FS#51331 - [crypto++] CVE-2016-7420 and NDEBUG

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Tuesday, 11 October 2016, 21:23 GMT
Last edited by Antonio Rojas (arojas) - Tuesday, 11 October 2016, 22:06 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



It looks like crypto++ should always be built with -DNDEBUG, since not doing so led to CVE-2016-7420 [1][2]. It appears less problematic since the 5.6.5 release replaced many assert() with CRYPTOPP_ASSERT(), which is not enabled if CRYPTOPP_DEBUG is not defined, but the developers have made it clear in both Readme.txt and Install.txt that -DNDEBUG should be used.
We were actually building with -DNDEBUG until recently [3], but the current PKGBUILD overrides CXXFLAGS without setting -DNDEBUG, leading to the first line of GNUmakefile-cross to be ignored (since CXXFLAGS is already defined), thus building without -DNDEBUG. Since CXXFLAGS may already be set by the environment, I think it would make sense to replace:
CXXFLAGS+=" -fPIC" make -f GNUmakefile-cross
CXXFLAGS+=" -DNDEBUG -fPIC" make -f GNUmakefile-cross
in our PKGBUILD.

[1]: https://github.com/weidai11/cryptopp/issues/277
[2]: http://seclists.org/oss-sec/2016/q3/519
[3]: https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/crypto%2b%2b&id=fc4dd81f39589eeb5bdb927587c0fbd2b41d47df
This task depends upon

Closed by  Antonio Rojas (arojas)
Tuesday, 11 October 2016, 22:06 GMT
Reason for closing:  Fixed
Additional comments about closing:  crypto++ 5.6.5-2