mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
0e307de269
patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txz: Upgraded.
Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
were only available to subscribers to OpenSSL's premium extended support.
These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
The reported version number has been updated so that vulnerability scanners
calm down. All of these issues were considered to be of low severity.
Thanks to Ken Zalewski for the patches!
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-5678
https://www.cve.org/CVERecord?id=CVE-2024-0727
https://www.cve.org/CVERecord?id=CVE-2024-2511
https://www.cve.org/CVERecord?id=CVE-2024-4741
https://www.cve.org/CVERecord?id=CVE-2024-5535
(* Security fix *)
patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txz: Upgraded.
281 lines
10 KiB
Bash
Executable file
281 lines
10 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright 2000 BSDi, Inc. Concord, CA, USA
|
|
# Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA
|
|
# Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2018, 2024 Patrick J. Volkerding, Sebeka, MN, USA
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use of this script, with or without modification, is
|
|
# permitted provided that the following conditions are met:
|
|
#
|
|
# 1. Redistributions of this script must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
|
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
# Set initial variables:
|
|
cd $(dirname $0) ; CWD=$(pwd)
|
|
TMP=${TMP:-/tmp}
|
|
|
|
PKGNAM=openssl
|
|
VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
|
|
# Get the new version number from the latest patch:
|
|
PKGVER=$(grep "^+" $(/bin/ls -t 00*patch | head -n 1) | grep OPENSSL_VERSION_TEXT | cut -f 2 -d \" | cut -f 2 -d ' ')
|
|
BUILD=${BUILD:-1_slack15.0}
|
|
|
|
# Automatically determine the architecture we're building on:
|
|
if [ -z "$ARCH" ]; then
|
|
case "$( uname -m )" in
|
|
i?86) export ARCH=i586 ;;
|
|
arm*) export ARCH=arm ;;
|
|
# Unless $ARCH is already set, use uname -m for all other archs:
|
|
*) export ARCH=$( uname -m ) ;;
|
|
esac
|
|
fi
|
|
|
|
PKG1=$TMP/package-openssl
|
|
PKG2=$TMP/package-ossllibs
|
|
NAME1=openssl-$PKGVER-$ARCH-$BUILD
|
|
NAME2=openssl-solibs-$PKGVER-$ARCH-$BUILD
|
|
|
|
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
|
|
# the name of the created package would be, and then exit. This information
|
|
# could be useful to other scripts.
|
|
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
|
|
echo "${NAME1}.txz"
|
|
echo "${NAME2}.txz"
|
|
exit 0
|
|
fi
|
|
|
|
# Parallel build doesn't link properly.
|
|
#NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
|
|
|
|
# So that ls has the right field counts for parsing...
|
|
export LC_ALL=C
|
|
|
|
cd $TMP
|
|
rm -rf $PKG1 $PKG2 openssl-$VERSION
|
|
|
|
tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1
|
|
cd openssl-$VERSION
|
|
|
|
# Fix pod syntax errors which are fatal wih a newer perl:
|
|
find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \;
|
|
|
|
# Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
|
|
# were only available to subscribers to OpenSSL's premium extended support.
|
|
# These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
|
|
# Thanks to Ken Zalewski!
|
|
cat $CWD/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch | patch -p1 --verbose || exit 1
|
|
cat $CWD/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch | patch -p1 --verbose || exit 1
|
|
cat $CWD/0003-openssl-1.1.1za_CVE-2024-5535.patch | patch -p1 --verbose || exit 1
|
|
|
|
## For openssl-1.1.x, don't try to change the soname.
|
|
## Use .so.1, not .so.1.0.0:
|
|
#sed -i "s/soname=\$\$SHLIB\$\$SHLIB_SOVER\$\$SHLIB_SUFFIX/soname=\$\$SHLIB.1/g" Makefile.shared
|
|
|
|
if [ "$ARCH" = "i586" ]; then
|
|
# Build with -march=i586 -mtune=i686:
|
|
sed -i "/linux-elf/s/fomit-frame-pointer/fomit-frame-pointer -march=i586 -mtune=i686/g" Configure
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "i686" ]; then
|
|
# Build with -march=i686 -mtune=i686:
|
|
sed -i "/linux-elf/s/fomit-frame-pointer/fomit-frame-pointer -march=i686 -mtune=i686/g" Configure
|
|
LIBDIRSUFFIX=""
|
|
elif [ "$ARCH" = "x86_64" ]; then
|
|
LIBDIRSUFFIX="64"
|
|
fi
|
|
|
|
# OpenSSL has a (nasty?) habit of bumping the internal version number with
|
|
# every release. This wouldn't be so bad, but some applications are so
|
|
# paranoid that they won't run against a different OpenSSL version than
|
|
# what they were compiled against, whether or not the ABI has changed.
|
|
#
|
|
# So, we will use the OPENSSL_VERSION_NUMBER from openssl-1.1.1 unless ABI
|
|
# breakage forces it to change. Yes, we're finally using this old trick. :)
|
|
sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x1010100fL (1.1.1) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x1010100fL/g" include/openssl/opensslv.h || exit 1
|
|
|
|
chown -R root:root .
