Bug 263930

Summary: www/firefox build failure
Product: Ports & Packages
Reporter: andy
Component: Individual Port(s)
Assignee: freebsd-gecko (Nobody) <gecko>
Status: Closed Works As Intended
Severity: Affects Only Me
CC: cmt, shige
Priority: ---
Flags: bugzilla: maintainer-feedback? (gecko)
Version: Latest
Hardware: amd64
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263590

Description andy 2022-05-11 21:47:38 UTC
# uname -aK
FreeBSD FBSD14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n255391-c6df2176038: Sun May  8 16:58:58 EDT 2022     root@FBSD14:/usr/obj/usr/src/amd64.amd64/sys/MYKERNEL amd64 1400058



--->  Upgrade of www/firefox started at: Wed, 11 May 2022 17:30:55 -0400
--->  Upgrading 'firefox-99.0.1_2,2' to 'firefox-100.0_4,2' (www/firefox)
--->  Build of www/firefox started at: Wed, 11 May 2022 17:30:55 -0400
--->  Building '/usr/ports/www/firefox'
===>  Cleaning for firefox-100.0_4,2
pkg-static: Bad argument on pkg_set 554281361
===>   firefox-100.0_4,2 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by firefox-100.0_4,2 for building
===>  Extracting for firefox-100.0_4,2
=> SHA256 Checksum OK for firefox-100.0.source.tar.xz.
===>  Patching for firefox-100.0_4,2
===>  Applying FreeBSD patches for firefox-100.0_4,2 from /usr/ports/www/firefox/files
===>   firefox-100.0_4,2 depends on package: nspr>=4.32 - found
===>   firefox-100.0_4,2 depends on package: nss>=3.76 - found
===>   firefox-100.0_4,2 depends on package: icu>=70.1 - found
===>   firefox-100.0_4,2 depends on package: libevent>=2.1.8 - found
===>   firefox-100.0_4,2 depends on package: harfbuzz>=4.1.0 - found
===>   firefox-100.0_4,2 depends on package: graphite2>=1.3.14 - found
===>   firefox-100.0_4,2 depends on package: png>=1.6.37 - found
===>   firefox-100.0_4,2 depends on package: dav1d>=1.0.0 - found
===>   firefox-100.0_4,2 depends on package: libvpx>=1.8.2 - found
===>   firefox-100.0_4,2 depends on package: py38-sqlite3>0 - found
===>   firefox-100.0_4,2 depends on package: v4l_compat>0 - found
===>   firefox-100.0_4,2 depends on executable: autoconf-2.13 - found
===>   firefox-100.0_4,2 depends on executable: nasm - found
===>   firefox-100.0_4,2 depends on executable: yasm - found
===>   firefox-100.0_4,2 depends on executable: zip - found
===>   firefox-100.0_4,2 depends on file: /usr/local/share/wasi-sysroot/lib/wasm32-wasi/libc++abi.a - found
===>   firefox-100.0_4,2 depends on file: /usr/local/share/wasi-sysroot/lib/wasm32-wasi/libc.a - found
===>   firefox-100.0_4,2 depends on file: /usr/local/llvm13/lib/clang/13.0.1/lib/wasi/libclang_rt.builtins-wasm32.a - found
===>   firefox-100.0_4,2 depends on package: llvm13>0 - found
===>   firefox-100.0_4,2 depends on package: rust-cbindgen>=0.19.0 - found
===>   firefox-100.0_4,2 depends on package: rust>=1.60.0 - found
===>   firefox-100.0_4,2 depends on executable: node - not found
pkg-static: Bad argument on pkg_set 562391753
===>  node-17.0.1_1 has known vulnerabilities:
node-17.0.1_1 is vulnerable:
  Node.js -- January 2022 Security Releases
  CVE: CVE-2022-21824
  CVE: CVE-2021-44533
  CVE: CVE-2021-44532
  CVE: CVE-2021-44531
  WWW: https://vuxml.FreeBSD.org/freebsd/972ba0e8-8b8a-11ec-b369-6c3be5272acd.html

1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/www/node
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/www/node
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/www/firefox
*** Error code 1



Please advise how to proceed; FF will not build because node-17.0.1_1 is vulnerable.

Comment 1 Christoph Moench-Tegeder freebsd_committer freebsd_triage 2022-05-12 21:34:02 UTC
- the error is from www/node, not firefox (it says so right in the error message)
- the workaround is right there in the message, too
- a bug was filed against www/node (See Also) some time ago, but bhuges@ seems to have been inactive for some time?
- nothing we can do in firefox
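
The triage in Comment 1, as an added example that is not part of the original thread or of the ports tree's own tooling: a Python parser that reads such a build log and reports which port the failure originated in and which audit findings stopped it. The sample log is an excerpt of the output in this report; the function and field names are hypothetical, and the port origin is assumed to be the last two path components of the directory make stopped in.

```python
import re

# Excerpt of the build log from this report (shortened, not a new capture).
SAMPLE_LOG = """\
===>   firefox-100.0_4,2 depends on executable: node - not found
===>  node-17.0.1_1 has known vulnerabilities:
node-17.0.1_1 is vulnerable:
  Node.js -- January 2022 Security Releases
  CVE: CVE-2022-21824
  CVE: CVE-2021-44533
  WWW: https://vuxml.FreeBSD.org/freebsd/972ba0e8-8b8a-11ec-b369-6c3be5272acd.html

1 problem(s) in 1 installed package(s) found.
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/www/node
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/www/firefox
"""

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
CVE_RE = re.compile(r"^\s+CVE: (CVE-\d{4}-\d+)$")
WWW_RE = re.compile(r"^\s+WWW: (\S+)$")
STOP_RE = re.compile(r"^make(?:\[(\d+)\])?: stopped in (\S+)$")

def triage(log):
    """Return the originating port and the audit findings in a ports build log."""
    findings, stops, current = [], [], None
    for line in log.splitlines():
        if m := VULN_RE.match(line):
            current = {"package": m[1], "cves": [], "vuxml": None}
            findings.append(current)
        elif current and (m := CVE_RE.match(line)):
            current["cves"].append(m[1])
        elif current and (m := WWW_RE.match(line)):
            current["vuxml"] = m[1]
        elif m := STOP_RE.match(line):
            stops.append((int(m[1] or 0), m[2]))
    origin = None
    if stops:
        # The deepest make level failed first; shallower levels only propagate it.
        _, path = max(stops, key=lambda s: s[0])
        origin = "/".join(path.rstrip("/").split("/")[-2:])
    return {"origin": origin, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
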
Comment 2 Shigeharu TAKENO 2022-05-16 03:44:55 UTC
Try to use www/node16 instead of www/node.