https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503
Do you have any patches to clean up this port?
Not yet, I've unfortunately not had any time to look into this yet. Too much going on currently, sorry... Also, I'm not sure if the importance needs to be set to "affects many people", as I doubt that. This port of binutils is only used for the psptoolchain; there are no other dependencies on it. I don't think a lot of people are actually using this. But, bigger question: given that this port is actually a port of an existing patchset against GNU binutils 2.22, adding PSP support, it's a bit of an undertaking to switch to a newer binutils version, because the source patchset didn't yet. Not sure how to handle this best: fork from the sources and maintain our own, newer version of binutils, or just add patches to fix those vulnerabilities? Input welcome.
I think it would be best and safest (for the future) to just link to the binutils port if possible. Given that the maintainer seems not very active, feel free to try a port if time permits.
assigning to ports-secteam
I am not sure, but:

===> Registering installation for psptoolchain-binutils-2.22_1
Installing psptoolchain-binutils-2.22_1...
===> Cleaning for psptoolchain-binutils-2.22_1

sudo pkg audit
0 problem(s) in the installed packages found.

Is it fixed?
(In reply to w.schwarzenfeld from comment #5) Unsure, but I don't think so. I'm still not sure how to best handle this. Ideally this would use binutils > 2.24, but upstream stays on 2.22, as their patches are for that version (the psptoolchain is basically a patchset itself, which is merely ported here). Also, given this is for building PSP binaries, this is not a security risk to FreeBSD. Maybe that's why pkg audit doesn't show any problems? The best way, IMHO, is maybe for me to port their stuff to a newer binutils version, then share this work upstream. Thoughts?
I qualify this as an upstream problem, so I'd close this PR and reopen it upstream (wherever it is).
Thanks for understanding. I have the same problem of not even knowing what upstream is. The old ps2dev.org went away, and some people seem to run different GitHub repos now, the most likely being https://github.com/pspdev/psptoolchain/ However, there is no clarity IMHO on whether this is the new de facto official place or not; at least I cannot find any mention of ps2dev on there or on the wiki they point to: http://www.darkhaven3.com/psp-dev/wiki/index.php/Main_Page Since this is the most complete/comprehensive, though, let's assume this is upstream. Please let me know if there is something for me to do, or if I can be helpful in any way. Thanks
WWW: http://www.ps2dev.org/ This website was not found. Maintainer: can you please check, is there another website? Otherwise I would suggest deleting the port. /add @rene (portmgr) because of possible deletion of the port, also because of these security vulnerabilities and no new version (website down). joneum (ports-secteam)
(In reply to Jochen Neumeister from comment #9) I don't understand the suggestion to remove the port without taking into account either the discussion above or the fact that none of the sources even depend on www.ps2dev.org. If you want me to change the pkg-descr, I can do that. About the security question, please refer to the discussion above. So, what do you want me to do?
We have a security vulnerability in the port; it was reported in 2015. https://www.freshports.org/devel/psptoolchain-binutils shows me this info: WWW: http://www.ps2dev.org This website is not accessible for me. As ports-secteam I have to make sure that ports with security holes are closed as soon as possible. What can you do as maintainer? If the project has a new website, for example, change this in the port. And preferably a patch/update to finally solve the 2015 security problem. Ports that have a security hole for years that is not closed will be removed from the ports tree. It would be great if we can solve the problem soon :-)
Thank you for the input. I understand your role as a ports-secteam member, but I want to point out that this specific case is a dilemma:

- there are hundreds of ports that have broken URLs in the pkg-descr, so I really do not understand why this plays into security; however, sure, I can update this. It isn't certain whether this site will come back to life or not; I have no control over it.
- I was asking years ago already what to do, as this is an upstream problem, which include, so could you please provide input on this? To sum it up, this is not a security problem for FreeBSD, as it affects the cross-built PSP binaries.
- you suggest "patching" it: yes, I can cherry-pick the security fixes against binutils, but I'm sure that pkg audit will not be happy after this, as it does a mere comparison of the binutils version number.

Believe me, I also would be very happy if this could be sorted soon. I want to, but I either get no, or conflicting, feedback here. I hope this makes sense.
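The thread turns on how pkg audit decides whether an installed package is affected: it matches the package name against the VuXML database and then tests the installed version against the entry's version ranges. The following is an added example, not code from this PR, from pkg(8) or from the FreeBSD ports tree: a small Python model of that matching logic. The VuXML-like entry, its vid, and the "lt 2.25" bound are constructed assumptions for illustration, not the contents of the real database, and the version comparison is simplified (dotted components plus the _REVISION and ,EPOCH suffixes).

```python
import re

# Constructed VuXML-like entries (assumption, not the real FreeBSD VuXML data).
# A real entry lists <name>/<range> pairs under <affects>; only the package
# name and the version range take part in matching.
VUXML_ENTRIES = [
    {
        "vid": "example-binutils-2014",  # assumed identifier
        "cve": ["CVE-2014-8501", "CVE-2014-8502", "CVE-2014-8503"],
        "affects": [
            # The upper bound 2.25 is an assumption for this example.
            {"name": "binutils", "ranges": [{"lt": "2.25"}]},
        ],
    },
]


def _component_key(part):
    # Numeric components compare as integers, alphabetic ones as strings;
    # tagging them keeps the tuples comparable in Python 3.
    return (0, int(part)) if part.isdigit() else (1, part)


def parse_version(version):
    """Turn a FreeBSD package version VERSION[_REVISION][,EPOCH] into a sortable key.

    Simplified relative to pkg(8): dotted components, the PORTREVISION suffix
    ('_N') and the PORTEPOCH suffix (',N') are handled; epoch dominates.
    """
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, revision_str = version.rsplit("_", 1)
        revision = int(revision_str)
    components = tuple(_component_key(p) for p in re.split(r"[.]", version))
    return (epoch, components, revision)


def compare_versions(a, b):
    """Return -1, 0 or 1 (same convention as `pkg version -t`)."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def in_range(version, rng):
    """True when version satisfies every bound of a VuXML <range> (lt/le/gt/ge)."""
    checks = {
        "lt": lambda c: c < 0,
        "le": lambda c: c <= 0,
        "gt": lambda c: c > 0,
        "ge": lambda c: c >= 0,
    }
    return all(checks[op](compare_versions(version, bound)) for op, bound in rng.items())


def split_pkg(pkg):
    """'psptoolchain-binutils-2.22_1' -> ('psptoolchain-binutils', '2.22_1')."""
    name, version = pkg.rsplit("-", 1)
    return name, version


def audit(pkg, entries=VUXML_ENTRIES):
    """Return the vids of entries whose package name matches exactly and whose
    version range contains the installed version (the pkg audit decision)."""
    name, version = split_pkg(pkg)
    hits = []
    for entry in entries:
        for affected in entry["affects"]:
            if affected["name"] != name:
                continue  # a differently named port is never matched, patched or not
            if any(in_range(version, r) for r in affected["ranges"]):
                hits.append(entry["vid"])
                break
    return hits


if __name__ == "__main__":
    for pkg in ("psptoolchain-binutils-2.22_1", "binutils-2.22_1",
                "binutils-2.22_2", "binutils-2.25"):
        print(f"{pkg}: {audit(pkg) or 'no match'}")
```

Two things the model makes visible. First, an entry that names only `binutils` never fires for `psptoolchain-binutils-2.22_1`, so a clean `pkg audit` run says nothing about whether the PSP-targeted binutils carries the fixes; whether the real VuXML entry covers this port name is not something this example can establish. Second, cherry-picking the upstream fixes and bumping PORTREVISION yields `binutils-2.22_2`, which still falls inside an `lt 2.25` range: audit matching is purely by name and version, so a backport is only reflected if the VuXML entry itself is adjusted (or the port moves to a version outside the range).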