> 
> On Nov 2, 2022, at 2:56 PM, Clemens Lang <c...@macports.org> wrote:
> 
> On Tue, Nov 01, 2022 at 07:04:40PM +0100, Kirill A. Korinsky via macports-dev 
> wrote:
>> OpenSSL team released a fix for found CVE:
>> https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
>> 
>> 
>> May I ask someone to review a PR to fix this CVE?
>> 
>> https://github.com/macports/macports-ports/pull/16545
>> 
>> I think that this CVE should be a reason to merge such a PR ASAP without
>> maintainers' confirmation.
> 
> I deal with OpenSSL for a living at my day job, so I was aware of this.
> 
> November 1st was a public holiday where I live, so I did not spend the
> entire day at my desk. I had planned to do the update in the CET evening
> hours of November 1st, but your PR beat me to it.
> 
> 
> On Tue, Nov 01, 2022 at 04:45:26PM -0400, Daniel J. Luke wrote:
>> I don't mind waiting a bit for the maintainer for this one (especially
>> since it looks like it's already been approved and merged by the
>> maintainer :) ), but the policy that allows waiving maintainer
>> permission was intended to specifically cover security issues (i.e. we
>> discussed this when creating the policy and decided that the point that
>> says 'A critical port is broken that affects many users' covered
>> security fixes to ports).
> 
> This is correct. We have previously merged security fixes without
> waiting for the maintainer. This would also have been OK in this
> instance.
> 
> Speaking of this CVE… we don't actually build with the common set of
> security flags in MacPorts, do we? We should probably look into getting
> the common set -fstack-protector-strong -fstack-clash-protection -fPIE
> (probably not required on modern macOS?) -D_FORTIFY_SOURCE=3
> -fcf-protection=full (on x86_64) and maybe -Wl,-bind_at_load
> -Wl,-read_only_stubs.

I’ve been thinking the same thing as I compile packages on my FreeBSD machines 
and see these flags over and over again.

> Does anybody have a good overview of what the recommended set of
> security compiler flags is on macOS? Quick testing suggests everything
> but -fstack-protector-strong and -D_FORTIFY_SOURCE is already on by
> default.

Marius
--
Marius Schamschula
