
security/libressl: Fix memory leak and buffer overflow DoS vulnerability
Closed, Public

Authored by brnrd on Oct 16 2015, 6:30 AM.

Details

Summary

Proposed commit log

security/libressl: Fix memory leak and buffer overflow DoS vulnerability

  * Update to 2.2.4 (fixing vulnerabilities)
  * Create vuxml entry

Differential Revision: https://reviews.freebsd.org/D
Submitted by:	Bernard Spil <brnrd@freebsd.org>
Reviewed by:	vsevolod (maintainer, mentor), koobs (mentor)
Approved by:	
MFC after:	2015Q4
Security:	CVE-2015-5333, CVE-2015-5334, vuxml
Test Plan
  • portlint -AC (no change)
  • poudriere testport

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

brnrd retitled this revision from to security/libressl: Fix memory leak and buffer overflow DoS vulnerability. Oct 16 2015, 6:30 AM
brnrd updated this object.
brnrd edited the test plan for this revision. (Show Details)
brnrd added reviewers: koobs, vsevolod.
brnrd updated this revision to Diff 9443.

The vuxml portion of the change looks fine; please go ahead and commit it. Please see my comments on the port part of the change.

security/libressl/Makefile
17

Maybe use DOCS instead? (DOCS_DESC can be omitted as the ports infrastructure already provides it.)

40

I'd suggest using DOCS here too.

brnrd marked 2 inline comments as done. Oct 16 2015, 7:04 AM
brnrd added inline comments.
security/libressl/Makefile
17

This is implemented just as in security/openssl; in D3585 this seems to be OK.

40

This is implemented just as in security/openssl; in D3585 this seems to be OK.

brnrd edited reviewers, added: delphij; removed: vsevolod, koobs. Oct 16 2015, 7:48 AM
koobs edited edge metadata. Oct 16 2015, 8:30 AM
koobs requested changes to this revision.

Minor nits with proposed commit log

  • The title is longer than the full desc. Do instead:
security/libressl: Update to 2.2.4 (Security Update)

* Update to 2.2.4

This fixes memory leak and buffer overflow DoS vulnerabilities

Note: the (Security Update) in the first line of commit log is optional. The key point is, first line summarises only what the change does, where the rest of the commit log (after a blank line) can explain the detail, why, how, etc. TLDR: This change just Updates the port to version 2.2.4

  • MAN changes/additions and the distinfo update are not mentioned in your itemized changes

@delphij Do you (we/ports-secteam) prefer both port/vuxml in a single commit, or vuxml before port update?

security/libressl/Makefile
17

Should all manual pages (1,3,x) be conditionally installed under a MAN option?

Yes, man pages are docs, but are these (the files we're talking about) more 'just docs' or more 'man pages'?

37

You can use the new test framework bits for this block

42

What's the purpose/rationale for this?

Does libre have man and man3 backwards? Are man pages duplicated in man/man3?

Not mentioned in your itemized changes, so we can't know.

This revision now requires changes to proceed. Oct 16 2015, 8:30 AM
koobs added a comment. Oct 16 2015, 8:31 AM

Oh, this was already committed in rP399426 but wasn't referenced (closed) correctly because Differential Revision wasn't on the last line.

koobs added a comment. Oct 16 2015, 8:35 AM

This was also missing a make validate for vuxml format validation.

brnrd marked 2 inline comments as done. Oct 16 2015, 9:14 AM
In D3916#81246, @koobs wrote:

@delphij Do you (we/ports-secteam)) prefer both port/vuxml in a single commit, or vuxml before port update?

svn commit forces splitting the vuxml commit from the other commit.

koobs edited edge metadata. Oct 16 2015, 9:31 AM
koobs accepted this revision.

Accept because it's been committed. The outstanding changes can go into the next libressl update.

This revision is now accepted and ready to land. Oct 16 2015, 9:31 AM
koobs closed this revision. Oct 16 2015, 9:32 AM