Poudriere Build of pkg_* repos?

Rick Miller vmiller at hostileadmin.com
Thu Sep 25 18:57:55 UTC 2014


On Thu, Sep 25, 2014 at 10:43 AM, Guido Falsi <mad at madpilot.net> wrote:

> On 09/25/14 14:56, Rick Miller wrote:
> > On Wed, Sep 24, 2014 at 5:32 PM, Bryan Drewery <bdrewery at freebsd.org>
> wrote:
> >
> [ snip ]
> >
> > After creating an 8.4-RELEASE jail and an older, equivalent Ports tree as
> > follows...
> >
> > # poudriere jail -c -j 8_4-amd64 -v 8.4-RELEASE -a amd64
> > # poudriere ports -c -p 8_4-amd64 -m svn+http -B branches/RELEASE_8_4_0
>
> I think you should grab ports with the tag PKG_INSTALL_EOL (-B
> tag/PKG_INSTALL_EOL)
>
> That's the last revision at which the ports tree supported old pkg_tools.
>
> >
> > /usr/local/etc/poudriere.d/8_4-amd64-make.conf:
> >
> > WITHOUT_PKGNG=yes
> > PERL_VERSION=5.14.4
> > OPTIONS_UNSET="X11 GTK2"
> >
> > .if ${.CURDIR:M*/shells/bash}
> > EXTRA_PATCHES+= /distfiles/local-patches/8_4-amd64/bash.patch
> > .endif
> >
> > note: above .if added to the make.conf according to the link provided
> below
> >
> > Executing poudriere bulk, as follows, results in no packages built due to
> > numerous stage failures subsequently resulting in a bunch of skipped
> builds
> > due to these failures.
> >
> > # poudriere bulk -j 8_4-amd64 -f $package_file -p 8_4-amd64
> >
> > =======================<phase: stage          >============================
> > make: don't know how to make stage. Stop
> >
>
> You took ports tagged for 8.4 release, which happened quite some time
> ago, I don't think the ports tree had stage support at the time.
>


Thanks!  That put me on the right track and a bash package was built, but
does not appear to have mitigated the vulnerability...

$ foo='() { echo "hi mom"; }' bash -c 'foo'
hi mom

The 4.3.25 patch[1] was downloaded and, with the above changes to the
make.conf, it appears to have applied cleanly according to the Poudriere
logs (note: this patch is the second patch application, bash.patch).

=======================<phase: patch          >============================
===>  Patching for bash-4.3.24
===>  Applying distribution patches for bash-4.3.24
===>  Applying extra patch /distfiles/local-patches/8_4-amd64/bash.patch
===>  Applying extra patch
/usr/ports/shells/bash/files/extrapatch-colonbreakswords
===>  Applying extra patch
/usr/ports/shells/bash/files/extrapatch-implicitcd
===>  Applying FreeBSD patches for bash-4.3.24
===========================================================================

The first sign that something didn't appear to have gone as expected was
that the package was built as bash-4.3.24.tbz as opposed to
bash-4.3.25.tbz.  The above test was executed observing the behavior of a
still vulnerable binary.

The test was performed on an 8.4 host with an [unpatched] bash-4.3.24 after
forcefully removing the package and adding the new, patched package.  It
complained of dependencies on packages that were already installed, but not
up to the version of the dependency.  After manually fixing these
dependencies (forcefully deleting the existing dependencies and installing
the new ones), the test was executed once again to the same results.

Could this be an issue of the order the patches were applied in or ??

[1] http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

-- 
Take care
Rick Miller
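Two checks worth running after a rebuild like the one above, added here as an example and not code from the thread: the probe from the message (does bash import function definitions from the environment?) wrapped as a function, and a version-banner check for the 4.3.24 versus 4.3.25 mismatch. The banner layout parsed by `sed` and the constructed sample banner are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.

# Behavioural check, using the probe from the message: a bash that imports
# function definitions from arbitrary environment variables will run "foo"
# and print "hi mom". Returns 0 if bash still imports env functions
# (rebuild did not take effect), 1 if it does not, 2 if no bash is on PATH.
bash_imports_env_functions() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(foo='() { echo "hi mom"; }' bash -c 'foo' 2>/dev/null) || out=""
    [ "$out" = "hi mom" ]
}

# Version check for the build artefact itself: the thread's package came out
# as 4.3.24 although the 4.3.25 patch was expected. Given a "bash --version"
# banner (assumed form: "GNU bash, version 4.3.24(1)-release ..."), require the
# wanted major.minor and at least the wanted patch level.
# Usage: bash_patchlevel_ok "<banner>" 4.3 25
# Returns 0 if ok, 1 if the patch level is too low or the branch differs,
# 2 if the banner could not be parsed.
bash_patchlevel_ok() {
    banner=$1; want_ver=$2; want_patch=$3
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/.*version \([0-9]*\.[0-9]*\)\.\([0-9]*\).*/\1 \2/p' |
          head -n 1)
    [ -n "$ver" ] || return 2
    set -- $ver
    [ "$1" = "$want_ver" ] && [ "$2" -ge "$want_patch" ]
}

# Stand-alone run: report on whatever bash is installed on this host.
if bash_imports_env_functions; then
    echo "bash still imports functions from the environment: rebuild did not take effect"
else
    echo "bash does not import functions from the environment (or bash is absent)"
fi
if command -v bash >/dev/null 2>&1; then
    if bash_patchlevel_ok "$(bash --version 2>/dev/null)" 4.3 25; then
        echo "bash 4.3 reports patch level 25 or later"
    else
        echo "bash is not 4.3 at patch level >= 25 (different branch, older, or unparsed)"
    fi
fi
```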