security/libressl: Fix memory leak and buffer overflow DoS vulnerability
ClosedPublic
Actions

Authored by brnrd on Oct 16 2015, 6:30 AM.

Details

Reviewers

vsevolod
delphij
koobs

Summary

Proposed commit log

security/libressl: Fix memory leak and buffer overflow DoS vulnerability

  * Update to 2.2.4 (fixing vulnerabilities)
  * Create vuxml entry

DiffRevision: https://reviews.freebsd.org/D
Submitted by:	Bernard Spil <brnrd@freebsd.org>
Reviewed_by:	vsevolod (maintainer, mentor), koobs (mentor)
Approved by:	
MFC after:	2015Q4
Security:	CVE-2015-5333, CVE-2015-5334, vuxml

Test Plan

portlint -AC (no change)
poudriere testport

Diff Detail

Repository

rP FreeBSD ports repository

Lint

No Lint Coverage

Unit

No Test Coverage

Build Status

Buildable 778
Build 778: arc lint + arc unit

Event Timeline

brnrd updated this revision to Diff 9443.Oct 16 2015, 6:30 AM

brnrd retitled this revision from to security/libressl: Fix memory leak and buffer overflow DoS vulnerability.

brnrd updated this object.

brnrd edited the test plan for this revision. (Show Details)

brnrd added reviewers: koobs, vsevolod.

The vuxml portion of change looks fine and please go ahead and commit it. Please see my comments in the port part of change.

security/libressl/Makefile
17	Maybe use DOCS instead? (DOCS_DESC can be omitted as the ports infrastructure already provided it).
40	I'd suggest using DOCS here too.

brnrd marked 2 inline comments as done.Oct 16 2015, 7:04 AM

brnrd added inline comments.

security/libressl/Makefile
17	This is implemented just as in security/openssl, in D3585 this seems to be OK.
40	This is implemented just as in security/openssl, in D3585 this seems to be OK.

brnrd edited reviewers, added: delphij; removed: vsevolod, koobs.Oct 16 2015, 7:48 AM

brnrd added reviewers: koobs, vsevolod.Oct 16 2015, 8:12 AM

Minor nits with proposed commit log

The title is longer than the full desc. Do instead:

security/libressl: Update to 2.2.4 (Security Update)

* Update to 2.2.4 

This fixes memory leak and buffer overflow DoS vulnerabilities

Note: the (Security Update) in the first line of commit log is optional. The key point is, first line summarises only what the change does, where the rest of the commit log (after a blank line) can explain the detail, why, how, etc. TLDR: This change just Updates the port to version 2.2.4

MAN changes/additions, and Update distinfo are not mentioned in your itemized changes

@delphij Do you (we/ports-secteam)) prefer both port/vuxml in a single commit, or vuxml before port update?

security/libressl/Makefile
17	Should all manual pages (1,3,x) be conditionally installed under a MAN option? Yes man pages are docs, are are these (the files were talking about) more 'just docs' or more 'man pages'.
37	You can use the new test framework bits for this block
42	Whats the purpose/rationale for this? Does libre have man and man3's backwards? Are man pages duplicate in man/man3? Not mentioned in your itemized changes so we cant know