
security/libressl: Fix memory leak and buffer overflow DoS vulnerability
Closed, Public

Authored by brnrd on Oct 16 2015, 6:30 AM.

Details

Summary

Proposed commit log

security/libressl: Fix memory leak and buffer overflow DoS vulnerability

  * Update to 2.2.4 (fixing vulnerabilities)
  * Create vuxml entry

DiffRevision: https://reviews.freebsd.org/D
Submitted by:	Bernard Spil <brnrd@freebsd.org>
Reviewed_by:	vsevolod (maintainer, mentor), koobs (mentor)
Approved by:	
MFC after:	2015Q4
Security:	CVE-2015-5333, CVE-2015-5334, vuxml
Test Plan
  • portlint -AC (no change)
  • poudriere testport

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 778
Build 778: arc lint + arc unit

Event Timeline

brnrd retitled this revision from to security/libressl: Fix memory leak and buffer overflow DoS vulnerability.
brnrd updated this object.
brnrd edited the test plan for this revision.
brnrd added reviewers: koobs, vsevolod.

The vuxml portion of the change looks fine, so please go ahead and commit it. Please see my comments on the port part of the change.

security/libressl/Makefile
17

Maybe use DOCS instead? (DOCS_DESC can be omitted as the ports infrastructure already provided it).

40

I'd suggest using DOCS here too.

brnrd added inline comments.
security/libressl/Makefile
17

This is implemented just as in security/openssl, in D3585 this seems to be OK.

40

This is implemented just as in security/openssl, in D3585 this seems to be OK.

koobs requested changes to this revision. Oct 16 2015, 8:30 AM
koobs edited edge metadata.

Minor nits with proposed commit log

  • The title is longer than the full desc. Do instead:
security/libressl: Update to 2.2.4 (Security Update)

* Update to 2.2.4 

This fixes memory leak and buffer overflow DoS vulnerabilities

Note: the (Security Update) in the first line of commit log is optional. The key point is, first line summarises only what the change does, where the rest of the commit log (after a blank line) can explain the detail, why, how, etc. TLDR: This change just Updates the port to version 2.2.4

  • MAN changes/additions, and Update distinfo are not mentioned in your itemized changes

@delphij Do you (we/ports-secteam) prefer both port/vuxml in a single commit, or vuxml before port update?

security/libressl/Makefile
17

Should all manual pages (1,3,x) be conditionally installed under a MAN option?

Yes, man pages are docs; are these (the files we're talking about) more 'just docs' or more 'man pages'?

37

You can use the new test framework bits for this block

42

What's the purpose/rationale for this?

Does libre have man and man3's backwards? Are man pages duplicate in man/man3?

Not mentioned in your itemized changes, so we can't know.

This revision now requires changes to proceed. Oct 16 2015, 8:30 AM

Oh, this was already committed in rP399426 but wasn't referenced (closed) correctly because Differential Revision wasn't on the last line.

This was also missing a make validate on vuxml format validation

In D3916#81246, @koobs wrote:

@delphij Do you (we/ports-secteam) prefer both port/vuxml in a single commit, or vuxml before port update?

svn commit forces splitting the vuxml commit from the other commit.

koobs edited edge metadata.

Accept because it's been committed. The outstanding changes can go into the next libressl update.

This revision is now accepted and ready to land. Oct 16 2015, 9:31 AM