ports/187667: [MAINTAINER] security/libscrypt: proper ssp usage and security improvements
Horia Racoviceanu
horia at racoviceanu.com
Mon Mar 17 17:50:00 UTC 2014
>Number: 187667
>Category: ports
>Synopsis: [MAINTAINER] security/libscrypt: proper ssp usage and security improvements
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 17 17:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Horia Racoviceanu
>Release: 9.2-RELEASE
>Organization:
>Environment:
FreeBSD aitch 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Fri Sep 27 03:52:52 UTC 2013 root at bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>Description:
>How-To-Repeat:
>Fix:
- Bump PORTREVISION
- Simulate SSP_NEED_NONSHARED for gcc
- Add stack-protector-all to Options
- Move CC and LIBDIR from REINPLACE to MAKE_ARGS
- Remove duplicate -O2 CFLAGS
- Change strcpy() to strlcpy(), patch from OpenBSD
- Move STRIP_CMD before installing DOCS
Build log:
https://redports.org/buildarchive/20140317173640-60963/
Patch attached with submission follows:
Index: Makefile
===================================================================
--- Makefile (revision 348426)
+++ Makefile (working copy)
@@ -3,6 +3,7 @@
PORTNAME= libscrypt
PORTVERSION= 1.18
+PORTREVISION= 1
CATEGORIES= security
MAINTAINER= horia at racoviceanu.com
@@ -17,30 +18,48 @@
GH_TAGNAME= ${GH_COMMIT}
GH_COMMIT= 35b6894
+MAKE_ARGS+= CC=${CC} LIBDIR=${PREFIX}/lib
+
PLIST_FILES= include/libscrypt.h \
lib/libscrypt.so \
lib/libscrypt.so.0
PORTDOCS= README.md
+
OPTIONS_DEFINE= DOCS
+OPTIONS_DEFAULT=STACKPROTECTOR
+OPTIONS_SINGLE= BUFFER_OVERFLOW_PROTECTION
+OPTIONS_SINGLE_BUFFER_OVERFLOW_PROTECTION= STACKPROTECTOR STACKPROTECTORALL
+
+STACKPROTECTOR_DESC= Protect functions with vulnerable objects
+STACKPROTECTORALL_DESC= Protect all functions
+
.include <bsd.port.pre.mk>
post-patch:
- @${REINPLACE_CMD} -e 's|CC?=gcc|CC?=${CC}|; s|CFLAGS?=|CFLAGS+=|; \
- s|LIBDIR ?|LIBDIR |' ${WRKSRC}/Makefile
+ @${REINPLACE_CMD} -e 's|?=-|+=-|; s|-O2 ||' ${WRKSRC}/Makefile
-.if ${ARCH} == i386 && ${COMPILER_TYPE} == gcc
- @${REINPLACE_CMD} -e 's|stack-protector|no-&|' ${WRKSRC}/Makefile
+.if ${PORT_OPTIONS:MSTACKPROTECTORALL}
+ @${REINPLACE_CMD} -e 's|stack-protector|&-all|' ${WRKSRC}/Makefile
.endif
+.if ${ARCH} == i386 && ${COMPILER_TYPE} == gcc && ${OSVERSION} < 1000036
+ @${REINPLACE_CMD} -e 's|-lscrypt|& -lssp_nonshared|; \
+ s|\.version|&,-lssp_nonshared|' ${WRKSRC}/Makefile
+.endif
+
+ @${REINPLACE_CMD} -e \
+ 's|strcpy(mcf2, mcf);|strlcpy(mcf2, mcf, SCRYPT_MCF_LEN);|' \
+ ${WRKSRC}/main.c
+
regression-test: build
(cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} check)
post-install:
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/${PORTNAME}.so.0
+
@${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR}
- ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/${PORTNAME}.so.0
-
.include <bsd.port.post.mk>
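Review bot: The strcpy()-to-strlcpy() change in post-patch is applied with an exact-string `${REINPLACE_CMD}` substitution, which still exits successfully when the pattern no longer matches, so after any upstream edit to that line of main.c the port would build with the unbounded copy and nothing would flag it. Shipping the change as `files/patch-main.c` makes a non-applying patch fail the build; alternatively follow the substitution with `@${GREP} -q 'strlcpy(mcf2, mcf, SCRYPT_MCF_LEN);' ${WRKSRC}/main.c`. The same silent miss applies to the `stack-protector` and `-lssp_nonshared` substitutions earlier in the target, where a failed match would quietly drop the hardening the options promise. The declaration of mcf2 is not visible in this patch, so the SCRYPT_MCF_LEN bound should be confirmed against it, and strlcpy() truncates silently unless its return value is checked.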
>Release-Note:
>Audit-Trail:
>Unformatted: