Date: Mon, 08 Aug 2016 08:31:54 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 211656] security/libressl builds arc4random in static libraries (its in libc.a)
Message-ID: <bug-211656-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211656

            Bug ID: 211656
           Summary: security/libressl builds arc4random in static libraries (its in libc.a)
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: brnrd@freebsd.org
          Reporter: dewayne@heuristicsystems.com.au
             Flags: maintainer-feedback?(brnrd@freebsd.org)

A convoluted path, but our destination is that libcrypto.a via libressl on 10.3 Stable "r303712M: Thu Aug 4", generates the following errors when building ports-mgmt/pkg specifically pkg-static.

# ar -t /usr/local/lib/libcrypto.a | grep arc4
arc4random.o    # <= THIS IS THE PROBLEM
arc4random_uniform.o

which conflicts with (note this is libc)

# ar -t /usr/lib/libc.a | grep arc4
arc4random.o

If a user chooses to confuse their builds by having /usr/lib/libcrypto.a (via base openssl) with /usr/local/lib/libcrypto.a (via libressl port), then they won't notice the problem. However, I like a build to be self-consistent (use one or the other) which is how I detected the error.

The base openssl (/usr/lib/libcrypto.a does not have arc4random) of course.
[Aside, neither does the security/openssl port]

So checking further, I note that libressl 2.3.7 differs from 2.3.6 by

# diff -urN libressl-2.3.6/configure libressl-2.3.7/configure
--- libressl-2.3.6/configure 2016-06-07 22:17:41.000000000 +1000 +++ libressl-2.3.7/configure 2016-08-01 09:03:14.000000000 +1000 ... - VERSION=3D'2.3.6' + VERSION=3D'2.3.7' cat >>confdefs.h <<_ACEOF 
@@ -13232,7 +13232,7 @@ # Override arc4random_buf implementations with known issues - if test "x$USE_BUILTIN_ARC4RANDOM" !=3D yes \ + if test "x$USE_BUILTIN_ARC4RANDOM" !=3D xyes \ -a "x$ac_cv_func_arc4random_buf" =3D xyes; then ...

Though this may simply be a red herring (distracting & irrelevant).

Unfortunately libressl does build arc4random in its static lib, which it shouldn't be doing, per
/var/ports/usr/ports/security/libressl/work/libressl-2.3.7/configure
...
        *freebsd*)
                HOST_OS=freebsd
                HOST_ABI=elf
                # fork detection missing, weak seed on failure
                # https://svnweb.freebsd.org/base/head/lib/libc/gen/arc4random.c?revision=268642&view=markup
                USE_BUILTIN_ARC4RANDOM=yes
                PROG_LDADD='-lthr'
...

Any assistance appreciated.

-- 
You are receiving this mail because:
You are the assignee for the bug.
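
Review bot: in the hunk at configure line 13232, the removed test compared "x$USE_BUILTIN_ARC4RANDOM" against a bare yes, which can never match because the left side always carries the x prefix, so the flag had no effect on this condition until the xyes form was introduced. That makes this a behaviour change rather than a typo fix for every host case that sets the flag, and the configure excerpt quoted later in the report shows the *freebsd*) case setting USE_BUILTIN_ARC4RANDOM=yes. The change should be called out in the release notes, and the static libcrypto.a should be link-tested against libc.a on those hosts, since the report shows both archives carrying an arc4random.o. As a style point on the same lines, the two clauses joined with -a inside one test would be more robust as two test commands joined with &&.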
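
The ar -t listings in the report compare archive member names. The following added example (not part of the original report or of either project) compares the global symbols that two static archives define, which is the level at which a static link reports duplicates. It assumes listings produced with nm -A --defined-only in the layout archive:member:address TYPE name; the sample listings are constructed, and dup_symbols and make_samples are hypothetical names.

```shell
#!/bin/sh
# Added example: list global symbols that two static archives both define.
# Real input would come from, e.g.:
#   nm -A --defined-only /usr/local/lib/libcrypto.a > libcrypto.nm
#   nm -A --defined-only /usr/lib/libc.a            > libc.nm
# Assumed line layout: archive:member:address TYPE name

# dup_symbols A.nm B.nm -> "symbol member-in-A member-in-B", one per line
dup_symbols() {
    LC_ALL=C awk '
        NF < 3 { next }                      # blank or malformed line
        $(NF-1) !~ /^[TDBR]$/ { next }       # keep strong global definitions only
        {
            n = split($1, part, ":")         # archive:member:address
            member = part[n-1]
        }
        FNR == NR { first[$NF] = member; next }   # first listing: remember owner
        ($NF in first) { print $NF, first[$NF], member }
    ' "$1" "$2" | LC_ALL=C sort
}

# make_samples DIR: write constructed listings (not real nm output) into DIR
make_samples() {
    cat > "$1/libcrypto.nm" <<'EOF'
libcrypto.a:arc4random.o:0000000000000000 T arc4random
libcrypto.a:arc4random.o:0000000000000040 T arc4random_buf
libcrypto.a:arc4random.o:0000000000000000 b rs
libcrypto.a:arc4random_uniform.o:0000000000000000 T arc4random_uniform
libcrypto.a:sha256.o:0000000000000000 T SHA256_Init
EOF
    cat > "$1/libc.nm" <<'EOF'
libc.a:arc4random.o:0000000000000000 T arc4random
libc.a:arc4random.o:0000000000000050 T arc4random_buf
libc.a:arc4random.o:0000000000000090 T arc4random_uniform
libc.a:arc4random.o:0000000000000000 b rs
libc.a:malloc.o:0000000000000000 T malloc
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
dup_symbols "$tmp/libcrypto.nm" "$tmp/libc.nm"
rm -rf "$tmp"
```

Local symbols (lowercase type letters such as the b entries) and weak definitions are skipped, so only strong global definitions present in both listings are reported.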