Date: Sun, 27 Apr 2014 23:50:02 +0100 From: Jamie Landeg-Jones <jamie@dyslexicfish.net> To: swhetzel@gmail.com, jamie@dyslexicfish.net Cc: freebsd-security@freebsd.org Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports Message-ID: <201404272250.s3RMo2NZ095771@catnip.dyslexicfish.net> In-Reply-To: <CACdU%2Bf_Wo6VDcJkn6tmF8MTU49=rnJM7SB6XxofGZVdukSarHA@mail.gmail.com> References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> <CACdU%2Bf_Wo6VDcJkn6tmF8MTU49=rnJM7SB6XxofGZVdukSarHA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Scot Hetzel <swhetzel@gmail.com> wrote:
> The port should use the OpenSSL port if it is installed, unless the
> port sets one of these variables in it's Makefile:
>
> WITH_OPENSSL_BASE
> USE_OPENSSL_BASE
>
> The port shouldn't be setting these variables.
Thanks. As I expected.
> Do you have a list of which ports used the OpenSSL from base, instead
> of the installed OpenSSL port?
> Could you check if they set these variables.
Well, I can only check the ones I have installed. Here's a list of some
that link against /lib/libcrypto.so.7 and/or /lib/libssl.so.7 retrieved
using the following command:
# grep -EaHlr -D skip 'libssl\.so\.7|libcrypto\.so\.7' /usr/local | awk '{print "pkg which -oq " $1}' | sh | sort | uniq
[ N.B. 'grep -r' follows symlinks. You'd need to use 'find ... | grep ...'
instead to be more bulletproof ]
devel/android-tools-adb
net-p2p/transmission-cli
net-p2p/transmission-daemon
net/socat
net/svnup
ports-mgmt/pkg
security/john
security/scrypt
security/trousers
sysutils/tarsnap
Again, as expected, none of these contain references to WITH_OPENSSL_BASE or
USE_OPENSSL_BASE, though I do get some ld conflict warnings in some cases
(e.g. when linking to libcurl, which does do the right thing)
> This is more of a ports issue, than a security issue.
>
> Post the list of affected ports to ports@, and/or submit PRs to
> correct the them.
I wanted to discuss the issue and make aware the security community
before discussing actual changes with @ports
As I said. there could be security implications if someone thinks a
patched previously vulnerable openssl port has secured all of their
other ports.
Also, it's not reliably possible to check which ports are affected
without at least downloading the distfile - some of the ports make no
reference to ssl in their ports template.
Cheers, Jamie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404272250.s3RMo2NZ095771>