FS#51331 - [crypto++] CVE-2016-7420 and NDEBUG
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Tuesday, 11 October 2016, 21:23 GMT
Last edited by Antonio Rojas (arojas) - Tuesday, 11 October 2016, 22:06 GMT
Opened by Remi Gacogne (rgacogne) - Tuesday, 11 October 2016, 21:23 GMT
Last edited by Antonio Rojas (arojas) - Tuesday, 11 October 2016, 22:06 GMT
|
Details
Hi,
It looks like crypto++ should always be built with -DNDEBUG, since not doing so led to CVE-2016-7420 [1][2]. It appears less problematic since the 5.6.5 release replaced many assert() with CRYPTOPP_ASSERT(), which is not enabled if CRYPTOPP_DEBUG is not defined, but the developers have made it clear in both Readme.txt and Install.txt that -DNDEBUG should be used. We were actually building with -DNDEBUG until recently [3], but the current PKGBUILD overrides CXXFLAGS without setting -DNDEBUG, leading to the first line of GNUmakefile-cross to be ignored (since CXXFLAGS is already defined), thus building without -DNDEBUG. Since CXXFLAGS may already be set by the environment, I think it would make sense to replace: CXXFLAGS+=" -fPIC" make -f GNUmakefile-cross with: CXXFLAGS+=" -DNDEBUG -fPIC" make -f GNUmakefile-cross in our PKGBUILD. [1]: https://github.com/weidai11/cryptopp/issues/277 [2]: http://seclists.org/oss-sec/2016/q3/519 [3]: https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/crypto%2b%2b&id=fc4dd81f39589eeb5bdb927587c0fbd2b41d47df |
This task depends upon
Closed by Antonio Rojas (arojas)
Tuesday, 11 October 2016, 22:06 GMT
Reason for closing: Fixed
Additional comments about closing: crypto++ 5.6.5-2
Tuesday, 11 October 2016, 22:06 GMT
Reason for closing: Fixed
Additional comments about closing: crypto++ 5.6.5-2