Review a fix for OpenSSL3 CVE

Marius Schamschula lists at schamschula.com
Wed Nov 2 21:20:13 UTC 2022


> 
> On Nov 2, 2022, at 2:56 PM, Clemens Lang <cal at macports.org> wrote:
> 
> On Tue, Nov 01, 2022 at 07:04:40PM +0100, Kirill A. Korinsky via macports-dev wrote:
>> OpenSSL team released a fix for found CVE:
>> https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
>> 
>> 
>> May I ask someone to review a PR to fix this CVE?
>> 
>> https://github.com/macports/macports-ports/pull/16545
>> 
>> I think that this CVE should be a reason to merge such PR ASAP without
>> maintainers confirmation.
> 
> I deal with OpenSSL for a living at my day job, so I was aware of this.
> 
> November 1st was a public holiday where I live, so I did not spend the
> entire day at my desk. I had planned to do the update in the CET evening
> hours of November 1st, but your PR beat me to it.
> 
> 
> On Tue, Nov 01, 2022 at 04:45:26PM -0400, Daniel J. Luke wrote:
>> I don't mind waiting a bit for the maintainer for this one (especially
>> since it looks like it's already been approved and merged by the
>> maintainer :) ), but the policy that allows waiving maintainer
>> permission was intended to specifically cover security issues (ie. we
>> discussed this when creating the policy and decided that point that
>> says 'A critical port is broken that affects many users' covered
>> security fixes to ports).
> 
> This is correct. We have previously merged security fixes without
> waiting for the maintainer. This would also have been OK in this
> instance.
> 
> Speaking of this CVE… we don't actually build with the common set of
> security flags in MacPorts, do we? We should probably look into getting
> the common set -fstack-protector-strong -fstack-clash-protection -fPIE
> (probably not required on modern macOS?) -D_FORTIFY_SOURCE=3
> -fcf-protection=full (on x86_64) and maybe -Wl,-bind_at_load
> -Wl,-read_only_stubs.

I’ve been thinking the same thing as I compile packages on my FreeBSD machines and see these flags over and over again.

> Does anybody have a good overview of what the recommended set of
> security compiler flags is on macOS? Quick testing suggests everything
> but -fstack-protector-strong and -D_FORTIFY_SOURCE is already on by
> default.

Marius
--
Marius Schamschula