From owner-freebsd-security@FreeBSD.ORG Sun Apr 27 17:00:17 2014
Date: Sun, 27 Apr 2014 11:54:10 -0500
From: Leif Pedersen
To: Paul Hoffman
Cc: freebsd-security@freebsd.org
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>
List-Id: "Security issues [members-only posting]"

I realized that we don't really need any extravagance from ld at all. Move the
files for the base version of openssl to a different location, and replace them
with symlinks. Then when installing the port/pkg, change those symlinks to point
to the newly installed version. Include an uninstall script to put them back.
It's kind of like how having multiple versions of perl installed works.

This would also fix the problem that if you have both installed then which
openssl executables you get depends on $PATH.

Thoughts?

On 2014-04-27 11:36 AM, "Leif Pedersen" wrote:

> With respect that there are valid reasons to have port build options, I
> kind of hate them. You can't choose them with pkg, and if you pick the
> wrong one changing it later is a fragile process, and there's no indication
> if a dependency needs options set a particular way.
>
> I'm not bashing the necessary ones, just agonizing against adding more
> unless it's *really* necessary.
>
> Are there any ld tricks one could use to make everything use
> /usr/local/lib/openssl or /usr/lib/openssl at runtime, system wide,
> including base tools? Or are the ABIs different? Then ports could always
> build against the base version all the time, and you could switch the whole
> system cleanly to the ported version when needed.
>
> It seems to me that picking one or the other per port is never desirable
> and means base tools cannot use an upgraded version. Such a strategy would
> fix that, if it's possible. But I admit I'm not an ld expert.
>
> Is this strategy possible?
>
> On 2014-04-27 10:52 AM, "Paul Hoffman" wrote:
>
>> On Apr 27, 2014, at 8:08 AM, Jamie Landeg-Jones wrote:
>>
>> > Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
>> > build against the port if it's installed?
>>
>> Yes, that is a reasonable expectation. I certainly had it in my head when
>> I rebuilt Sendmail+TLS after heartbleed, but I didn't think of checking it.
>>
>> > I realise this isn't always possible to test, especially if the port
>> > Makefile doesn't have any OpenSSL configuration options, but I'd like to
>> > hear others' opinions on the matter.
>>
>> It would be good to add such options to as many ports as possible if it
>> can be done cleanly.
>>
>> Also, note that this is not bashing on OpenSSL: given their new
>> significant funding, I would certainly expect the OpenSSL project to be
>> finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It
>> is basically impossible to fix such a bug without bad actors being able to
>> determine and exploit some of the fixes in unpatched systems.
>>
>> --Paul Hoffman
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
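The symlink-switching scheme proposed at the top of this message, as an added example that is not code from the thread or from FreeBSD: the file list, the stash directory and the ROOT prefix are assumptions. It only verifies that every target file exists before repointing anything; it does not settle the ABI question the thread leaves open.

```shell
#!/bin/sh
# Added example, not code from the thread: a sketch of the "base OpenSSL moved
# aside, symlinks repointed on port install/uninstall" proposal. The file list
# and the stash directory are assumptions; ROOT prefixes every path so the
# functions can be exercised on a scratch tree instead of a live system.
set -eu

ROOT="${ROOT:-}"                                     # "" = live system (assumption)
ITEMS="bin/openssl lib/libssl.so lib/libcrypto.so"   # assumed base file set
STASH_REL=/usr/libexec/openssl-base                  # where base copies go (assumption)

# One-time step: move each base file into the stash and leave a symlink behind.
openssl_stash_base() {
    for f in $ITEMS; do
        src="$ROOT/usr/$f"; dst="$ROOT$STASH_REL/$f"
        [ -L "$src" ] && continue                    # already converted
        [ -e "$src" ] || { echo "missing $src" >&2; return 1; }
        mkdir -p "$(dirname "$dst")"
        mv "$src" "$dst"
        ln -s "$dst" "$src"
    done
}

# Repoint every symlink at TARGET. All target files are checked first so a
# partial port install cannot leave the system with dangling libraries, and
# each link is replaced by rename(2) so there is never a moment without one.
openssl_switch() {
    target="$1"
    for f in $ITEMS; do
        [ -e "$target/$f" ] || { echo "refusing: $target/$f absent" >&2; return 1; }
        [ -L "$ROOT/usr/$f" ] || { echo "$ROOT/usr/$f is not a symlink" >&2; return 1; }
    done
    for f in $ITEMS; do
        link="$ROOT/usr/$f"
        rm -f "$link.tmp"
        ln -s "$target/$f" "$link.tmp"
        mv -f "$link.tmp" "$link"
    done
}

openssl_use_ports() { openssl_switch "$ROOT/usr/local"; }   # port installed
openssl_use_base()  { openssl_switch "$ROOT$STASH_REL"; }   # port removed
openssl_current()   { readlink "$ROOT/usr/bin/openssl"; }   # which tree is live

case "${1:-}" in
    stash) openssl_stash_base ;;
    ports) openssl_use_ports ;;
    base)  openssl_use_base ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Run with `stash` once on a fresh system, then `ports` or `base` from the port's post-install and deinstall scripts.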