Created attachment 230274
Patch against current

Update to v11
- Fix possible NULL pointer dereference in find_by_thp() (262d98f)
- Fix issues reported by shellcheck (3d770c6)
- Make sure keys are created with 0440 mode (81cb455)
- Man page updates (#80)
- Improve FreeBSD support (#73)
- Move signing part out of find_by_thp() and to find_jws()
- CVE-2021-4076 (#81)
Please use upstream release archive instead as suggested by Porters Handbook 5.4.3 "If the distribution file comes from a specific commit or tag on GitHub for which there is _no officially released file_" https://github.com/latchset/tang/releases/download/v11/tang-11.tar.xz
(In reply to Daniel Engberg from comment #1) I'm confused by your comment. The patch was to pull the v11 tag from upstream latchset. What should I have done differently?
When you use USE_GITHUB it'll pull a generated archive instead of a static one (the latter is preferred). It just makes sure we do it in a consistent way in the tree (short version).
https://cgit.freebsd.org/ports/tree/Mk/bsd.sites.mk#n340

In this case you should drop USE_GITHUB (and the variables used for it) and use MASTER_SITES instead. The only exception in general is when the upstream distribution archive isn't usable for some reason.

MASTER_SITES=	https://github.com/latchset/${PORTNAME}/releases/download/v${DISTVERSION}/
USES=		... tar:xz
Created attachment 231034
Updated patch against current
Comment on attachment 231034
Updated patch against current

Thanks for the explanation. I think this new patch should address the concern.
I know people are busy, but this closes a CVE. Is there something additional I need to do to get this committed?
I'll give it a go next week.
I'm sorry for the delay, one of the HDDs in my buildbox died last week and new hardware arrived by the weekend. I'm on this but the box needs a bit of time to transfer data but I'll get to it asap.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=21ea51a6ef6e711990ca91e5000d05a28bba345d

commit 21ea51a6ef6e711990ca91e5000d05a28bba345d
Author:     Howard Holm <hdholm@alumni.iastate.edu>
AuthorDate: 2022-02-09 21:58:10 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2022-02-09 22:06:51 +0000

    security/tang: Update to v11

    Changelog: https://github.com/latchset/tang/releases/tag/v11
    Fixes CVE-2021-4076

    PR:		260574

 security/tang/Makefile  | 11 +++--------
 security/tang/distinfo  |  6 +++---
 security/tang/pkg-plist |  1 +
 3 files changed, 7 insertions(+), 11 deletions(-)
Committed, sorry for the wait. I made a few changes to the port to make portlint happy and fixed some issues.

- Move CATEGORIES entry (portlint)
- USES= meson implies ninja, so there's no need to specify it
  https://cgit-beta.freebsd.org/ports/tree/Mk/Uses/meson.mk#n31
- INSTALL_TARGET= install-strip isn't needed; this is more or less only used (if needed) for projects that use GNU Autotools
- USE_LDCONFIG is only used for shared libraries, which this port doesn't install (portlint). See section "6.3. Shared Libraries" in the Porters Handbook

Best regards,
Daniel
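For readers unfamiliar with the ports framework, here is an added illustration of the two points raised in this thread: fetching the static upstream release archive via MASTER_SITES instead of a GitHub-generated tag archive via USE_GITHUB, and the portlint cleanups listed above. It is an example Makefile written for this page, not the port's Makefile as committed (the commit notification only shows a diffstat). The COMMENT, LICENSE and MAINTAINER values and the commented-out USE_GITHUB block are assumptions for illustration; the MASTER_SITES and USES lines follow comment #1 and the commit discussion above.

```make
# Example port Makefile (added illustration, not the committed security/tang
# Makefile).  Shows the preferred fetch style and the portlint fixes from
# the thread.  COMMENT, LICENSE and MAINTAINER values are assumptions.

PORTNAME=	tang
DISTVERSION=	11
CATEGORIES=	security
# Preferred: the static tarball upstream published for the v11 release.
# Its bytes never change, so the checksum recorded in distinfo stays valid.
# DISTNAME defaults to ${PORTNAME}-${DISTVERSION} = tang-11, matching the
# upstream file name tang-11.tar.xz.
MASTER_SITES=	https://github.com/latchset/${PORTNAME}/releases/download/v${DISTVERSION}/

MAINTAINER=	hdholm@alumni.iastate.edu
COMMENT=	Network-based cryptographic binding server

LICENSE=	GPLv3+

# tar:xz is needed because the upstream archive is .tar.xz.
# USES=meson already pulls in ninja, so "ninja" is not listed here.
USES=		meson pkgconfig tar:xz

# Deliberately absent (portlint points from the commit discussion):
#   USE_LDCONFIG=	yes              # only for ports that install shared libs
#   INSTALL_TARGET=	install-strip    # GNU Autotools idiom, not used by meson
#   USES+=		ninja            # implied by meson

# Not preferred: USE_GITHUB fetches an archive GitHub generates on the fly
# for the tag, which is why comment #1 asked for MASTER_SITES instead.
# Assumed shape of that variant; DISTVERSIONPREFIX makes the default
# GH_TAGNAME resolve to v11.
#DISTVERSIONPREFIX=	v
#USE_GITHUB=	yes
#GH_ACCOUNT=	latchset

.include <bsd.port.mk>
```

After switching fetch styles, `make makesum` must be re-run so distinfo records the checksum and size of the upstream tang-11.tar.xz rather than the generated tag archive; that is the distinfo change visible in the diffstat above.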
Thanks. I noted the changes for future updates. I appreciate the feedback.