Re: lang/hugs (was: 'avoid W|X mappings in libffi' - MARC)
On Tue, May 24, 2016 at 8:57 PM, Matthias Kilianwrote: > IIRC, I once wrote that the ports tree isn't a software museum, so > instead of trying to fix it, i'd just cimpletely remove it from the > tree, and maybe other ancient haskell implementations (yes, I mean > you, nhc98!). > > I know that I tried to preserve that old shit a year ago (or even > less), but it's just in the way and no longer maintained upstream. bye bye hugs. ok with me for the removal.
Re: lang/hugs (was: 'avoid W|X mappings in libffi' - MARC)
On Tue, May 24, 2016 at 8:57 PM, Matthias Kilianwrote: > IIRC, I once wrote that the ports tree isn't a software museum, so > instead of trying to fix it, i'd just cimpletely remove it from the > tree, and maybe other ancient haskell implementations (yes, I mean > you, nhc98!). Agree, better concentrate on GHC these days and not waste energy on museum stuff which may be run on museum OpenBSD anyway...
Re: [new] devel/cargo
> > "Unlicense" -> "Unlicensed" > > It is "unlicense" - http://unlicense.org/ - it's a bit of a funny > one this, I'm not sure you can actually release something to the > public domain and then try and use a copyright-like warranty > disclaimer..anyway the intent is very clear. Any verbiage after "public domain" is purely advisory. So judge -- either it has absolutely no impact and can be ignored, or the text is dangerous. I cannot decide. I love the misuse of the word detriment. Let me translate it that part of it: "We make this dedication for the benefit of the public at large and to harm our heirs and successors." Awesome!
Re: [new] devel/cargo
On 2016/05/24 19:39, Edd Barrett wrote: > > -sysconfdir=${LOCALBASE}/share/examples/cargo > > Usually syconfdir is /etc, and you use @example in the PLIST to make an > example. This also means the user can edit the config file without > upsetting pkg_delete. This is a bit different though, it's just for the bash-completion file, and doesn't need @sample'ing. But it would be better to install it here: /usr/local/share/bash-completion/completions/ We don't have any infrastructure for loading these completion scripts automatically, but this is where other packages are installing them, so it makes sense to follow suit. > "licence" -> "license"? (although apparently both are correct. I guess > choose one and stick with it). "to license" is the verb, "a licence" is the noun. They work the same way as "advise" and "advice" (which are often easier to remember because in that case, the sound differs). > "Unlicense" -> "Unlicensed" It is "unlicense" - http://unlicense.org/ - it's a bit of a funny one this, I'm not sure you can actually release something to the public domain and then try and use a copyright-like warranty disclaimer..anyway the intent is very clear.
Re: archivers/p7zip: patches for CVE-2016-2334 and CVE-2016-2335
On 2016/05/23 22:03, Josh Grosse wrote: > CVE-2016-2334 and CVE-2016-2335 affect 7zip, with code shared > in p7zip that is installed in /usr/local/lib/p7zip/7z.so. > > Upstream has not yet applied these fixes to code shared with > 7zip. > > Attached are -current, 5.9, and 5.8 patches. I don't have time to handle committing this atm, could somebody take care of it please? OK with me. > Index: Makefile > === > RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v > retrieving revision 1.34 > diff -u -p -r1.34 Makefile > --- Makefile 12 Apr 2016 23:13:22 - 1.34 > +++ Makefile 24 May 2016 00:31:06 - > @@ -7,7 +7,7 @@ V=15.14.1 > DISTNAME=p7zip_${V}_src_all > PKGNAME= p7zip-${V} > PKGNAME-main=p7zip-${V} > -REVISION-main= 0 > +REVISION-main= 1 > PKGNAME-rar= p7zip-rar-${V} > CATEGORIES= archivers > > Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp > === > RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp > diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 00:38:41 > - > @@ -0,0 +1,26 @@ > +$OpenBSD$ > + > +CVE-2016-2334 > + > +--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015 > CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016 > +@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork , cons > + item.GroupID = Get32(r + 0x24); > + item.AdminFlags = r[0x28]; > + item.OwnerFlags = r[0x29]; > ++ */ > + item.FileMode = Get16(r + 0x2A); > ++ /* > + item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount > + item.FileType = Get32(r + 0x30); > + item.FileCreator = Get32(r + 0x34); > +@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile( > + blockSize = (UInt32)rem; > + > + UInt32 size = GetUi32(tableBuf + i * 8 + 4); > ++ > ++if (size > buf.Size() || size > kCompressionBlockSize + 1) > ++return S_FALSE; > + > + RINOK(ReadStream_FALSE(inStream, buf, size)); > + > Index: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp > === > RCS file: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp > diff -N patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp 24 May 2016 00:38:25 > - > @@ -0,0 +1,19 @@ > +$OpenBSD$ > + > +CVE-2016-2335 > + > +--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015 > CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016 > +@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI > + return S_FALSE; > + CFile = Files.Back(); > + const CLogVol = LogVols[volIndex]; > +- CPartition = > Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex]; > ++ unsigned partitionRef = lad.Location.PartitionRef; > ++ > ++ if (partitionRef >= vol.PartitionMaps.Size()) > ++return S_FALSE; > ++ CPartition = > Partitions[vol.PartitionMaps[partitionRef].PartitionIndex]; > + > + UInt32 key = lad.Location.Pos; > + UInt32 value; > Index: Makefile > === > RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v > retrieving revision 1.31 > diff -u -p -r1.31 Makefile > --- Makefile 4 Feb 2016 10:38:26 - 1.31 > +++ Makefile 24 May 2016 00:46:00 - > @@ -6,7 +6,7 @@ COMMENT-main= file archiver with high co > COMMENT-rar= rar modules for p7zip > > V= 15.09 > -REVISION=4 > +REVISION=5 > DISTNAME=p7zip_${V}_src_all > PKGNAME= p7zip-${V} > PKGNAME-main=p7zip-${V} > Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp > === > RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp > diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 00:44:39 > - > @@ -0,0 +1,26 @@ > +$OpenBSD$ > + > +CVE-2016-2334 > + > +--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015 > CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016 > +@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork , cons > + item.GroupID = Get32(r + 0x24); > + item.AdminFlags = r[0x28]; > + item.OwnerFlags = r[0x29]; > ++ */ > + item.FileMode = Get16(r + 0x2A); > ++ /* > + item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount > + item.FileType = Get32(r + 0x30); > + item.FileCreator = Get32(r + 0x34); > +@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile( > + blockSize = (UInt32)rem; > + > + UInt32 size =
lang/hugs (was: 'avoid W|X mappings in libffi' - MARC)
On Tue, May 24, 2016 at 11:51:08AM +0100, Stuart Henderson wrote: > I've collected the known problems so far at > https://docs.google.com/spreadsheets/d/1RjfH2_ecaUc_G5kmPAKbH00w0qcR-vWljTiUb4UCVXI/edit?usp=sharing Regarding lang/hugs, there's this masterpiece in src/builtin.c: /* * Allocate len bytes which are readable, writable, and executable. * * ToDo: If this turns out to be a performance bottleneck, one could * e.g. cache the last VirtualProtect/mprotect-ed region and do * nothing in case of a cache hit. */ static void* local mallocBytesRWX(int len) { void *addr = (void *)malloc(len); #if defined(i386_HOST_ARCH) && defined(_WIN32) /* This could be necessary for processors which distinguish between READ and EXECUTE memory accesses, e.g. Itaniums. */ DWORD dwOldProtect = 0; if (VirtualProtect(addr, len, PAGE_EXECUTE_READWRITE, ) == 0) { ERRMSG(0) "mallocBytesRWX: failed to protect 0x%p\n", addr EEND; } #elif defined(openbsd_HOST_OS) || defined(linux_HOST_OS) /* malloced memory isn't executable by default on OpenBSD */ uintptr_t pageSize = sysconf(_SC_PAGESIZE); uintptr_t mask = ~(pageSize - 1); uintptr_t startOfFirstPage = ((uintptr_t)addr ) & mask; uintptr_t startOfLastPage = ((uintptr_t)addr + len - 1) & mask; uintptr_t size = startOfLastPage - startOfFirstPage + pageSize; if (mprotect((void*)startOfFirstPage, (size_t)size, PROT_EXEC | PROT_READ | PROT_WRITE) != 0) { ERRMSG(0) "mallocBytesRWX: failed to protect 0x%p\n", addr EEND; } #endif return addr; } IIRC, I once wrote that the ports tree isn't a software museum, so instead of trying to fix it, i'd just cimpletely remove it from the tree, and maybe other ancient haskell implementations (yes, I mean you, nhc98!). I know that I tried to preserve that old shit a year ago (or even less), but it's just in the way and no longer maintained upstream. Ciao, Kili
Re: [new] devel/cargo
Hi Sebastien, Thanks for your work on this. Here's some low hanging fruit. On Fri, May 20, 2016 at 05:51:54AM +0200, Sebastien Marie wrote: > Note it requires the pending lang/rust port update. Which version? BUILD_DEPENDS says it needs lang/rust>=1.8. Or do you mean it needs your LOCALBASE tweak? If so, the BUILD_DEPEND will need a bump. > -sysconfdir=${LOCALBASE}/share/examples/cargo Usually syconfdir is /etc, and you use @example in the PLIST to make an example. This also means the user can edit the config file without upsetting pkg_delete. > DISTFILES +=cargo-bootstrap-${BOOTSTRAP_VERSION}.tar.gz:1 It would be nice to have a target that can make the bootstrap tarball automatically, like, for example, the lang/pypy does. Is that possible? And some boring nitpicking: "cartes.io" -> "crates.io"? "the package doesn't contains it" -> "the package doesn't *contain* it" "licencied" -> "licensed" "licence" -> "license"? (although apparently both are correct. I guess choose one and stick with it). "Unlicense" -> "Unlicensed" -- Best Regards Edd Barrett http://www.theunixzoo.co.uk
Re: avoid W|X mappings in libffi
On Monday, May 23, 2016 21:22 CEST, Jeremie Courreges-Anglaswrote: > Jeremie Courreges-Anglas writes: > > > Theo de Raadt writes: > > > >>> IIUC they would differ on OSes where libffi can't get a single mapping > >>> with both W and X access. On those OSes libffi uses a workaround, two > >>> mappings are allocated one with RW, the other with RX. While we want to > >>> disable RWX on OpenBSD as an end goal, I don't think we want to let > >>> libffi use this hack, 'cause it it basically the same as RWX. > >> > >> Yes we do. > >> > >> In general, shadow mappings are probably less attackable on a case > >> to case basis. Pure RWX mappings are worse. > >> > >> The roadmap is to remove as much RWX as possible. If we can split > >> some RWX uses off into shadow mappings, that is progress. At least > >> code using shadow mappings is half-ready for using mprotect correctly. > > > > Then the diff for src/closures.c should be different: it should ensure > > that libffi uses dlmmap_locked(). > > On amd64, but the diff should be MI: > > === libffi Summary === > > # of expected passes1867 > # of unexpected failures3 patch below at least seems to make the configure test of gnustep-base happy. Going to rebuild everything with it, and run some applications. Sebastian > > > > Index: Makefile > === > RCS file: /cvs/ports/devel/libffi/Makefile,v > retrieving revision 1.34 > diff -u -p -r1.34 Makefile > --- Makefile 23 Mar 2016 22:50:29 - 1.34 > +++ Makefile 23 May 2016 18:38:58 - > @@ -3,7 +3,7 @@ > COMMENT= Foreign Function Interface > > DISTNAME=libffi-3.2.1 > -REVISION=1 > +REVISION=2 > SHARED_LIBS += ffi 1.2 # .6.4 > CATEGORIES= devel > > Index: patches/patch-src_closures_c > === > RCS file: patches/patch-src_closures_c > diff -N patches/patch-src_closures_c > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-src_closures_c 23 May 2016 18:38:58 - > @@ -0,0 +1,19 @@ > +$OpenBSD$ > +--- src/closures.c.orig Mon May 23 20:34:13 2016 > src/closures.c Mon May 23 20:35:56 2016 > +@@ -525,6 +525,7 @@ dlmmap (void *start, size_t length, int prot, > + printf ("mapping in %zi\n", length); > + #endif > + > ++#if 0 > + if (execfd == -1 && is_emutramp_enabled ()) > + { > + ptr = mmap (start, length, prot & ~PROT_EXEC, flags, fd, offset); > +@@ -543,6 +544,7 @@ dlmmap (void *start, size_t length, int prot, > + with ((prot & ~PROT_WRITE) | PROT_EXEC) and mremap with > + MREMAP_DUP and prot at this point. */ > + } > ++#endif > + > + if (execsize == 0 || execfd == -1) > + { > > > -- > jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
CVS: cvs.openbsd.org: ports
CVSROOT:/cvs Module name:ports Changes by: e...@cvs.openbsd.org2016/05/24 12:01:36 Modified files: www/py-frozen-flask: Makefile Log message: www/py-frozen-flask: fix build warnings if package not already installed. Spotted and OK shadchin@. Thanks.
