Bug 151181 - [patch] remove dependency of security/tor on security/openssl for > 8.1
Summary: [patch] remove dependency of security/tor on security/openssl for > 8.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Brendan Fabeny
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-10-03 23:40 UTC by Pascal Stumpf
Modified: 2011-01-17 18:41 UTC (History)
0 users

See Also:


Attachments
file.diff (753 bytes, patch)
2010-10-03 23:40 UTC, Pascal Stumpf
no flags Details | Diff
commit38_tor.diff (826 bytes, patch)
2010-10-04 10:17 UTC, b. f.
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Pascal Stumpf 2010-10-03 23:40:00 UTC
With the import of OpenSSL 0.9.8n into 8.1-RELEASE and subsequent 8-STABLE, it is no longer necessary to install the security/openssl port for versions >= 8.1.

Note that I had to set --with-openssl-dir="" manually in the patch because I need the OSVERSION variable from <bsd.port.pre.mk> in the conditional, which also assigns OPENSSLBASE based on the stuff that comes before the .include <bsd.port.pre.mk>, so I cannot use that.
Comment 1 Edwin Groothuis freebsd_committer 2010-10-03 23:40:06 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 b. f. 2010-10-04 10:17:39 UTC
On 10/4/10, b. f. <bf1783@googlemail.com> wrote:
> The patch in the PR is wrong, and so is my handling of a similar case
> in security/tor-devel.  I've got an updated patch, which I'll submit
> to you soon, after I try to fix my tinderbox, which keeps bringing my
> machine down.

Well, my @#@%$^$ tinderbox is still crashing in the regression-test
target when building lang/perl5.10.  Anyway, here is a patch that
ought to fix the issue in ports/151181.  The way to use openssl
conditionally is to include bsd.openssl.mk once, and only once, after
deciding whether WITH_OPENSSL_PORT needs to be set.  (This is similar
to other ports that use openssl conditionally, like, for example,
ftp/wget.) Otherwise, if you use the patch originally proposed in the
PR, you bypass safety checks, set a bunch of conflicting variables in
the build environment, prevent users on recent versions of the OS from
using openssl from ports if they want to do so, and fail to add
dependencies on the openssl port on older versions of the OS when the
user hasn't already installed the port beforehand, or defined
WITH_OPENSSL_PORT manually, among other problems.


b.
Comment 3 Pascal Stumpf 2010-10-24 14:43:27 UTC
I think b.f. is right. Since something similar is already up and working 
in tor-devel, can this please be committed as soon as possible?

Cheers,
Pascal
Comment 4 Pascal Stumpf 2010-11-26 19:28:02 UTC
Also, please note that Tor 0.2.1.26 is not compatible to OpenSSL 0.9.8p 
and 1.0.0b (for relays). Updating to 0.2.1.27 is trivial:

--- Makefile.old        2010-11-26 20:25:53.438853946 +0100
+++ Makefile    2010-11-26 20:21:28.561240507 +0100
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=      tor
-DISTVERSION=   0.2.1.26
-PORTREVISION=  2
+DISTVERSION=   0.2.1.27
 CATEGORIES=    security net ipv6
 MASTER_SITES=  http://www.torproject.org/dist/ \
                http://tor.cypherpunks.at/dist/ \
@@ -23,8 +22,6 @@
 GNU_CONFIGURE= yes
 CPPFLAGS+=     -I${LOCALBASE}/include
 CONFIGURE_ENV+=        CPPFLAGS="${CPPFLAGS}"
-USE_OPENSSL=   yes
-WITH_OPENSSL_PORT=     yes
 CONFIGURE_ARGS+=       --with-openssl-dir="${OPENSSLBASE}"
 
 OPTIONS=       BUFFREELISTS "freelists for buffer RAM" on \
@@ -47,6 +44,12 @@
 
 .include <bsd.port.pre.mk>
 
+.if (${OSVERSION} < 801000 || (${OSVERSION} >= 900000 && ${OSVERSION} < 
900011))
+WITH_OPENSSL_PORT=     yes
+.endif
+
+.include "${PORTSDIR}/Mk/bsd.openssl.mk"
+
 .if defined(WITH_BUFFREELISTS)
 CONFIGURE_ARGS+=       --enable-buf-freelists
 .else



