[tor-commits] [tor-browser-build/master] Bug 31844: Use DESTDIR instead of --prefix when building OpenSSL

gk at torproject.org gk at torproject.org
Thu Sep 26 19:24:50 UTC 2019


commit abdfbfdb3f4122300c3f3f5e745af1c74a559102
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Wed Sep 25 12:54:00 2019 +0200

    Bug 31844: Use DESTDIR instead of --prefix when building OpenSSL
    
    This is fixing CVE-2019-1552:
    http://cve.circl.lu/cve/CVE-2019-1552
    
    In order to avoid changing the OPENSSLDIR to a directory that might be
    writable on the user system, we don't set the --prefix/--openssldir
    option anymore and use DESTDIR to select the packaging installation
    directory.
---
 projects/openssl/build  | 5 +++--
 projects/openssl/config | 2 ++
 projects/tor/build      | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/projects/openssl/build b/projects/openssl/build
index 40dc526..d53185e 100644
--- a/projects/openssl/build
+++ b/projects/openssl/build
@@ -14,10 +14,11 @@ export CC='gcc -m32'
   export CC="cc [% c("var/FLAGS") %]"
 [% END -%]
 export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
-./Configure --prefix=$distdir [% c('var/configure_opts') %]
+./Configure [% c('var/configure_opts') %]
 make
-make install
+make DESTDIR="$distdir" install
 cd /var/tmp/dist
+ln -s '[% c("var/openssldir") %]' openssl/openssl
 [% c('tar', {
         tar_src => [ project ],
         tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
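Review bot: Nothing after the new `ln -s` line checks that the link resolves, so if `var/openssldir` ever drifts from the prefix that Configure picks by default, the tarball ships a dangling `openssl/openssl` link and the error only surfaces later in projects/tor/build. A check right after the link, `test -d openssl/openssl/include/openssl || exit 1`, would stop the build at the point of the mismatch. A comment above `./Configure` would also help, for example `# No --prefix/--openssldir on purpose (CVE-2019-1552): keep the compiled-in OPENSSLDIR default and relocate with DESTDIR only`, because the fix is silently undone if `var/configure_opts` later gains one of those options. The build script begins before this hunk and continues past it.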
diff --git a/projects/openssl/config b/projects/openssl/config
index 27b9526..f648598 100644
--- a/projects/openssl/config
+++ b/projects/openssl/config
@@ -3,6 +3,7 @@ version: 1.1.1d
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
 
 var:
+  openssldir: 'usr/local'
   container:
     use_container: 1
 
@@ -17,6 +18,7 @@ targets:
     var:
       flag_mwindows: ''
       configure_opts: '-shared --cross-compile-prefix=[% c("arch") %]-w64-mingw32- mingw[% IF c("var/windows-x86_64") %]64[% END %] "[% c("var/CFLAGS") %] [% c("var/LDFLAGS") %]"'
+      openssldir: 'Program Files[% IF c("var/windows-i686") %] (x86)[% END %]/OpenSSL'
   osx-x86_64:
     var:
       configure_opts: --cross-compile-prefix=x86_64-apple-darwin11- darwin64-x86_64-cc enable-ec_nistp_64_gcc_128
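Review bot: The `openssldir` value added in this hunk, like the top-level `openssldir: 'usr/local'` added in the previous one, has no comment saying that it is not a free setting. Judging by the commit message and the `ln -s` in projects/openssl/build, it has to mirror the install prefix OpenSSL chooses for the target, written relative to DESTDIR. I would add above each value something like `# OpenSSL's default install prefix for this target, relative to DESTDIR; only used for the symlink, never passed to Configure (CVE-2019-1552)`. That matters most for this Windows value, where a maintainer might otherwise "simplify" the templated `Program Files[...]/OpenSSL` path and break the link. The target key this `var:` block belongs to lies above the hunk.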
diff --git a/projects/tor/build b/projects/tor/build
index 0705626..2d10fb3 100644
--- a/projects/tor/build
+++ b/projects/tor/build
@@ -30,7 +30,7 @@ tar -C /var/tmp/dist -xf [% c('input_files_by_name/libevent') %]
 [% END %]
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
 libeventdir=/var/tmp/dist/libevent
-openssldir=/var/tmp/dist/openssl
+openssldir=/var/tmp/dist/openssl/openssl
 
 [% IF c("var/windows") %]
   [% IF c("var/nightly") %]




