Bug 198813

Summary: devel/psptoolchain-binutils: Multiple security vulnerabilities
Product: Ports & Packages Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s) Assignee: Ports Security Team <ports-secteam>
Status: Open ---
Severity: Affects Some People CC: cs, feld, ports-secteam, tphilipp, w.schwarzenfeld
Priority: --- Keywords: needs-patch, security
Version: Latest Flags: bugzilla: maintainer-feedback? (tphilipp)
Hardware: Any
OS: Any

Comment 1 Carlo Strub freebsd_committer 2015-09-14 22:04:51 UTC
Do you have any patches to clean up this port?
Comment 2 Tassilo Philipp 2015-09-15 13:30:06 UTC
Not yet, I've unfortunately not had any time to look into this. Too much going on currently, sorry...

Also, not sure if the importance needs to be set to "affects many people", as I doubt that. This port of binutils is only used for the psptoolchain, there are no other dependencies on it. I don't think a lot of people are actually using this.

But, bigger question: Given that this port is actually a port of an existing patchset against GNU binutils 2.22, adding PSP support, it's a bit of an undertaking to switch to a newer binutils version, because the source patchset hasn't yet. Not sure how to handle this best - fork from the sources and maintain our own, newer version of binutils, or actually just add patches to fix those vulnerabilities?

Input welcome.
Comment 3 Carlo Strub freebsd_committer 2015-09-15 17:14:28 UTC
I think it would be best and safest (for the future) to just link to the binutils port if possible. Given the maintainer seems not very active, feel free to try a port if time permits.
Comment 4 Mark Felder freebsd_committer 2016-01-08 18:00:30 UTC
assigning to ports-secteam
Comment 5 Walter Schwarzenfeld freebsd_triage 2018-01-09 09:41:41 UTC
I am not sure, but
===>   Registering installation for psptoolchain-binutils-2.22_1
Installing psptoolchain-binutils-2.22_1...
===>  Cleaning for psptoolchain-binutils-2.22_1

 sudo pkg audit
0 problem(s) in the installed packages found.

is it fixed?
Comment 6 Tassilo Philipp 2018-01-18 09:48:18 UTC
(In reply to w.schwarzenfeld from comment #5)

Unsure, but I don't think so. I'm still not sure how to best handle this. Ideally this would use binutils > 2.24, but upstream stays on 2.22, as their patches are for that version (the psptoolchain is basically a patchset itself, which is merely ported here).

Also, given this is for building PSP binaries, this is not a security risk to FreeBSD. Maybe that's why pkg audit doesn't show any problems?

The best way, IMHO, is maybe for me to port their stuff to a newer binutils version, then share this work upstream.