SA-04:05 single patch && bsd.openssl.mk problem

[Oliver Eikemeier]

Dirk Meyer wrote:
> Bjoern A. Zeeb schrieb:,
> 
>>when applying the patch from SA-04:05[1] and re-building changed parts
>>of the base system  opensslv.h does not get altered with the update
>>like it did with the commits to the various branches [2].
> 
>>bsd.openssl.mk now doing a string compare on p.ex. "0.9.7a-p1" which
>>will fail.  Thus ports that set USE_OPENSSL will depend on the
>>openssl package.
> 
> Previously the version numer alone was checked,
> 
>>This logic is broken as the base system is patched and the openssl
>>package is not needed.
> 
> But there is no safe way to detect this in your setup.
> 
>>What short term solutions are there for people building ports
>>
>>- setting USE_OPENSSL_BASE=yes seems to be a possible workaround
>>  forcing the version of the base system and not the port to be used.
> 
> This is the setup I recommend:
> put in /etc/make.conf:
> WITH_OPENSSL_BASE=yes
> 
> and no autodection will take place.
> 
>>- would it be possible to make the check in bsd.openssl.mk somehow
>>  more intelligent to better detect a patched version ?
> 
> There is no safe way in this case.
> If I could not detect 0.9.7a-p1, I will assume an outdated base.

What's the point of all this autodetection anyway? It gives you a false sense
of security, since it catches only the first vulnerability (in the base), but
will happily accept any further vulnerable version installed from ports.

I asume it is appropriate to issue a warning if a vulnerable version is used
(from the base or from ports), but I do not se the benfits of the semi-automatic
dependency.

How about making USE_OPENSSL_BASE=yes the default if the base has an OpenSSL
version, and rely on the user to install OpenSSL from ports (and recompile all
affected ports)?

-Oliver