ports/66007: [PATCH] bsd.openssl.mk: more consistent security check
Oliver Eikemeier
eikemeier at fillmore-labs.com
Tue Apr 27 00:40:24 UTC 2004
>Number: 66007
>Category: ports
>Synopsis: [PATCH] bsd.openssl.mk: more consistent security check
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 26 17:40:23 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Oliver Eikemeier
>Release: FreeBSD 4.10-STABLE i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.10-STABLE
>Description:
The current security check in bsd.openssl.mk has some deficiencies:
- it installs an OpenSSL port even when that is not necessary or not desired
by the system administrator:
<http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011540.html>
- it is disabled by WITH_OPENSSL_BASE=yes, which is the recommended workaround
for this situation
- it completely ignores vulnerable OpenSSL versions installed from ports,
which makes the check somewhat pointless (why is a vulnerable base more of
a problem than a vulnerable port?)
Either the check should be eliminated or applied consistently to the OpenSSL
version actually used, no matter whether it comes from the base system or a port,
which is what the attached patch does.
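The consistent check the description asks for, written as a POSIX sh script for illustration (an added example, not the PR's patch or FreeBSD's bsd.openssl.mk): it reads OPENSSL_VERSION_TEXT from whichever opensslv.h sits under the include directory a port will build against, using the same awk expression the .mk file uses, and compares it against the three fixed releases the patch lists. The header files, directory names and function names are constructed for this example.

```shell
# Added example (not from the PR): the version check the description asks for,
# as a POSIX sh function that inspects whichever opensslv.h a port will compile
# against rather than only /usr/include. Header files are constructed below.

# Extract the version token from OPENSSL_VERSION_TEXT with the same awk as
# bsd.openssl.mk; in '#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004"'
# the version is the 4th whitespace-separated field.
openssl_version_from_header() {
    awk '/OPENSSL_VERSION_TEXT/ { print $4; exit }' "$1"
}

# Return 0 for the three releases the patch treats as fixed (its exact-match
# allow-list), 1 for anything else.
openssl_version_is_safe() {
    case "$1" in
        0.9.7a-p1|0.9.7c-p1|0.9.7d) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the include directory a port will use (OPENSSLINC in the .mk), print
# "ok <ver>", "vulnerable <ver>" or "missing" on stdout; the patch's warning
# text goes to stderr in the vulnerable case.
check_used_openssl() {
    hdr="$1/openssl/opensslv.h"
    [ -f "$hdr" ] || { echo missing; return 0; }
    ver=$(openssl_version_from_header "$hdr")
    if openssl_version_is_safe "$ver"; then
        echo "ok $ver"
    else
        echo "Dependency warning: used OpenSSL version contains known vulnerabilities" >&2
        echo "vulnerable $ver"
    fi
}

# Constructed sample headers (hypothetical paths): a patched base system and a
# port still on the unpatched 0.9.7c.
make_sample_header() {  # $1 = include dir, $2 = OPENSSL_VERSION_TEXT payload
    mkdir -p "$1/openssl"
    printf '#define OPENSSL_VERSION_TEXT "OpenSSL %s"\n' "$2" > "$1/openssl/opensslv.h"
}
SAMPLE_ROOT=$(mktemp -d)
make_sample_header "$SAMPLE_ROOT/base" "0.9.7c-p1 30 Sep 2003"
make_sample_header "$SAMPLE_ROOT/port" "0.9.7c 30 Sep 2003"

check_used_openssl "$SAMPLE_ROOT/base"   # ok 0.9.7c-p1
check_used_openssl "$SAMPLE_ROOT/port"   # vulnerable 0.9.7c
```

Because the allow-list is exact-match, openssl_version_is_safe also reports a later release such as 0.9.7e as vulnerable, which is the weakness a minimum-version comparison would avoid.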
>How-To-Repeat:
>Fix:
--- Mk/bsd.openssl.mk 8 Apr 2004 10:01:53 -0000 1.15
+++ Mk/bsd.openssl.mk 27 Apr 2004 00:20:50 -0000
@@ -42,19 +42,12 @@
WITH_OPENSSL_PORT=yes
.endif
-# if no preference was set, check for an up to date base version
+# if no preference was set, check for an base version
# but give an installed port preference over it.
.if !defined(WITH_OPENSSL_BASE) && \
!defined(WITH_OPENSSL_BETA) && \
!defined(WITH_OPENSSL_PORT) && \
- !exists(${LOCALBASE}/lib/libcrypto.so) && \
- exists(/usr/include/openssl/opensslv.h)
-# Security: version in base must be 0.9.7d or have fixes
-# http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h
-OPENSSLVER!= ${AWK} '/OPENSSL_VERSION_TEXT/ { print $$4; exit }' \
- /usr/include/openssl/opensslv.h
-# check for safe versions in the base
-.if ${OPENSSLVER} == "0.9.7a-p1" || ${OPENSSLVER} == "0.9.7c-p1" || ${OPENSSLVER} == "0.9.7d"
+ !exists(${LOCALBASE}/lib/libcrypto.so)
WITH_OPENSSL_BASE=yes
.endif
.endif
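Review bot: removing `exists(/usr/include/openssl/opensslv.h)` from the condition means WITH_OPENSSL_BASE=yes is now set whenever no ${LOCALBASE}/lib/libcrypto.so is installed, including on a system whose base has no OpenSSL headers at all, where the old code fell through to the port; keep that exists() test next to `!exists(${LOCALBASE}/lib/libcrypto.so)` so the fallback still works there. The new comment also reads "check for an base version"; "a base version" is meant.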
@@ -136,6 +129,17 @@
MAKE_ENV+= LDFLAGS="${LDFLAGS}"
MAKE_ENV+= OPENSSLLIB=${OPENSSLLIB} OPENSSLINC=${OPENSSLINC} \
OPENSSLBASE=${OPENSSLBASE} OPENSSLDIR=${OPENSSLDIR}
+
+.if exists(${OPENSSLINC}/openssl/opensslv.h)
+# Security: version must be 0.9.7d or have fixes
+# http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h
+OPENSSLVER!= ${AWK} '/OPENSSL_VERSION_TEXT/ { print $$4; exit }' \
+ ${OPENSSLINC}/openssl/opensslv.h
+# check for safe versions
+.if ${OPENSSLVER} != "0.9.7a-p1" && ${OPENSSLVER} != "0.9.7c-p1" && ${OPENSSLVER} != "0.9.7d"
+check-depends::
+ @${ECHO_CMD} "Dependency warning: used OpenSSL version contains known vulnerabilities"
+.endif
### crypto
#RESTRICTED= "Contains cryptography."
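Review bot: the condition `${OPENSSLVER} != "0.9.7a-p1" && ${OPENSSLVER} != "0.9.7c-p1" && ${OPENSSLVER} != "0.9.7d"` is an exact-match allow-list, so every release after 0.9.7d (or a base with a later -pN patch level) will print the "contains known vulnerabilities" warning even though it is fixed; a minimum-version comparison would age better than a list that has to be touched on each OpenSSL release. Also, the added block opens two conditionals (`.if exists(${OPENSSLINC}/openssl/opensslv.h)` and `.if ${OPENSSLVER} != ...`) but only one `.endif` appears in the hunk; unless a line was lost in transit, the outer `.if` is unterminated and make will reject the file.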
>Release-Note:
>Audit-Trail:
>Unformatted: