Bug 218988 - security/libressl: r439797 broke build in the 2017Q2 branch
Summary: security/libressl: r439797 broke build in the 2017Q2 branch
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Bernard Spil
URL:
Keywords: regression
Duplicates: 219005
Depends on:
Blocks:
 
Reported: 2017-05-01 10:45 UTC by Fabian Keil
Modified: 2017-05-02 21:59 UTC

See Also:
bugzilla: maintainer-feedback? (brnrd)
koobs: merge-quarterly?


Description Fabian Keil 2017-05-01 10:45:42 UTC
r439797 added security/libressl/files/patch-CVE-2017-8301 which doesn't apply cleanly to libressl 2.4.5.
As a result the security/libressl build fails at the patch stage when using the 2017Q2 branch.

Backporting the libressl update to 2.5.3 (r438307) solved the problem for me,
therefore I haven't checked whether or not 2.4.5 is actually affected by
CVE-2017-8301.
Comment 1 Xavier Garcia 2017-05-02 13:47:59 UTC
*** Bug 219005 has been marked as a duplicate of this bug. ***
Comment 2 Xavier Garcia 2017-05-02 13:58:23 UTC
(In reply to Fabian Keil from comment #0)

I understand only 2.5.x is affected according to the following report:

http://seclists.org/oss-sec/2017/q2/145

I manually deleted the patch file in the SVN checkout to rebuild my Poudriere repo.
Comment 3 commit-hook freebsd_committer 2017-05-02 14:32:37 UTC
A commit references this bug:

Author: brnrd
Date: Tue May  2 14:31:54 UTC 2017
New revision: 439948
URL: https://svnweb.freebsd.org/changeset/ports/439948

Log:
  security/libressl: Revert previous commit

   - Big fail on my part, required revert
   - Version 2.4.5 not vulnerable to CVE-2017-8301

  PR:             218988 219005
  Reported by:    Xavier Garcia <vi.garcia@gmail.com>
  Reported by:    Fabian Keil <fk@fabiankeil.de>

  Approved by:    ports-secteam (broken quarterly blanket)

Changes:
  branches/2017Q2/security/libressl/Makefile
  branches/2017Q2/security/libressl/files/patch-CVE-2017-8301
  branches/2017Q2/security/libressl-devel/Makefile
  branches/2017Q2/security/libressl-devel/files/patch-CVE-2017-8301
Comment 4 Bernard Spil freebsd_committer 2017-05-02 14:35:26 UTC
Wow, that was a stellar stupid commit of mine.

Sorry for the inconvenience!

Fabian: Please only mark maintainer-feedback if a patch is attached. Maintainers get automatic notifications when bugs are reported on ports they maintain (see Assignee field).
Comment 5 Fabian Keil 2017-05-02 15:14:47 UTC
I don't remember setting the maintainer-feedback flag and suspect that it was
done automatically, just like the "Assignee" change supposedly done by myself.

Having said that, it's not obvious to me why you think the flag should only be
set for reports that contain patches.

BTW, did you intentionally revert the whole commit including the parts
that affect security/libressl-devel?
Comment 6 Victor 2017-05-02 21:59:54 UTC
Shouldn't the commit only be reverted for security/libressl, but not security/libressl-devel, to which the CVE still applies?