From owner-freebsd-ports@FreeBSD.ORG Thu Sep 25 18:57:55 2014
Delivered-To: freebsd-ports@freebsd.org
Date: Thu, 25 Sep 2014 14:57:53 -0400
In-Reply-To: <54242A0E.6000507@madpilot.net>
References: <54233850.2070807@FreeBSD.org> <54242A0E.6000507@madpilot.net>
Subject: Re: Poudriere Build of pkg_* repos?
From: Rick Miller
To: Guido Falsi
Cc: freebsd-ports, Bryan Drewery
List-Id: Porting software to FreeBSD

On Thu, Sep 25, 2014 at 10:43 AM, Guido Falsi wrote:
> On 09/25/14 14:56, Rick Miller wrote:
> > On Wed, Sep 24, 2014 at 5:32 PM, Bryan Drewery wrote:
> >
> > [ snip ]
> >
> > After creating an 8.4-RELEASE jail and an older, equivalent Ports tree as
> > follows...
> >
> > # poudriere jail -c -j 8_4-amd64 -v 8.4-RELEASE -a amd64
> > # poudriere ports -c -p 8_4-amd64 -m svn+http -B branches/RELEASE_8_4_0
>
> I think you should grab ports with the tag PKG_INSTALL_EOL (-B
> tag/PKG_INSTALL_EOL)
>
> That's the last revision at which the ports tree supported old pkg_tools.
>
> > /usr/local/etc/poudriere.d/8_4-amd64-make.conf:
> >
> > WITHOUT_PKGNG=yes
> > PERL_VERSION=5.14.4
> > OPTIONS_UNSET="X11 GTK2"
> >
> > .if ${.CURDIR:M*/shells/bash}
> > EXTRA_PATCHES+= /distfiles/local-patches/8_4-amd64/bash.patch
> > .endif
> >
> > note: above .if added to the make.conf according to the link provided
> > below
> >
> > Executing poudriere bulk, as follows, results in no packages built due to
> > numerous stage failures subsequently resulting in a bunch of skipped builds
> > due to these failures.
> >
> > # poudriere bulk -j 8_4-amd64 -f $package_file -p 8_4-amd64
> >
> > ===================================================
> > make: don't know how to make stage. Stop
> >
>
> You took ports tagged for 8.4 release, which happened quite some time
> ago, I don't think the ports tree had stage support at the time.
>

Thanks! That put me on the right track and a bash package was built, but
does not appear to have mitigated the vulnerability...
$ foo='() { echo "hi mom"; }' bash -c 'foo'
hi mom

The 4.3.25 patch[1] was downloaded and, with the above changes to the
make.conf, it appears to have applied cleanly according to the Poudriere
logs (note: this patch is the second patch application, bash.patch).

===================================================
===> Patching for bash-4.3.24
===> Applying distribution patches for bash-4.3.24
===> Applying extra patch /distfiles/local-patches/8_4-amd64/bash.patch
===> Applying extra patch /usr/ports/shells/bash/files/extrapatch-colonbreakswords
===> Applying extra patch /usr/ports/shells/bash/files/extrapatch-implicitcd
===> Applying FreeBSD patches for bash-4.3.24
===========================================================================

The first sign that something didn't appear to have gone as expected was
that the package was built as bash-4.3.24.tbz as opposed to bash-4.3.25.tbz.
The above test was executed, observing the behavior of a still-vulnerable
binary. The test was performed on an 8.4 host with an [unpatched]
bash-4.3.24 after forcefully removing the package and adding the new,
patched package. It complained of dependencies on packages that were
already installed, but not up to the version of the dependency. After
manually fixing these dependencies (forcefully deleting the existing
dependencies and installing the new ones), the test was executed once
again with the same results.

Could this be an issue of the order the patches were applied in, or ??

[1] http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

--
Take care
Rick Miller
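A check worth keeping beside this thread, added here as an example and not
part of the original message or of the bash port: the `foo='() { ... }' bash
-c foo` probe above exercises bash's import of exported functions from the
environment, which bash43-025 deliberately leaves in place. That patch fixes
CVE-2014-6271 by stopping bash from executing whatever follows the function
body; the import itself was only disabled for bare-name variables later, when
bash43-027 changed the export encoding to `BASH_FUNC_name%%`. So "hi mom" still
prints on a correctly patched 4.3.25, and the probe says nothing about whether
the patch landed. The script below separates the three behaviours. It assumes
a bash binary on PATH or passed as the first argument (the `bash` default is an
assumption); the environment strings are constructed for the test.

```shell
#!/bin/sh
# Added example: distinguish CVE-2014-6271 trailing-code execution from plain
# function import, which the "hi mom" probe conflates.
# Assumption: the bash under test is "$1", defaulting to "bash" on PATH.

# 1. CVE-2014-6271: code after the exported function body is executed while
#    the environment is imported. bash43-025 fixes this; a patched bash prints
#    only "test" (possibly with a warning on stderr, which is discarded here).
check_cve_2014_6271() {
    b=${1:-bash}
    out=$(env x='() { :;}; echo vulnerable' "$b" -c 'echo test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# 2. Function import by bare variable name (the "hi mom" probe). bash43-025
#    does not change this: it still prints "hi mom" on 4.3.25. Only bash43-027,
#    which changed the export encoding, makes a plain foo=... variable inert.
check_bare_name_import() {
    b=${1:-bash}
    out=$(env foo='() { echo "hi mom"; }' "$b" -c 'foo' 2>/dev/null) || true
    [ "$out" = "hi mom" ] && echo imported || echo ignored
}

# 3. The post-bash43-027 encoding (BASH_FUNC_name%%). Importing functions this
#    way remains a feature of current bash, so "imported" here is not a finding.
check_encoded_import() {
    b=${1:-bash}
    out=$(env 'BASH_FUNC_foo%%=() { echo "hi mom"; }' "$b" -c 'foo' 2>/dev/null) || true
    [ "$out" = "hi mom" ] && echo imported || echo ignored
}

report() {
    b=${1:-bash}
    printf 'bash: %s (version %s)\n' "$b" "$("$b" -c 'echo "$BASH_VERSION"')"
    printf 'CVE-2014-6271 trailing-code execution:        %s\n' "$(check_cve_2014_6271 "$b")"
    printf 'bare-name function import (pre-bash43-027):   %s\n' "$(check_bare_name_import "$b")"
    printf 'BASH_FUNC_name%%%% function import (current):   %s\n' "$(check_encoded_import "$b")"
}

report "$@"
```

Run it against the jail's binary (for example `sh check.sh /usr/local/bin/bash`
inside the 8.4 jail, or against the bash extracted from the built .tbz). A bash
with only bash43-025 applied reports `patched` on the first line and
`imported` on the second; an unpatched 4.3.24 reports `vulnerable` on the
first. The first line is the one that tells you whether the patch was applied,
whatever the package file name says.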