--- distinfo.old        2010-05-25 13:29:30.000000000 +0200
+++ distinfo    2010-11-26 20:23:06.991467916 +0100
@@ -1,3 +1,2 @@
-MD5 (tor-0.2.1.26.tar.gz) = f7b30a144e1da41aa43f496bd47ffba7
-SHA256 (tor-0.2.1.26.tar.gz) = 
6cdc60ed0b2e3eb790cbf37741a3c86a004f4f7c6678e25b9b936d6a340c7fa2
-SIZE (tor-0.2.1.26.tar.gz) = 2405749
+SHA256 (tor-0.2.1.27.tar.gz) = 
ec4d5c67231551d5ee3bf6cbccb87fccac3491fbe80f1d3fb778ad6b3d3f661c
+SIZE (tor-0.2.1.27.tar.gz) = 2484332
Comment 5 Pascal Stumpf 2010-12-20 19:19:01 UTC
Update to 0.2.1.28. Security update, remote heap overflow 
(CVE-2010-1676). Maybe even remote code execution, so this is urgent!

--- Makefile.orig       2010-12-20 20:11:22.000000000 +0100
+++ Makefile    2010-12-20 20:13:52.000000000 +0100
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=      tor
-DISTVERSION=   0.2.1.26
-PORTREVISION=  2
+DISTVERSION=   0.2.1.28
 CATEGORIES=    security net ipv6
 MASTER_SITES=  http://www.torproject.org/dist/ \
                http://tor.cypherpunks.at/dist/ \
@@ -23,8 +22,6 @@
 GNU_CONFIGURE= yes
 CPPFLAGS+=     -I${LOCALBASE}/include
 CONFIGURE_ENV+=        CPPFLAGS="${CPPFLAGS}"
-USE_OPENSSL=   yes
-WITH_OPENSSL_PORT=     yes
 CONFIGURE_ARGS+=       --with-openssl-dir="${OPENSSLBASE}"
 
 OPTIONS=       BUFFREELISTS "freelists for buffer RAM" on \
@@ -47,6 +44,12 @@
 
 .include <bsd.port.pre.mk>
 
+.if (${OSVERSION} < 801000 || (${OSVERSION} >= 900000 && ${OSVERSION} < 
900011))
+WITH_OPENSSL_PORT=yes
+.endif
+
+.include "${PORTSDIR}/Mk/bsd.openssl.mk"
+
 .if defined(WITH_BUFFREELISTS)
 CONFIGURE_ARGS+=       --enable-buf-freelists
 .else


--- distinfo.orig       2010-05-25 13:29:30.000000000 +0200
+++ distinfo    2010-12-20 20:14:02.000000000 +0100
@@ -1,3 +1,2 @@
-MD5 (tor-0.2.1.26.tar.gz) = f7b30a144e1da41aa43f496bd47ffba7
-SHA256 (tor-0.2.1.26.tar.gz) = 
6cdc60ed0b2e3eb790cbf37741a3c86a004f4f7c6678e25b9b936d6a340c7fa2
-SIZE (tor-0.2.1.26.tar.gz) = 2405749
+SHA256 (tor-0.2.1.28.tar.gz) = 
fe9756bee3228bf01334f743b7c74dd1edc83e5489f032737ce24eb6bdb19cbf
+SIZE (tor-0.2.1.28.tar.gz) = 2471741
Comment 6 Martin Wilke freebsd_committer 2010-12-21 06:46:45 UTC
Responsible Changed
From-To: miwi->bf

plz take over :-)
Comment 7 dfilter service freebsd_committer 2011-01-01 18:36:06 UTC
bf          2011-01-01 18:36:01 UTC

  FreeBSD ports repository

  Modified files:
    security/tor         Makefile 
  Log:
  - update MASTER_SITES on the basis of distilator results and:
  http://www.torproject.org/getinvolved/mirrors.html.en
  - fix conditional openssl requirements [1] (thanks to Pascal Stumpf
  for raising this issue, and that of CVE 2010-1676)
  
  PR:             151181 [1]
  Approved by:    makc, miwi (mentors, implicit)
  
  Revision  Changes    Path
  1.60      +22 -5     ports/security/tor/Makefile
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 8 Brendan Fabeny freebsd_committer 2011-01-17 18:41:26 UTC
State Changed
From-To: open->closed

Committed, with minor changes. Thanks!