commit abdfbfdb3f4122300c3f3f5e745af1c74a559102 Author: Nicolas Vigier boklm@torproject.org Date: Wed Sep 25 12:54:00 2019 +0200
Bug 31844: Use DESTDIR instead of --prefix when building OpenSSL
This is fixing CVE-2019-1552: http://cve.circl.lu/cve/CVE-2019-1552
In order to avoid changing the OPENSSLDIR to a directory that might be writable on the user's system, we don't set the --prefix/--openssldir option anymore and use DESTDIR to select the packaging installation directory. --- projects/openssl/build | 5 +++-- projects/openssl/config | 2 ++ projects/tor/build | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/projects/openssl/build b/projects/openssl/build
index 40dc526..d53185e 100644
--- a/projects/openssl/build
+++ b/projects/openssl/build
@@ -14,10 +14,11 @@ export CC='gcc -m32'
 export CC="cc [% c("var/FLAGS") %]"
 [% END -%]
 export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
-./Configure --prefix=$distdir [% c('var/configure_opts') %]
+./Configure [% c('var/configure_opts') %]
 make
-make install
+make DESTDIR="$distdir" install
 cd /var/tmp/dist
+ln -s '[% c("var/openssldir") %]' openssl/openssl
 [% c('tar', {
 tar_src => [ project ],
 tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
diff --git a/projects/openssl/config b/projects/openssl/config
index 27b9526..f648598 100644
--- a/projects/openssl/config
+++ b/projects/openssl/config
@@ -3,6 +3,7 @@ version: 1.1.1d
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
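Review bot: In projects/openssl/build, dropping `--prefix` from the `./Configure` line means the OPENSSLDIR compiled into the library is whatever this OpenSSL release defaults to for each target, and the script neither states nor checks that value. The commit message gives a non-user-writable OPENSSLDIR as the purpose of the change, so I would record the dependency next to the call, for example `# No --prefix/--openssldir on purpose (CVE-2019-1552): OPENSSLDIR stays at the upstream default; DESTDIR only relocates the install tree.` It is also worth confirming per target that the default location is not writable by an unprivileged user on typical installs, which this hunk cannot show. The script continues outside the hunk on both sides.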
var:
+ openssldir: 'usr/local'
 container:
 use_container: 1
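Review bot: The new `openssldir` values (`usr/local` here and the `Program Files…/OpenSSL` value in the windows-target hunk that follows) appear to restate OpenSSL's default install prefix by hand, and nothing ties them to what `make DESTDIR=… install` actually produced. If a later OpenSSL version changes its default prefix, the `ln -s` in projects/openssl/build would still succeed and ship a dangling `openssl/openssl` link, so the failure would only surface when tor is built. A comment such as `# must match OpenSSL's default install prefix for this target, relative to DESTDIR` above each value would make the coupling visible, and a `test -d` on the link target before the `ln -s` would turn drift into an immediate build failure. The variable holds the install prefix rather than OpenSSL's OPENSSLDIR setting, which the name may suggest to a reader of this CVE fix.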
@@ -17,6 +18,7 @@ targets:
 var:
 flag_mwindows: ''
 configure_opts: '-shared --cross-compile-prefix=[% c("arch") %]-w64-mingw32- mingw[% IF c("var/windows-x86_64") %]64[% END %] "[% c("var/CFLAGS") %] [% c("var/LDFLAGS") %]"'
+ openssldir: 'Program Files[% IF c("var/windows-i686") %] (x86)[% END %]/OpenSSL'
 osx-x86_64:
 var:
 configure_opts: --cross-compile-prefix=x86_64-apple-darwin11- darwin64-x86_64-cc enable-ec_nistp_64_gcc_128
diff --git a/projects/tor/build b/projects/tor/build
index 0705626..2d10fb3 100644
--- a/projects/tor/build
+++ b/projects/tor/build
@@ -30,7 +30,7 @@ tar -C /var/tmp/dist -xf [% c('input_files_by_name/libevent') %]
 [% END %]
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
 libeventdir=/var/tmp/dist/libevent
-openssldir=/var/tmp/dist/openssl
+openssldir=/var/tmp/dist/openssl/openssl
[% IF c("var/windows") %] [% IF c("var/nightly") %]