Re: 'avoid W|X mappings in libffi' - MARC
Aha. Google says obxj are files emitted by obc? So perhaps that row just has lang/obc in the wrong column. :-) Ken On 24 May 2016 at 07:05, Kenneth Westerbackwrote: > What's 'obxj' that your spreadsheet says processes lang/obc? > > make search key=obxj > > doesn't show anything. > > Just curious as lang/obc popped out at me due to my ocaml update work. :-) > > Ken > > > On 24 May 2016 at 06:51, Stuart Henderson wrote: >> I've collected the known problems so far at >> https://docs.google.com/spreadsheets/d/1RjfH2_ecaUc_G5kmPAKbH00w0qcR-vWljTiUb4UCVXI/edit?usp=sharing >>
Re: 'avoid W|X mappings in libffi' - MARC
What's 'obxj' that your spreadsheet says processes lang/obc? make search key=obxj doesn't show anything. Just curious as lang/obc popped out at me due to my ocaml update work. :-) Ken On 24 May 2016 at 06:51, Stuart Hendersonwrote: > I've collected the known problems so far at > https://docs.google.com/spreadsheets/d/1RjfH2_ecaUc_G5kmPAKbH00w0qcR-vWljTiUb4UCVXI/edit?usp=sharing >
Re: 'avoid W|X mappings in libffi' - MARC
I've collected the known problems so far at https://docs.google.com/spreadsheets/d/1RjfH2_ecaUc_G5kmPAKbH00w0qcR-vWljTiUb4UCVXI/edit?usp=sharing
CVS: cvs.openbsd.org: ports
CVSROOT:/cvs Module name:ports Changes by: st...@cvs.openbsd.org 2016/05/24 03:57:50 Modified files: lang/python/2.7: Makefile lang/python/2.7/patches: patch-Lib_test_regrtest_py patch-Lib_test_test_tempfile_py Log message: Handle OpenBSD 6.x in Python 2.7 tests. Python 3.x's tests are done in a different way and don't need this. OK rpointel@
CVS: cvs.openbsd.org: ports
CVSROOT:/cvs Module name:ports Changes by: dco...@cvs.openbsd.org 2016/05/24 03:13:14 Modified files: audio/umurmur : Makefile audio/umurmur/patches: patch-src_server_c patch-src_ssli_openssl_c Log message: Fix size of value passed to setsockopt (git commit d723b45fc42e04b9179ba29c65efc9484ec2924c) Upgrade TLS suites for OpenSSL (part of git commit c72ebd29f239793218f2248c3f8b48a7b3e0a541)
CVS: cvs.openbsd.org: ports
CVSROOT:/cvs Module name:ports Changes by: dco...@cvs.openbsd.org 2016/05/24 02:07:58 Modified files: audio/openal : Makefile Added files: audio/openal/patches: patch-Alc_mixer_sse_c Log message: Avoid an underflow in the SSE mixers if BufferSize is less than 4 (upstream git commit 564a1822595e287cf808ea63a03d96719e3cc7b4) Fix a crash with games/ioquake3. Reported and fix tested by Ryan Freeman.
CVS: cvs.openbsd.org: ports
CVSROOT:/cvs Module name:ports Changes by: ajacou...@cvs.openbsd.org 2016/05/24 01:54:16 Modified files: multimedia/libbluray: Makefile distinfo multimedia/libbluray/patches: patch-Makefile_in Log message: Update to libbluray-0.9.3. from Brad, maintainer timeout
CVS: cvs.openbsd.org: ports
CVSROOT:/cvs Module name:ports Changes by: ajacou...@cvs.openbsd.org 2016/05/24 01:53:23 Modified files: devel/llvm : Makefile devel/llvm/patches: patch-tools_clang_lib_Driver_Tools_cpp Log message: Select proper SPARCv9 variant for the assembler. from Brad (maintainer)