Date:      Mon, 17 Mar 2014 17:40:41 GMT
From:      Horia Racoviceanu <horia@racoviceanu.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/187667: [MAINTAINER] security/libscrypt: proper ssp usage and security improvements
Message-ID:  <201403171740.s2HHefRr011189@cgiserv.freebsd.org>
Resent-Message-ID: <201403171750.s2HHo0mh038331@freefall.freebsd.org>


>Number:         187667
>Category:       ports
>Synopsis:       [MAINTAINER] security/libscrypt: proper ssp usage and security improvements
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 17 17:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Horia Racoviceanu
>Release:        9.2-RELEASE
>Organization:
>Environment:
FreeBSD aitch 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Fri Sep 27 03:52:52 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>Description:

>How-To-Repeat:

>Fix:
- Bump PORTREVISION
- Simulate SSP_NEED_NONSHARED for gcc
- Add stack-protector-all to Options
- Move CC and LIBDIR from REINPLACE to MAKE_ARGS
- Remove duplicate -O2 CFLAGS
- Change strcpy() to strlcpy(), patch from OpenBSD
- Move STRIP_CMD before installing DOCS

Build log:
https://redports.org/buildarchive/20140317173640-60963/

Patch attached with submission follows:

Index: Makefile
===================================================================
--- Makefile	(revision 348426)
+++ Makefile	(working copy)
@@ -3,6 +3,7 @@
 
 PORTNAME=	libscrypt
 PORTVERSION=	1.18
+PORTREVISION=	1
 CATEGORIES=	security
 
 MAINTAINER=	horia@racoviceanu.com
@@ -17,30 +18,48 @@
 GH_TAGNAME=	${GH_COMMIT}
 GH_COMMIT=	35b6894
 
+MAKE_ARGS+=	CC=${CC} LIBDIR=${PREFIX}/lib
+
 PLIST_FILES=	include/libscrypt.h \
 		lib/libscrypt.so \
 		lib/libscrypt.so.0
 
 PORTDOCS=	README.md
+
 OPTIONS_DEFINE=	DOCS
+OPTIONS_DEFAULT=STACKPROTECTOR
 
+OPTIONS_SINGLE=	BUFFER_OVERFLOW_PROTECTION
+OPTIONS_SINGLE_BUFFER_OVERFLOW_PROTECTION=	STACKPROTECTOR STACKPROTECTORALL
+
+STACKPROTECTOR_DESC=	Protect functions with vulnerable objects
+STACKPROTECTORALL_DESC=	Protect all functions
+
 .include <bsd.port.pre.mk>
 
 post-patch:
-	@${REINPLACE_CMD} -e 's|CC?=gcc|CC?=${CC}|; s|CFLAGS?=|CFLAGS+=|; \
-		s|LIBDIR       ?|LIBDIR        |' ${WRKSRC}/Makefile
+	@${REINPLACE_CMD} -e 's|?=-|+=-|; s|-O2 ||' ${WRKSRC}/Makefile
 
-.if ${ARCH} == i386 && ${COMPILER_TYPE} == gcc
-	@${REINPLACE_CMD} -e 's|stack-protector|no-&|' ${WRKSRC}/Makefile
+.if ${PORT_OPTIONS:MSTACKPROTECTORALL}
+	@${REINPLACE_CMD} -e 's|stack-protector|&-all|' ${WRKSRC}/Makefile
 .endif
 
+.if ${ARCH} == i386 && ${COMPILER_TYPE} == gcc && ${OSVERSION} < 1000036
+	@${REINPLACE_CMD} -e 's|-lscrypt|& -lssp_nonshared|; \
+		s|\.version|&,-lssp_nonshared|' ${WRKSRC}/Makefile
+.endif
+
+	@${REINPLACE_CMD} -e \
+		's|strcpy(mcf2, mcf);|strlcpy(mcf2, mcf, SCRYPT_MCF_LEN);|' \
+			${WRKSRC}/main.c
+
 regression-test: build
 	(cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} check)
 
 post-install:
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/${PORTNAME}.so.0
+
 	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR}
 
-	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/${PORTNAME}.so.0
-
 .include <bsd.port.post.mk>
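Review bot: The strcpy() to strlcpy() fix at the end of post-patch is applied with REINPLACE_CMD, so if the exact text `strcpy(mcf2, mcf);` changes upstream the substitution matches nothing, the build still succeeds and the unbounded copy ships unnoticed; carrying the change as a patch file under files/ would make a mismatch fail at the patch stage instead. The replacement also discards strlcpy()'s return value, so an over-long MCF string would be silently truncated and then processed; a check such as `if (strlcpy(mcf2, mcf, SCRYPT_MCF_LEN) >= SCRYPT_MCF_LEN)` leading into the function's error path (main.c is not visible here) would reject it. Whether SCRYPT_MCF_LEN is the real size of mcf2 cannot be confirmed from this hunk and should be checked against main.c. Separately, `CC=${CC}` in MAKE_ARGS is unquoted, so a CC value containing a space would be split into two arguments; `CC="${CC}"` avoids that.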


>Release-Note:
>Audit-Trail:
>Unformatted:


