Page MenuHomeFreeBSD
Differential D3916

security/libressl: Fix memory leak and buffer overflow DoS vulnerability
ClosedPublic
Actions

Authored by brnrd on Oct 16 2015, 6:30 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 5, 5:26 AM
Unknown Object (File)
Fri, Apr 5, 5:25 AM
Unknown Object (File)
Fri, Apr 5, 5:21 AM
Unknown Object (File)
Fri, Mar 29, 12:07 PM
Unknown Object (File)
Feb 7 2024, 10:25 AM
Unknown Object (File)
Dec 28 2023, 1:00 PM
Unknown Object (File)
Dec 28 2023, 12:55 PM
Unknown Object (File)
Dec 25 2023, 3:35 PM
View All 79 Files
Subscribers
delphij

Details

Reviewers
vsevolod
delphij
koobs
Summary

Proposed commit log

security/libressl: Fix memory leak and buffer overflow DoS vulnerability

  * Update to 2.2.4 (fixing vulnerabilities)
  * Create vuxml entry

DiffRevision: https://reviews.freebsd.org/D
Submitted by:	Bernard Spil <brnrd@freebsd.org>
Reviewed_by:	vsevolod (maintainer, mentor), koobs (mentor)
Approved by:	
MFC after:	2015Q4
Security:	CVE-2015-5333, CVE-2015-5334, vuxml
Test Plan
  • portlint -AC (no change)
  • poudriere testport

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 778
Build 778: arc lint + arc unit

Event Timeline

brnrd updated this revision to Diff 9443.Oct 16 2015, 6:30 AM
brnrd retitled this revision from to security/libressl: Fix memory leak and buffer overflow DoS vulnerability.
brnrd updated this object.
brnrd edited the test plan for this revision. (Show Details)
brnrd added reviewers: koobs, vsevolod.
delphij added a subscriber: delphij.Oct 16 2015, 6:48 AM

The vuxml portion of change looks fine and please go ahead and commit it. Please see my comments in the port part of change.

security/libressl/Makefile
17

Maybe use DOCS instead? (DOCS_DESC can be omitted as the ports infrastructure already provided it).

40

I'd suggest using DOCS here too.

brnrd marked 2 inline comments as done.Oct 16 2015, 7:04 AM
brnrd added inline comments.
security/libressl/Makefile
17

This is implemented just as in security/openssl, in D3585 this seems to be OK.

40

This is implemented just as in security/openssl, in D3585 this seems to be OK.

brnrd edited reviewers, added: delphij; removed: vsevolod, koobs.Oct 16 2015, 7:48 AM
brnrd added reviewers: koobs, vsevolod.Oct 16 2015, 8:12 AM
koobs requested changes to this revision.Oct 16 2015, 8:30 AM
koobs edited edge metadata.

Minor nits with proposed commit log

  • The title is longer than the full desc. Do instead:
security/libressl: Update to 2.2.4 (Security Update)

* Update to 2.2.4 

This fixes memory leak and buffer overflow DoS vulnerabilities

Note: the (Security Update) in the first line of commit log is optional. The key point is, first line summarises only what the change does, where the rest of the commit log (after a blank line) can explain the detail, why, how, etc. TLDR: This change just Updates the port to version 2.2.4

  • MAN changes/additions, and Update distinfo are not mentioned in your itemized changes

@delphij Do you (we/ports-secteam)) prefer both port/vuxml in a single commit, or vuxml before port update?

security/libressl/Makefile
17

Should all manual pages (1,3,x) be conditionally installed under a MAN option?

Yes man pages are docs, are are these (the files were talking about) more 'just docs' or more 'man pages'.

37

You can use the new test framework bits for this block

42

Whats the purpose/rationale for this?

Does libre have man and man3's backwards? Are man pages duplicate in man/man3?

Not mentioned in your itemized changes so we cant know

This revision now requires changes to proceed.Oct 16 2015, 8:30 AM
koobs added a comment.Oct 16 2015, 8:31 AM

Oh, this was already committed in rP399426 but wasn't references (closed) correctly because Differential Revision wasn't on the last line

koobs added a comment.Oct 16 2015, 8:35 AM

This was also missing a make validate on vuxml format validation

brnrd marked 2 inline comments as done.Oct 16 2015, 9:14 AM
In D3916#81246, @koobs wrote:

@delphij Do you (we/ports-secteam)) prefer both port/vuxml in a single commit, or vuxml before port update?

svn commit forces splitting the vuxml commit from the other commit.

koobs accepted this revision.Oct 16 2015, 9:31 AM
koobs edited edge metadata.

Accept because its been committed. The outstanding changes can go into the next libressl update

This revision is now accepted and ready to land.Oct 16 2015, 9:31 AM
koobs closed this revision.Oct 16 2015, 9:32 AM

Revision Contents
Changeset List

PathSize
security/
libressl/
13 lines
4 lines
1 line
vuxml/
30 lines

Diff 9443

View Options

security/libressl/Makefile

Loading...
View Options

security/libressl/distinfo

Loading...
View Options

security/libressl/pkg-plist

Loading...
View Options

security/vuxml/vuln.xml

Loading...