|
|
mkdir -p $PKG1/usr/doc/openssl-$PKGVER
|
|
cp -a ACKNOWLEDGEMENTS AUTHORS CHANGES* CONTRIBUTING FAQ INSTALL* \
|
|
LICENSE* NEWS NOTES* README* doc \
|
|
$PKG1/usr/doc/openssl-$PKGVER
|
|
# For this backported package, let's put the patches in the documentation since
|
|
# the CHANGES and other files are not up-to-date with the reported version.
|
|
# This'll make it more clear exactly what this package is.
|
|
cp -a $CWD/00* $PKG1/usr/doc/openssl-$PKGVER
|
|
chown root:root $PKG1/usr/doc/openssl-$PKGVER/00*
|
|
find $PKG1/usr/doc/openssl-$PKGVER -type d -exec chmod 755 {} \+
|
|
find $PKG1/usr/doc/openssl-$PKGVER -type f -exec chmod 644 {} \+
|
|
|
|
# If there's a CHANGES file, installing at least part of the recent history
|
|
# is useful, but don't let it get totally out of control:
|
|
if [ -r CHANGES ]; then
|
|
DOCSDIR=$(echo $PKG1/usr/doc/*-$PKGVER)
|
|
cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES
|
|
touch -r CHANGES $DOCSDIR/CHANGES
|
|
fi
|
|
|
|
# These are the known patent issues with OpenSSL:
|
|
# name # expires
|
|
# MDC-2: 4,908,861 2007-03-13, not included.
|
|
# IDEA: 5,214,703 2010-05-25, not included.
|
|
#
|
|
# Although all of the above are expired, it's still probably
|
|
# not a good idea to include them as there are better
|
|
# algorithms to use.
|
|
|
|
./config \
|
|
--prefix=/usr \
|
|
--openssldir=/etc/ssl \
|
|
zlib \
|
|
enable-camellia \
|
|
enable-seed \
|
|
enable-rfc3779 \
|
|
enable-cms \
|
|
enable-md2 \
|
|
enable-rc5 \
|
|
enable-ssl3 \
|
|
enable-ssl3-method \
|
|
no-weak-ssl-ciphers \
|
|
no-mdc2 \
|
|
no-ec2m \
|
|
no-idea \
|
|
no-sse2 \
|
|
shared
|
|
|
|
make $NUMJOBS depend || make depend || exit 1
|
|
|
|
make $NUMJOBS || make || exit 1
|
|
|
|
make install DESTDIR=$PKG1 || exit 1
|
|
|
|
# No thanks on the static libraries:
|
|
rm -f $PKG1/usr/lib${LIBDIRSUFFIX}/*.a
|
|
|
|
# No thanks on manpages duplicated as html:
|
|
rm -rf $PKG1/usr/share/doc
|
|
|
|
# Also no thanks on .pod versions of the already shipped manpages:
|
|
rm -rf $PKG1/usr/doc/openssl-*/doc/man*
|
|
|
|
# Make the .so.? library symlinks:
|
|
( cd $PKG1/usr/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.* )
|
|
|
|
# Move libraries, as they might be needed by programs that bring a network
|
|
# mounted /usr online:
|
|
|
|
mkdir $PKG1/lib${LIBDIRSUFFIX}
|
|
( cd $PKG1/usr/lib${LIBDIRSUFFIX}
|
|
for file in lib*.so.?.* ; do
|
|
mv $file ../../lib${LIBDIRSUFFIX}
|
|
ln -sf ../../lib${LIBDIRSUFFIX}/$file .
