From owner-freebsd-ports@FreeBSD.ORG Thu Sep 25 22:40:07 2014
Date: Thu, 25 Sep 2014 18:40:04 -0400
References: <54233850.2070807@FreeBSD.org> <54242A0E.6000507@madpilot.net> <54246761.8060405@madpilot.net>
Subject: Re: Poudriere Build of pkg_* repos?
From: Rick Miller
To: Guido Falsi
Cc: freebsd-ports, Bryan Drewery
List-Id: Porting software to FreeBSD

On Thu, Sep 25, 2014 at 5:09 PM, Rick Miller wrote:
>
> On Thu, Sep 25, 2014 at 4:51 PM, Rick Miller wrote:
>
>> On Thu, Sep 25, 2014 at 3:05 PM, Guido Falsi wrote:
>>
>>> On 09/25/14 20:57, Rick Miller wrote:
>>> > On Thu, Sep 25, 2014 at 10:43 AM, Guido Falsi wrote:
>>> > [snip]
>>> >
>>> > ===========================================================================
>>> > ===> Patching for bash-4.3.24
>>> > ===> Applying distribution patches for bash-4.3.24
>>> > ===> Applying extra patch /distfiles/local-patches/8_4-amd64/bash.patch
>>> > ===> Applying extra patch /usr/ports/shells/bash/files/extrapatch-colonbreakswords
>>> > ===> Applying extra patch /usr/ports/shells/bash/files/extrapatch-implicitcd
>>> > ===> Applying FreeBSD patches for bash-4.3.24
>>> > ===========================================================================
>>> >
>>> > The first sign that something didn't appear to have gone as expected was
>>> > that the package was built as bash-4.3.24.tbz as opposed to
>>> > bash-4.3.25.tbz. The above test was executed observing the behavior of a
>>> > still vulnerable binary.
>>>
>>> The way you are applying the patch simply modifies the code being
>>> compiled by the port, you're not patching the port itself, so the port
>>> maintains the same version number.
>>
>> Makes sense
>>
>>> > The test was performed on an 8.4 host with a [unpatched] bash-4.3.24 after
>>> > forcefully removing the package and adding the new, patched package. It
>>> > complained of dependencies on packages that were already installed, but not
>>> > up to the version of the dependency. After manually fixing these
>>> > dependencies (forcefully deleting the existing dependencies and installing
>>> > the new ones), the test was executed once again to the same results.
>>> >
>>> > Could this be an issue of the order the patches were applied in or ??
>>>
>>> You should check the build log and see if in the patching phase there
>>> was any error.
>>
>> The above log snippet is from the patch phase of the build indicating
>> success (well, at least no error). A build with the wrong patch was
>> attempted that did indicate errors, as expected.
>>
>> The full log can be viewed at http://pastebin.com/hwHwJAKK
>>
>> Is there some way in the log to identify if the source was patched and
>> built correctly? Does Poudriere [ I say Poudriere realizing that it likely
>> does not, but perhaps the system does? ] provide the ability to review the
>> source code after patching to actually verify the patch was applied? A
>> cursory search of the filesystem where Poudriere stores the jail turned up
>> no leads.
>
> The patch does apply to evalstring.c which shows the following warnings in
> the build log though I am unfamiliar enough to know whether or not this
> would apply to this particular scenario.
>
> cc -c -DHAVE_CONFIG_H -DSHELL -I. -I.. -I.. -I../include -I../lib -I. -I/usr/local/include -O2 -pipe -fno-strict-aliasing evalstring.c
> evalstring.c: In function 'parse_and_execute':
> evalstring.c:208: warning: passing argument 1 of 'sigemptyset' discards qualifiers from pointer target type
> evalstring.c:209: warning: passing argument 3 of 'sigprocmask' discards qualifiers from pointer target type
> evalstring.c:288: warning: passing argument 2 of 'sigprocmask' discards qualifiers from pointer target type
> evalstring.c: In function 'parse_string':
> evalstring.c:444: warning: passing argument 1 of 'sigemptyset' discards qualifiers from pointer target type
> evalstring.c:445: warning: passing argument 3 of 'sigprocmask' discards qualifiers from pointer target type
> evalstring.c:497: warning: passing argument 2 of 'sigprocmask' discards qualifiers from pointer target type

After reading an extensive thread about this, I was able to "reliably" test
the immediate threat which does mitigate the initial risk. Having said that,
there is ongoing discussion about a more long term solution.

--
Take care
Rick Miller
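The thread's open question is how to tell from a poudriere build log whether the extra patch really went in, and Guido's point is that an extra patch changes the compiled source without changing the port's version string, so the package name alone says nothing. The script below is an added example written for this page, not code from the thread, poudriere or the ports tree. It takes the patch-phase log excerpt quoted above (reconstructed here as a constructed sample file), confirms that every expected "Applying extra patch" line is present, scans for patch(1) failure markers, and reports the version the port actually built so it can be compared with what the admin expected. The patch paths are the ones quoted in the thread; the failure-marker strings are the standard patch(1) messages.

```shell
#!/bin/sh
# Added example (not from the thread): review a ports/poudriere build log for
# evidence that each expected extra patch was applied and that patch(1)
# reported no failures. The sample log below is constructed from the excerpt
# quoted in the thread.

# check_patch_log LOGFILE PATCH [PATCH...]
# Prints one status line per expected patch. Returns 0 only when every
# expected patch has an "===> Applying extra patch <path>" line and the log
# contains no failed-hunk, reject-file or reversed-patch messages.
check_patch_log() {
    log=$1
    shift
    rc=0
    for p in "$@"; do
        if grep -qF "===> Applying extra patch ${p}" "$log"; then
            echo "applied: $p"
        else
            echo "MISSING: $p"
            rc=1
        fi
    done
    # patch(1) failure markers: a hunk that did not apply, a .rej file being
    # written, or a patch that was already present in the source.
    if grep -qE 'Hunk #[0-9]+ failed|saving rejects to|Reversed \(or previously applied\) patch' "$log"; then
        echo "patch errors present in $log"
        rc=1
    fi
    return $rc
}

# patched_version LOGFILE
# Prints the port version string from the "===> Patching for ..." line, e.g.
# bash-4.3.24. An extra patch does not bump this, which is why the package in
# the thread was still named bash-4.3.24 after the source had been patched.
patched_version() {
    sed -n 's/^===> Patching for \(.*\)$/\1/p' "$1" | head -n 1
}

# Constructed sample log, modelled on the patch-phase excerpt in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
===> Patching for bash-4.3.24
===> Applying distribution patches for bash-4.3.24
===> Applying extra patch /distfiles/local-patches/8_4-amd64/bash.patch
===> Applying extra patch /usr/ports/shells/bash/files/extrapatch-colonbreakswords
===> Applying extra patch /usr/ports/shells/bash/files/extrapatch-implicitcd
===> Applying FreeBSD patches for bash-4.3.24
EOF

# Expected: all three patches reported as applied, no errors, rc 0.
check_patch_log "$SAMPLE_LOG" \
    /distfiles/local-patches/8_4-amd64/bash.patch \
    /usr/ports/shells/bash/files/extrapatch-colonbreakswords \
    /usr/ports/shells/bash/files/extrapatch-implicitcd

# Expected: a patch that never appeared in the log is flagged and rc is 1.
check_patch_log "$SAMPLE_LOG" /distfiles/local-patches/8_4-amd64/not-applied.patch \
    || echo "review: at least one expected patch is not in the log"

echo "port built as: $(patched_version "$SAMPLE_LOG")"
```

A clean patch phase only shows that patch(1) accepted the hunks; it does not show that the hunks were the right ones for this source revision. Outside poudriere, the ports framework lets you stop after patching with `make patch` in the port directory and inspect the patched tree under the directory printed by `make -V WRKSRC`, which is the direct way to confirm the changed lines are present before the build proceeds.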