca>
List: pkgsrc-users
Date: 03/15/2007 22:45:23
>Hello List,
>
>I'm new to NetBSD and I'm reading the pkgsrc guide, but I'm having trouble
>building the GNOME desktop. I get ALLOW_VULNERABLE_PACKAGES with the
>package nss; the exact output is
>
>---
>
>WARN: Makefile:3: This package should be updated to 3.11.4.
>WARN: Makefile:5: Please use
>${MASTER_SITE_MOZILLA:=security/nss/releases/NSS_3_11_RTM/src/} instead
>of
>"ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_RTM/src/".
>NOTE: Makefile:45: Trailing white-space.
>NOTE: Makefile:48: Trailing white-space.
>WARN: Makefile:49: Please don't use @comment in SUNOS_FALSE.
>WARN: Makefile:66: Please don't use @comment in SUNOS_TRUE.
>NOTE: Makefile:67: Trailing white-space.
>WARN: patches/patch-ab:13: Found absolute pathname: /bin/tar
>0 errors and 5 warnings found.
>=> Required installed package digest>=20010302: digest-20060826 found
>===> Checking for vulnerabilities in nss-3.11
>ERROR: ssl-buffer-overflow vulnerability in nss-3.11 - see
>http://www.mozilla.org/security/announce/2007/mfsa2007-06.html for more
>information
>nss
>
>Stop.
>make: stopped in /usr/pkgsrc/devel/nss
>
>----
>
>I updated the pkgsrc tree (cvs -P pkgsrc), but nothing changed.
>
>How should I proceed to download the update and compile it? I'm so
>confused, so I hope somebody can help me.

Hello,

Yes, nss 3.11.4 has a vulnerability listed in pkg-vulnerabilities.  It
hasn't been updated in pkgsrc yet; that's why you're not seeing a
change when you update via CVS.  I have filed a PR on this; it's here:
http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=35982

If you want to get around this, defining the variable you mentioned
above will do the trick, e.g. (in ksh):

export ALLOW_VULNERABLE_PACKAGES=yes

You will get nss 3.11.4 as a result.  The thing to watch out for when
doing this is of course that you could end up with a bunch of
vulnerable packages.  If only nss is the problem, I'd recommend
building nss on its own with that variable set to "yes", then change
the variable to "no" afterward (or just do away with it).

I take it from the nss documentation that 3.11.5 should be backwards-
compatible with 3.11.4, so you could build 3.11.4 now, then use
"make replace" to bump versions later.

Regards,

Dave

PS I've posted this to pkgsrc-users@netbsd.org instead of netbsd-help@
netbsd.org, as the former list is the one you want for pkgsrc questions.
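As an added illustration of the advice above (not part of the thread), the following sh script scopes the override to a single make invocation for one package instead of exporting it into the shell, so later builds still get the vulnerability check. It assumes the pkgsrc tree is at /usr/pkgsrc and that make can be overridden via MAKE.

```shell
#!/bin/sh
# Added example, not from the thread: build one pkgsrc package with the
# vulnerability check overridden for that single make invocation only.
# Assumptions: PKGSRCDIR defaults to /usr/pkgsrc; MAKE defaults to make
# (set MAKE=bmake on non-NetBSD hosts, or to a stub when testing).

: "${PKGSRCDIR:=/usr/pkgsrc}"
: "${MAKE:=make}"

# Return 0 when ALLOW_VULNERABLE_PACKAGES is not in the shell environment.
# This is the state you want once the one vulnerable package is built.
override_is_unset() {
    [ -z "${ALLOW_VULNERABLE_PACKAGES:-}" ]
}

# Print the command that would be run for a package path such as devel/nss.
# The override is passed as a make variable rather than exported, so only
# this invocation sees ALLOW_VULNERABLE_PACKAGES=yes.
build_cmd() {
    printf '%s\n' "cd $PKGSRCDIR/$1 && $MAKE ALLOW_VULNERABLE_PACKAGES=yes install clean"
}

# Build the package in a subshell (so the cd does not leak), then confirm
# the override did not end up in the environment for subsequent builds.
build_one_vulnerable_pkg() {
    pkgpath=$1
    ( cd "$PKGSRCDIR/$pkgpath" && "$MAKE" ALLOW_VULNERABLE_PACKAGES=yes install clean ) || return 1
    override_is_unset
}
```

Run it as `build_one_vulnerable_pkg devel/nss`; everything built afterwards in the same shell is checked against pkg-vulnerabilities as usual.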