From owner-freebsd-security@FreeBSD.ORG Sun Apr 27 22:50:07 2014
From: Jamie Landeg-Jones
Message-Id: <201404272250.s3RMo2NZ095771@catnip.dyslexicfish.net>
Date: Sun, 27 Apr 2014 23:50:02 +0100
To: swhetzel@gmail.com, jamie@dyslexicfish.net
Cc: freebsd-security@freebsd.org
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>

Scot Hetzel wrote:

> The port should use the OpenSSL port if it is installed, unless the
> port sets one of these variables in its Makefile:
>
> WITH_OPENSSL_BASE
> USE_OPENSSL_BASE
>
> The port shouldn't be setting these variables.

Thanks. As I expected.

> Do you have a list of which ports used the OpenSSL from base, instead
> of the installed OpenSSL port?
> Could you check if they set these variables.

Well, I can only check the ones I have installed. Here's a list of some
that link against /lib/libcrypto.so.7 and/or /lib/libssl.so.7, retrieved
using the following command:

# grep -EaHlr -D skip 'libssl\.so\.7|libcrypto\.so\.7' /usr/local | awk '{print "pkg which -oq " $1}' | sh | sort | uniq

[ N.B. 'grep -r' follows symlinks. You'd need to use 'find ... | grep ...'
instead to be more bulletproof ]

devel/android-tools-adb
net-p2p/transmission-cli
net-p2p/transmission-daemon
net/socat
net/svnup
ports-mgmt/pkg
security/john
security/scrypt
security/trousers
sysutils/tarsnap

Again, as expected, none of these contain references to WITH_OPENSSL_BASE
or USE_OPENSSL_BASE, though I do get some ld conflict warnings in some
cases (e.g. when linking to libcurl, which does do the right thing).

> This is more of a ports issue, than a security issue.
>
> Post the list of affected ports to ports@, and/or submit PRs to
> correct them.

I wanted to discuss the issue and make the security community aware before
discussing actual changes with @ports. As I said, there could be security
implications if someone thinks a patched previously vulnerable openssl port
has secured all of their other ports.

Also, it's not reliably possible to check which ports are affected without
at least downloading the distfile - some of the ports make no reference to
ssl in their ports template.

Cheers, Jamie
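As an added example (not Jamie's command and not anything from the FreeBSD ports tree), the script below implements the "find ... | grep ..." variant suggested in the note above: it walks a prefix without following symlinks, lists the regular files that embed the base-system sonames, and, as a separate step that assumes pkg(8) is installed, maps each hit to a port origin with `pkg which -oq`. The function names, the RUN_SCAN variable and the PREFIX argument are my own choices; the soname pattern and the pkg invocation are the ones from the message.

```shell
#!/bin/sh
# Added example: audit an install prefix for binaries still bound to the
# base-system libssl/libcrypto sonames instead of the OpenSSL port.

# Sonames of the base-system OpenSSL libraries named in the message.
PATTERN='libssl\.so\.7|libcrypto\.so\.7'

# find_base_ssl_users PREFIX
# Print, one per line, regular files under PREFIX whose contents reference
# the base sonames. 'find -type f' without -L tests the entry itself, so
# symlinks (e.g. /usr/local/lib links back into /lib) are never followed,
# which is the weakness of 'grep -r' the message points out. grep -a treats
# ELF objects as text so matches inside binaries are reported; grep exits 1
# when a batch has no match, and the trailing sort absorbs that status.
find_base_ssl_users() {
    prefix="${1:-/usr/local}"
    find "$prefix" -type f -exec grep -Eal "$PATTERN" {} + | sort
}

# ports_using_base_ssl PREFIX
# Map each affected file to the port origin that owns it. Requires pkg(8),
# so this step only runs on a FreeBSD host with the package database.
ports_using_base_ssl() {
    find_base_ssl_users "$1" | while IFS= read -r f; do
        pkg which -oq "$f"
    done | sort -u
}

# Stand-alone usage (hypothetical convention): RUN_SCAN=1 sh scan.sh [PREFIX]
if [ "${RUN_SCAN:-0}" = 1 ]; then
    ports_using_base_ssl "${1:-/usr/local}"
fi
```

Because the scan matches the soname string rather than parsing DT_NEEDED entries, a file that merely mentions the string (a script, a man page) will also be listed; the pkg mapping step then tells you which port to inspect, and a dynamic-linker listing of that binary settles whether it is really bound to the base library.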