Review a fix for OpenSSL3 CVE
Clemens Lang
cal at macports.org
Wed Nov 2 19:56:38 UTC 2022
On Tue, Nov 01, 2022 at 07:04:40PM +0100, Kirill A. Korinsky via macports-dev wrote:
> The OpenSSL team has released a fix for a CVE that was found:
> https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
>
> May I ask someone to review a PR to fix this CVE?
>
> https://github.com/macports/macports-ports/pull/16545
>
> I think that this CVE should be a reason to merge such a PR ASAP without
> maintainers' confirmation.
I deal with OpenSSL for a living at my day job, so I was aware of this.
November 1st was a public holiday where I live, so I did not spend the
entire day at my desk. I had planned to do the update in the CET evening
hours of November 1st, but your PR beat me to it.
On Tue, Nov 01, 2022 at 04:45:26PM -0400, Daniel J. Luke wrote:
> I don't mind waiting a bit for the maintainer for this one (especially
> since it looks like it's already been approved and merged by the
> maintainer :) ), but the policy that allows waiving maintainer
> permission was intended to specifically cover security issues (i.e. we
> discussed this when creating the policy and decided that point that
> says 'A critical port is broken that affects many users' covered
> security fixes to ports).
This is correct. We have previously merged security fixes without
waiting for the maintainer. This would also have been OK in this
instance.
Speaking of this CVE… we don't actually build with the common set of
security flags in MacPorts, do we? We should probably look into getting
the common set -fstack-protector-strong -fstack-clash-protection -fPIE
(probably not required on modern macOS?) -D_FORTIFY_SOURCE=3
-fcf-protection=full (on x86_64) and maybe -Wl,-bind_at_load
-Wl,-read_only_stubs.
Does anybody have a good overview of what the recommended set of
security compiler flags is on macOS? Quick testing suggests everything
but -fstack-protector-strong and -D_FORTIFY_SOURCE is already on by
default.
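An added example, not code from this thread or from MacPorts: a POSIX shell probe for the two flags the message above says are not on by default on macOS (-fstack-protector-strong and -D_FORTIFY_SOURCE). It compiles a constructed C file with and without them and reports which hardening hooks the resulting object references. It assumes cc and nm on PATH and uses _FORTIFY_SOURCE=2, which older toolchains accept where level 3 needs a recent compiler and libc.

```shell
#!/bin/sh
# Added example, not code from the thread or from MacPorts: probe which of the
# hardening flags discussed above take effect with the local toolchain, by
# compiling a small constructed C file and checking its symbols with nm.
# Assumes cc and nm on PATH. macOS prefixes C symbols with an underscore, so
# the hooks are ___stack_chk_fail / ___memcpy_chk there and __stack_chk_fail /
# __memcpy_chk on Linux; the patterns below match both spellings.

# Write the constructed probe source into directory $1 and print its path:
# a fixed-size stack buffer (so the stack protector inserts a canary) and a
# memcpy whose length is unknown at compile time (so FORTIFY emits __memcpy_chk).
write_probe_src() {
  cat > "$1/probe.c" <<'EOF'
#include <string.h>
extern void consume(char *p);   /* keeps buf alive so it is not optimised away */
void copy(const char *src, unsigned n) {
    char buf[64];
    memcpy(buf, src, n);        /* n not constant -> checked variant under FORTIFY */
    consume(buf);
}
EOF
  echo "$1/probe.c"
}

# Print "yes" if compiling $2 with CFLAGS $1 yields an object referencing $3, else "no".
probe_symbol() {
  _flags=$1; _src=$2; _sym=$3
  _obj="${_src%.c}.o"
  rm -f "$_obj"
  # -c: only the object file is needed; linking is irrelevant to this check.
  if cc $_flags -c -o "$_obj" "$_src" 2>/dev/null && nm "$_obj" | grep -q "$_sym"; then
    echo yes
  else
    echo no
  fi
}

# Print one "feature=yes|no" line per hardening feature for the given CFLAGS.
hardening_report() {
  _dir=$(mktemp -d) || return 1
  _src=$(write_probe_src "$_dir")
  echo "stack-protector=$(probe_symbol "$1" "$_src" '_stack_chk_fail')"
  echo "fortify=$(probe_symbol "$1" "$_src" '_memcpy_chk')"
  rm -rf "$_dir"
}

echo "default flags:";  hardening_report ""
echo "hardened flags:"; hardening_report "-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
```

Comparing the two reports shows which of the two features the toolchain already enables without being asked; a "no" under the default flags is exactly the gap the message is asking about.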