From nobody@FreeBSD.org  Sun Oct  3 22:35:25 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E50991065698
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  3 Oct 2010 22:35:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id D31EA8FC21
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  3 Oct 2010 22:35:25 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o93MZPEF025619
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 3 Oct 2010 22:35:25 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o93MZPmD025618;
	Sun, 3 Oct 2010 22:35:25 GMT
	(envelope-from nobody)
Message-Id: <201010032235.o93MZPmD025618@www.freebsd.org>
Date: Sun, 3 Oct 2010 22:35:25 GMT
From: Pascal Stumpf <Pascal.Stumpf@cubes.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] remove dependency of security/tor on security/openssl for > 8.1
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         151181
>Category:       ports
>Synopsis:       [patch] remove dependency of security/tor on security/openssl for > 8.1
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 03 22:40:00 UTC 2010
>Closed-Date:    Mon Jan 17 18:41:27 UTC 2011
>Last-Modified:  Mon Jan 17 18:41:27 UTC 2011
>Originator:     Pascal Stumpf
>Release:        8-STABLE
>Organization:
>Environment:
>Description:
With the import of OpenSSL 0.9.8n into 8.1-RELEASE and subsequent 8-STABLE, it is no longer necessary to install the security/openssl port for versions >= 8.1.

Note that I had to set --with-openssl-dir="" manually in the patch because I need the OSVERSION variable from <bsd.port.pre.mk> in the conditional, which also assigns OPENSSLBASE based on the stuff that comes before the .include <bsd.port.pre.mk>, so I cannot use that.
>How-To-Repeat:

>Fix:
--- Makefile.orig       2010-10-03 23:32:50.000000000 +0200
+++ Makefile    2010-10-04 00:27:11.000000000 +0200
@@ -24,8 +24,6 @@
 CPPFLAGS+=     -I${LOCALBASE}/include
 CONFIGURE_ENV+=        CPPFLAGS="${CPPFLAGS}"
 USE_OPENSSL=   yes
-WITH_OPENSSL_PORT=     yes
-CONFIGURE_ARGS+=       --with-openssl-dir="${OPENSSLBASE}"
 
 OPTIONS=       BUFFREELISTS "freelists for buffer RAM" on \
                GEOIP "track country data" off \
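Review bot: `USE_OPENSSL=   yes` is left above `.include <bsd.port.pre.mk>` while `WITH_OPENSSL_PORT` moves below it. As the description itself notes, the OpenSSL settings are derived at that include from what precedes it, so setting `WITH_OPENSSL_PORT` afterwards comes too late to register the dependency on security/openssl for older releases. Decide `WITH_OPENSSL_PORT` first and only then pull in the OpenSSL handling.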
@@ -47,6 +45,13 @@
 
 .include <bsd.port.pre.mk>
 
+.if ${OSVERSION} <= 800505
+WITH_OPENSSL_PORT=     yes
+CONFIGURE_ARGS+=       --with-openssl-dir="${LOCALBASE}"
+.else
+CONFIGURE_ARGS+=       --with-openssl-dir="/usr"
+.endif
+
 .if defined(WITH_BUFFREELISTS)
 CONFIGURE_ARGS+=       --enable-buf-freelists
 .else
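Review bot: both branches of the new conditional hard-code the prefix (`${LOCALBASE}` and `/usr`) instead of using `${OPENSSLBASE}`, so a user on a newer release who sets `WITH_OPENSSL_PORT` is still pointed at the base library. The `800505` cut-off also has no comment saying which OpenSSL import it marks, and every 9.x OSVERSION falls into the `.else` branch, whereas the later patches in this PR treat 900000 up to 900011 as still needing the port.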


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->miwi 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sun Oct 3 22:40:06 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151181 

From: "b. f." <bf1783@googlemail.com>
To: miwi@freebsd.org
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/151181: [patch] remove dependency of security/tor on
 security/openssl for > 8.1
Date: Mon, 4 Oct 2010 09:17:39 +0000

 --0016e65b4b860a26490491c704c6
 Content-Type: text/plain; charset=ISO-8859-1
 
 On 10/4/10, b. f. <bf1783@googlemail.com> wrote:
 > The patch in the PR is wrong, and so is my handling of a similar case
 > in security/tor-devel.  I've got an updated patch, which I'll submit
 > to you soon, after I try to fix my tinderbox, which keeps bringing my
 > machine down.
 
 Well, my @#@%$^$ tinderbox is still crashing in the regression-test
 target when building lang/perl5.10.  Anyway, here is a patch that
 ought to fix the issue in ports/151181.  The way to use openssl
 conditionally is to include bsd.openssl.mk once, and only once, after
 deciding whether WITH_OPENSSL_PORT needs to be set.  (This is similar
 to other ports that use openssl conditionally, like, for example,
 ftp/wget.) Otherwise, if you use the patch originally proposed in the
 PR, you bypass safety checks, set a bunch of conflicting variables in
 the build environment, prevent users on recent versions of the OS from
 using openssl from ports if they want to do so, and fail to add
 dependencies on the openssl port on older versions of the OS when the
 user hasn't already installed the port beforehand, or defined
 WITH_OPENSSL_PORT manually, among other problems.
 
 
 b.
 
 --0016e65b4b860a26490491c704c6
 Content-Type: application/octet-stream; name="commit38_tor.diff"
 Content-Disposition: attachment; filename="commit38_tor.diff"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: file0
 
 --0016e65b4b860a26490491c704c6--

From: Pascal Stumpf <Pascal.Stumpf@cubes.de>
To: bug-followup@freebsd.org,
 Pascal.Stumpf@cubes.de
Cc:  
Subject: Re: ports/151181: [patch] remove dependency of security/tor on security/openssl for > 8.1
Date: Sun, 24 Oct 2010 15:43:27 +0200

 I think b.f. is right. Since something similar is already up and working 
 in tor-devel, can this please be committed as soon as possible?
 
 Cheers,
 Pascal

From: Pascal Stumpf <Pascal.Stumpf@cubes.de>
To: bug-followup@freebsd.org,
 Pascal.Stumpf@cubes.de
Cc:  
Subject: Re: ports/151181: [patch] remove dependency of security/tor on security/openssl for > 8.1
Date: Fri, 26 Nov 2010 19:28:02 +0000

 Also, please note that Tor 0.2.1.26 is not compatible with OpenSSL 0.9.8p 
 and 1.0.0b (for relays). Updating to 0.2.1.27 is trivial:
 
 --- Makefile.old        2010-11-26 20:25:53.438853946 +0100
 +++ Makefile    2010-11-26 20:21:28.561240507 +0100
 @@ -6,8 +6,7 @@
  #
  
  PORTNAME=      tor
 -DISTVERSION=   0.2.1.26
 -PORTREVISION=  2
 +DISTVERSION=   0.2.1.27
  CATEGORIES=    security net ipv6
  MASTER_SITES=  http://www.torproject.org/dist/ \
                 http://tor.cypherpunks.at/dist/ \
 @@ -23,8 +22,6 @@
  GNU_CONFIGURE= yes
  CPPFLAGS+=     -I${LOCALBASE}/include
  CONFIGURE_ENV+=        CPPFLAGS="${CPPFLAGS}"
 -USE_OPENSSL=   yes
 -WITH_OPENSSL_PORT=     yes
  CONFIGURE_ARGS+=       --with-openssl-dir="${OPENSSLBASE}"
  
  OPTIONS=       BUFFREELISTS "freelists for buffer RAM" on \
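Review bot: `--with-openssl-dir="${OPENSSLBASE}"` stays above `.include <bsd.port.pre.mk>` although the file that defines `OPENSSLBASE` is now included further down. make expands the variable lazily, so this works, but moving the `CONFIGURE_ARGS+=` line below the new bsd.openssl.mk include would make the ordering dependency obvious to the next maintainer.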
 @@ -47,6 +44,12 @@
  
  .include <bsd.port.pre.mk>
  
 +.if (${OSVERSION} < 801000 || (${OSVERSION} >= 900000 && ${OSVERSION} < 
 900011))
 +WITH_OPENSSL_PORT=     yes
 +.endif
 +
 +.include "${PORTSDIR}/Mk/bsd.openssl.mk"
 +
  .if defined(WITH_BUFFREELISTS)
  CONFIGURE_ARGS+=       --enable-buf-freelists
  .else
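Review bot: the added `.if` condition is broken across two lines by mail wrapping, and the continuation `900011))` carries no `+` prefix, so this hunk will not apply as posted; resend it unwrapped or as an attachment. The OSVERSION bounds (801000, 900000, 900011) would also benefit from a one-line comment naming the base OpenSSL version they mark.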
 
 
 
 --- distinfo.old        2010-05-25 13:29:30.000000000 +0200
 +++ distinfo    2010-11-26 20:23:06.991467916 +0100
 @@ -1,3 +1,2 @@
 -MD5 (tor-0.2.1.26.tar.gz) = f7b30a144e1da41aa43f496bd47ffba7
 -SHA256 (tor-0.2.1.26.tar.gz) = 
 6cdc60ed0b2e3eb790cbf37741a3c86a004f4f7c6678e25b9b936d6a340c7fa2
 -SIZE (tor-0.2.1.26.tar.gz) = 2405749
 +SHA256 (tor-0.2.1.27.tar.gz) = 
 ec4d5c67231551d5ee3bf6cbccb87fccac3491fbe80f1d3fb778ad6b3d3f661c
 +SIZE (tor-0.2.1.27.tar.gz) = 2484332
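Review bot: the SHA256 values sit on wrapped continuation lines without a `-` or `+` prefix, so this hunk does not apply as posted either. With the MD5 line dropped, SHA256 becomes the only integrity check on the distfile: regenerate distinfo with `make makesum` and compare the digest against the one upstream publishes before committing, rather than copying it from the mail.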

From: Pascal Stumpf <Pascal.Stumpf@cubes.de>
To: bug-followup@freebsd.org,
 Pascal.Stumpf@cubes.de
Cc:  
Subject: Re: ports/151181: [patch] remove dependency of security/tor on security/openssl for > 8.1
Date: Mon, 20 Dec 2010 20:19:01 +0100

 Update to 0.2.1.28. Security update, remote heap overflow 
 (CVE-2010-1676). Maybe even remote code execution, so this is urgent!
 
 --- Makefile.orig       2010-12-20 20:11:22.000000000 +0100
 +++ Makefile    2010-12-20 20:13:52.000000000 +0100
 @@ -6,8 +6,7 @@
  #
  
  PORTNAME=      tor
 -DISTVERSION=   0.2.1.26
 -PORTREVISION=  2
 +DISTVERSION=   0.2.1.28
  CATEGORIES=    security net ipv6
  MASTER_SITES=  http://www.torproject.org/dist/ \
                 http://tor.cypherpunks.at/dist/ \
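Review bot: nothing accompanying the `DISTVERSION=   0.2.1.28` bump records the vulnerability it fixes; the patch touches only Makefile and distinfo. Add a security/vuxml entry for CVE-2010-1676 covering the affected versions, so that portaudit flags hosts still running the 0.2.1.26 package.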
 @@ -23,8 +22,6 @@
  GNU_CONFIGURE= yes
  CPPFLAGS+=     -I${LOCALBASE}/include
  CONFIGURE_ENV+=        CPPFLAGS="${CPPFLAGS}"
 -USE_OPENSSL=   yes
 -WITH_OPENSSL_PORT=     yes
  CONFIGURE_ARGS+=       --with-openssl-dir="${OPENSSLBASE}"
  
  OPTIONS=       BUFFREELISTS "freelists for buffer RAM" on \
 @@ -47,6 +44,12 @@
  
  .include <bsd.port.pre.mk>
  
 +.if (${OSVERSION} < 801000 || (${OSVERSION} >= 900000 && ${OSVERSION} < 
 900011))
 +WITH_OPENSSL_PORT=yes
 +.endif
 +
 +.include "${PORTSDIR}/Mk/bsd.openssl.mk"
 +
  .if defined(WITH_BUFFREELISTS)
  CONFIGURE_ARGS+=       --enable-buf-freelists
  .else
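Review bot: `WITH_OPENSSL_PORT=yes` is written without the whitespace after `=` that the other assignments in this Makefile use (the 0.2.1.27 patch above had `WITH_OPENSSL_PORT=     yes`); keep it consistent. The `.if` line is mail-wrapped here as well, leaving `900011))` without a `+` prefix.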
 
 
 --- distinfo.orig       2010-05-25 13:29:30.000000000 +0200
 +++ distinfo    2010-12-20 20:14:02.000000000 +0100
 @@ -1,3 +1,2 @@
 -MD5 (tor-0.2.1.26.tar.gz) = f7b30a144e1da41aa43f496bd47ffba7
 -SHA256 (tor-0.2.1.26.tar.gz) = 
 6cdc60ed0b2e3eb790cbf37741a3c86a004f4f7c6678e25b9b936d6a340c7fa2
 -SIZE (tor-0.2.1.26.tar.gz) = 2405749
 +SHA256 (tor-0.2.1.28.tar.gz) = 
 fe9756bee3228bf01334f743b7c74dd1edc83e5489f032737ce24eb6bdb19cbf
 +SIZE (tor-0.2.1.28.tar.gz) = 2471741
Responsible-Changed-From-To: miwi->bf 
Responsible-Changed-By: miwi 
Responsible-Changed-When: Tue Dec 21 06:46:45 UTC 2010 
Responsible-Changed-Why:  
plz take over :-) 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/151181: commit references a PR
Date: Sat,  1 Jan 2011 18:36:06 +0000 (UTC)

 bf          2011-01-01 18:36:01 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/tor         Makefile 
   Log:
   - update MASTER_SITES on the basis of distilator results and:
   http://www.torproject.org/getinvolved/mirrors.html.en
   - fix conditional openssl requirements [1] (thanks to Pascal Stumpf
   for raising this issue, and that of CVE 2010-1676)
   
   PR:             151181 [1]
   Approved by:    makc, miwi (mentors, implicit)
   
   Revision  Changes    Path
   1.60      +22 -5     ports/security/tor/Makefile
 
State-Changed-From-To: open->closed 
State-Changed-By: bf 
State-Changed-When: Mon Jan 17 18:41:26 UTC 2011 
State-Changed-Why:  
Committed, with minor changes. Thanks! 

>Unformatted:
