From owner-freebsd-security@FreeBSD.ORG Mon Jun 1 16:17:44 2015
Date: Mon, 1 Jun 2015 12:17:31 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Don Lewis
cc: freebsd-security@FreeBSD.org
Subject: Re: avoiding base openssl when building ports
In-Reply-To: <201506010138.t511cp2P088983@gw.catspoiler.org>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
On Sun, 31 May 2015, Don Lewis wrote:

> The big culprit turned out to be ftp/curl. Even though WITH_OPENSSL_PORT=yes
> caused it to add the openssl port as a build and run dependency, it was
> silently getting linked to openssl from base. The cause of that problem is
> that the default GSSAPI_BASE option adds -L/usr/lib near the start of
> LDFLAGS, so the linker finds the base openssl libraries instead of the ones
> from the port. I worked around that problem by switching to GSSAPI_NONE,
> though I tested that the other GSSAPI_* options also work correctly. There
> is a sanity check in the Makefile that attempts to catch this conflict, but
> it does not work correctly. See .
My apologies for semi-hijacking your thread, but I am starting to wonder
whether the base Heimdal (and GSSAPI) should be converted to be a private
library. Since I am living in a MIT krb5 world, which is incompatible with
the Heimdal libraries, I end up having some trouble trying to force various
things to be used from base vs. ports. Making the Heimdal in base into
private libraries would "solve" the problem with ftp/curl, but only inasmuch
as it would make the GSSAPI_BASE option useless and require a GSSAPI from
ports.

-Ben
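Two checks of the kind the curl Makefile's sanity check was meant to provide, as an added example (not code from this thread or from the ports tree): the first inspects the -L ordering in LDFLAGS that the quoted message describes, the second an ldd(1) listing of a built binary. The /usr/local/lib prefix is assumed and the ldd sample is constructed.

```shell
# Added example, not from this thread or the ports tree: two sanity checks
# for the symptom described above (a port silently linking base OpenSSL).
# The ports prefix and the ldd(1) sample below are assumed/constructed.

# Exit 0 if -L/usr/lib appears in LDFLAGS before the port library dir
# (or the port dir is absent), i.e. the linker would resolve -lssl from base.
ldflags_base_before_port() {
    flags=$1
    portlib=${2:-/usr/local/lib}   # assumed ports prefix
    base_pos=0; port_pos=0; i=0
    for f in $flags; do
        i=$((i + 1))
        if [ "$f" = "-L/usr/lib" ] && [ "$base_pos" -eq 0 ]; then
            base_pos=$i
        elif [ "$f" = "-L$portlib" ] && [ "$port_pos" -eq 0 ]; then
            port_pos=$i
        fi
    done
    [ "$base_pos" -eq 0 ] && return 1          # base never searched explicitly
    [ "$port_pos" -eq 0 ] && return 0          # no port dir: base wins
    [ "$base_pos" -lt "$port_pos" ]            # conflict iff base comes first
}

# Exit 0 if ldd(1)-style output shows libssl/libcrypto resolving under
# /usr/lib (base) rather than under the port prefix.
ldd_uses_base_ssl() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ "^/usr/lib/" { found = 1 }
        END { exit !found }'
}

# Constructed ldd output for a curl binary that picked up base OpenSSL
SAMPLE_LDD='libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800830000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
        libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)'

if ldflags_base_before_port "-L/usr/lib -L/usr/local/lib -lssl -lcrypto"; then
    echo "LDFLAGS search order would pick base OpenSSL"
fi
if ldd_uses_base_ssl "$SAMPLE_LDD"; then
    echo "binary is linked against base libssl/libcrypto"
fi
```

Run the first check against the LDFLAGS a port's build actually uses (for example from `make -V LDFLAGS` in the port directory) and the second against `ldd` of the installed binary.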