|
|
done
|
|
cp -a lib*.so.? ../../lib${LIBDIRSUFFIX}
|
|
)
|
|
|
|
# Add a cron script to warn root if a certificate is going to expire soon:
|
|
mkdir -p $PKG1/etc/cron.daily
|
|
zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new
|
|
chmod 755 $PKG1/etc/cron.daily/certwatch.new
|
|
|
|
# Make config file non-clobber:
|
|
mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new
|
|
|
|
# Remove duplicate config file:
|
|
rm -f $PKG1/etc/ssl/openssl.cnf.dist
|
|
|
|
( cd $PKG1
|
|
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
|
|
find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
|
|
)
|
|
|
|
# Relocate the manpages:
|
|
mv $PKG1/usr/share/man $PKG1/usr
|
|
rmdir $PKG1/usr/share
|
|
|
|
# Fix manpage name collisions, and relink anything that linked to the old name:
|
|
( cd $PKG1/usr/man/man1
|
|
mv passwd.1 ssl_passwd.1
|
|
for file in *.1 ; do
|
|
if [ -L $file ]; then
|
|
if [ "$(readlink $file)" = "passwd.1" ]; then
|
|
rm -f $file
|
|
ln -sf ssl_passwd.1 $file
|
|
fi
|
|
fi
|
|
done )
|
|
|
|
# Compress and symlink the man pages:
|
|
if [ -d $PKG1/usr/man ]; then
|
|
( cd $PKG1/usr/man
|
|
for manpagedir in $(find . -type d -name "man*") ; do
|
|
( cd $manpagedir
|
|
for eachpage in $( find . -type l -maxdepth 1) ; do
|
|
ln -s $( readlink $eachpage ).gz $eachpage.gz
|
|
rm $eachpage
|
|
done
|
|
gzip -9 *.?
|
|
)
|
|
done
|
|
)
|
|
fi
|
|
|
|
# If there's an openssl1 directory, then build openssl-1.0 shared libraries for
|
|
# compatibility with programs linked to those:
|
|
if [ -d $CWD/openssl1 ]; then
|
|
( cd $CWD/openssl1
|
|
./openssl1.build || exit 1
|
|
) || exit 1
|
|
# Don't put these in the openssl package... openssl-solibs is enough.
|
|
#mkdir -p $PKG1/lib${LIBDIRSUFFIX}
|
|
#cp -a $TMP/package-openssl1/usr/lib/lib*.so.?.?.? $PKG1/lib${LIBDIRSUFFIX}
|
|
#( cd $PKG1/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.?.?.? )
|
|
mkdir -p $PKG2/lib${LIBDIRSUFFIX}
|
|
cp -a $TMP/package-openssl1/usr/lib${LIBDIRSUFFIX}/lib*.so.?.?.? $PKG2/lib${LIBDIRSUFFIX}
|
|
( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.?.?.? )
|
|
fi
|
|
|
|
cd $PKG1
|
|
chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig
|
|
sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc
|
|
mkdir -p install
|
|
zcat $CWD/doinst.sh-openssl.gz > install/doinst.sh
|
|
cat $CWD/slack-desc.openssl > install/slack-desc
|
|
/sbin/makepkg -l y -c n $TMP/${NAME1}.txz
|
|
|
|
# Make runtime package:
|
|
mkdir -p $PKG2/lib${LIBDIRSUFFIX}
|
|
( cd lib${LIBDIRSUFFIX} ; cp -a lib*.so.* $PKG2/lib${LIBDIRSUFFIX} )
|
|
( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l * )
|
|
mkdir -p $PKG2/etc
|
|
( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . )
|
|
mkdir -p $PKG2/usr/doc/openssl-$PKGVER
|
|
( cd $TMP/openssl-$VERSION
|
|
cp -a ACKNOWLEDGEMENTS AUTHORS CHANGES* CONTRIBUTING FAQ INSTALL* \
|
|
LICENSE* NEWS NOTES* README* $PKG2/usr/doc/openssl-$PKGVER
|
|
# If there's a CHANGES file, installing at least part of the recent history
|
|
# is useful, but don't let it get totally out of control:
|
|
if [ -r CHANGES ]; then
|
|
DOCSDIR=$(echo $PKG2/usr/doc/*-$PKGVER)
|
|
cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES
|
|
touch -r CHANGES $DOCSDIR/CHANGES
|
|
fi
|
|
)
|
|
|
|
find $PKG2/usr/doc/openssl-$PKGVER -type d -exec chmod 755 {} \+
|
|
find $PKG2/usr/doc/openssl-$PKGVER -type f -exec chmod 644 {} \+
|
|
cd $PKG2
|
|
mkdir -p install
|
|
zcat $CWD/doinst.sh-openssl-solibs.gz > install/doinst.sh
|
|
cat $CWD/slack-desc.openssl-solibs > install/slack-desc
|
|
/sbin/makepkg -l y -c n $TMP/${NAME2}.txz
|