Poudriere Build of pkg_* repos?

Guido Falsi mad at madpilot.net
Thu Sep 25 19:05:28 UTC 2014


On 09/25/14 20:57, Rick Miller wrote:
> On Thu, Sep 25, 2014 at 10:43 AM, Guido Falsi <mad at madpilot.net> wrote:
> 
>> On 09/25/14 14:56, Rick Miller wrote:
>>> On Wed, Sep 24, 2014 at 5:32 PM, Bryan Drewery <bdrewery at freebsd.org>
>> wrote:
>>>
>> [ snip ]
>>>
>>> After creating an 8.4-RELEASE jail and an older, equivalent Ports tree as
>>> follows...
>>>
>>> # poudriere jail -c -j 8_4-amd64 -v 8.4-RELEASE -a amd64
>>> # poudriere ports -c -p 8_4-amd64 -m svn+http -B branches/RELEASE_8_4_0
>>
>> I think you should grab ports with the tag PKG_INSTALL_EOL (-B
>> tag/PKG_INSTALL_EOL)
>>
>> That's the last revision at which the ports tree supported old pkg_tools.
>>
>>>
>>> /usr/local/etc/poudriere.d/8_4-amd64-make.conf:
>>>
>>> WITHOUT_PKGNG=yes
>>> PERL_VERSION=5.14.4
>>> OPTIONS_UNSET="X11 GTK2"
>>>
>>> .if ${.CURDIR:M*/shells/bash}
>>> EXTRA_PATCHES+= /distfiles/local-patches/8_4-amd64/bash.patch
>>> .endif
>>>
>>> note: above .if added to the make.conf according to the link provided
>> below
>>>
>>> Executing poudriere bulk, as follows, results in no packages built due to
>>> numerous stage failures subsequently resulting in a bunch of skipped
>> builds
>>> due to these failures.
>>>
>>> # poudriere bulk -j 8_4-amd64 -f $package_file -p 8_4-amd64
>>>
>>> =======================<phase: stage
>>> ============================
>>> make: don't know how to make stage. Stop
>>>
>>
>> You took ports tagged for 8.4 release, which happened quite some time
>> ago, I don't think the ports tree had stage support at the time.
>>
> 
> 
> Thanks!  That put me on the right track and a bash package was built, but
> does not appear to have mitigated the vulnerability...
> 
> $ foo='() { echo "hi mom"; }' bash -c 'foo'
> hi mom

I've not studied the vulnerability and can't really help you analyze that.

I don't think the fix is going to completely disable such a construct
though. But as I said I don't know the details right now.

> 
> The 4.3.25 patch[1] was downloaded and, with the above changes to the
> make.conf, it appears to have applied cleanly according to the Poudriere
> logs (note: this patch is the second patch application, bash.patch).
> 
> =======================<phase: patch          >============================
> ===>  Patching for bash-4.3.24
> ===>  Applying distribution patches for bash-4.3.24
> ===>  Applying extra patch /distfiles/local-patches/8_4-amd64/bash.patch
> ===>  Applying extra patch
> /usr/ports/shells/bash/files/extrapatch-colonbreakswords
> ===>  Applying extra patch
> /usr/ports/shells/bash/files/extrapatch-implicitcd
> ===>  Applying FreeBSD patches for bash-4.3.24
> ===========================================================================
> 
> The first sign that something didn't appear to have gone as expected was
> that the package was built as bash-4.3.24.tbz as opposed to
> bash-4.3.25.tbz.  The above test was executed observing the behavior of a
> still vulnerable binary.

The way you are applying the patch simply modifies the code being
compiled by the port, you're not patching the port itself, so the port
maintains the same version number.

> 
> The test was performed on an 8.4 host with a [unpatched] bash-4.3.24 after
> forcefully removing the package and adding the new, patched package.  It
> complained of dependencies on packages that were already installed, but not
> up to the version of the dependency.  After manually fixing these
> dependencies (forcefully deleting the existing dependencies and installing
> the new ones), the test was executed once again to the same results.
> 
> Could this be an issue of the order the patches were applied in or ??

You should check the build log and see if in the patching phase there
was any error.

-- 
Guido Falsi <mad at madpilot.net>
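The two points above (EXTRA_PATCHES leaves the package name at 4.3.24, and the exported-function test alone does not show whether the patch took) can be checked directly on the built binary. This is an added example, not code from the thread; it assumes the usual `bash --version` first-line format and takes the path and minimum patch level as arguments.

```shell
#!/bin/sh
# Added example: verify the patch level a bash package actually shipped,
# independent of the port's version string, and run the thread's
# exported-function test for comparison.

# Extract the numeric patch level from a "bash --version" first line such as
# "GNU bash, version 4.3.25(1)-release (amd64-portbld-freebsd8.4)" (constructed sample).
bash_patchlevel() {
    # $1: version line
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version [0-9]*\.[0-9]*\.\([0-9]*\).*/\1/p'
}

# Return 0 if the version line is at least the wanted patch level, 1 otherwise.
patchlevel_at_least() {
    # $1: version line, $2: minimum patch level
    level=$(bash_patchlevel "$1")
    [ -n "$level" ] && [ "$level" -ge "$2" ]
}

# The test quoted in the thread: does this bash import a function from the
# environment? Exported functions are a feature the fix is not expected to
# remove, so "hi mom" on its own says nothing about whether 4.3.25 was applied.
imports_env_functions() {
    # $1: path to a bash binary
    out=$(foo='() { echo "hi mom"; }' "$1" -c 'foo' 2>/dev/null)
    [ "$out" = "hi mom" ]
}

# Check a binary against a minimum patch level.
# Exit status: 0 = at or above, 1 = below, 2 = binary could not be queried.
check_bash_binary() {
    bin=${1:-bash}; want=${2:-25}
    line=$("$bin" --version 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 2
    if patchlevel_at_least "$line" "$want"; then
        echo "$bin: $line (patch level >= $want, patch applied)"
        return 0
    fi
    echo "$bin: $line (patch level below $want, patch did not take effect)"
    return 1
}

# Example invocation on the 8.4 host from the thread (path is an assumption):
#   check_bash_binary /usr/local/bin/bash 25
#   imports_env_functions /usr/local/bin/bash && echo "env functions still imported"
```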
