From owner-freebsd-ports@FreeBSD.ORG Wed Apr 14 13:45:33 2004
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Organization: Fillmore Labs GmbH - http://www.fillmore-labs.com/
To: Dirk Meyer
Cc: freebsd-ports@freebsd.org
Date: Wed, 14 Apr 2004 22:45:05 +0200
Message-ID: <407DA2D1.6070408@fillmore-labs.com>
Subject: Re: SA-04:05 single patch && bsd.openssl.mk problem

Dirk Meyer wrote:
> Bjoern A. Zeeb wrote:
>
>> when applying the patch from SA-04:05[1] and re-building changed parts
>> of the base system opensslv.h does not get altered with the update
>> like it did with the commits to the various branches [2].
>
>> bsd.openssl.mk now doing a string compare on p.ex. "0.9.7a-p1" which
>> will fail. Thus ports that set USE_OPENSSL will depend on the
>> openssl package.
>
> Previously the version number alone was checked.
>
>> This logic is broken as the base system is patched and the openssl
>> package is not needed.
>
> But there is no safe way to detect this in your setup.
>
>> What short term solutions are there for people building ports
>>
>> - setting USE_OPENSSL_BASE=yes seems to be a possible workaround
>>   forcing the version of the base system and not the port to be used.
>
> This is the setup I recommend:
> put in /etc/make.conf:
> WITH_OPENSSL_BASE=yes
>
> and no autodetection will take place.
>
>> - would it be possible to make the check in bsd.openssl.mk somehow
>>   more intelligent to better detect a patched version ?
>
> There is no safe way in this case.
> If I could not detect 0.9.7a-p1, I will assume an outdated base.

What's the point of all this autodetection anyway? It gives you a false sense
of security, since it catches only the first vulnerability (in the base), but
will happily accept any further vulnerable version installed from ports. I
assume it is appropriate to issue a warning if a vulnerable version is used
(from the base or from ports), but I do not see the benefits of the
semi-automatic dependency.

How about making USE_OPENSSL_BASE=yes the default if the base has an OpenSSL
version, and rely on the user to install OpenSSL from ports (and recompile
all affected ports)?

-Oliver
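The version check the thread argues about, written out as an added POSIX sh illustration that is not the actual logic of bsd.openssl.mk (whose internals the thread does not show). The two OPENSSL_VERSION_TEXT lines, the REQUIRED_BASE_VERSION value and the function names are constructed for this example. It shows why an exact string compare on "0.9.7a-p1" treats a base fixed by the single patch (opensslv.h still saying "0.9.7a") as outdated, and how the WITH_OPENSSL_BASE override from /etc/make.conf bypasses the autodetection entirely:

```shell
#!/bin/sh
# Added illustration, not the logic of bsd.openssl.mk itself: decide whether the
# base-system OpenSSL counts as current, using the OPENSSL_VERSION_TEXT line
# from opensslv.h and an optional WITH_OPENSSL_BASE override.

# Constructed header lines. The first models what the single SA-04:05 patch
# leaves behind (opensslv.h untouched); the second models a branch commit that
# also bumped the version text.
HEADER_UNPATCHED_TEXT='#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7a 19 Feb 2003"'
HEADER_BUMPED_TEXT='#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7a-p1 19 Feb 2003"'

# Version token the check expects to see once the base is considered fixed
REQUIRED_BASE_VERSION="0.9.7a-p1"

# Pull the version token (e.g. "0.9.7a-p1") out of an OPENSSL_VERSION_TEXT line
openssl_version_from_header() {
    printf '%s\n' "$1" | sed -n 's/.*OPENSSL_VERSION_TEXT "OpenSSL \([^ ]*\).*/\1/p'
}

# Exact string compare, as the thread describes: anything but the expected
# token, including a fixed-but-unbumped "0.9.7a", reads as an outdated base.
base_version_matches() {
    [ "$(openssl_version_from_header "$1")" = "$REQUIRED_BASE_VERSION" ]
}

# Print "base" to use the base system's OpenSSL or "port" to depend on the
# openssl port. $1 is the header line, $2 the WITH_OPENSSL_BASE value from
# /etc/make.conf (empty when unset).
choose_openssl() {
    header_line=$1
    with_openssl_base=${2:-}
    if [ -n "$with_openssl_base" ]; then
        # Explicit override: no autodetection takes place
        echo base
    elif base_version_matches "$header_line"; then
        echo base
    else
        echo port
    fi
}

# Stand-alone run: show all three outcomes
choose_openssl "$HEADER_UNPATCHED_TEXT"
choose_openssl "$HEADER_BUMPED_TEXT"
choose_openssl "$HEADER_UNPATCHED_TEXT" yes
```

The example also makes the limits visible: a header that was never bumped cannot tell the check whether the code behind it was patched (Dirk's point), and a header that does match says nothing about an OpenSSL installed from ports (Oliver's point), so the override, not smarter parsing, is what actually settles the outcome.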