Re: Security update textproc/wkhtmltopdf-0.12.3.2
On Thu, Aug 11, 2016 at 03:48:59PM +0800, Tinker wrote:
> On 2016-08-11 15:38, Tinker wrote:
> >On 2016-07-28 22:54, Frank Groeneveld wrote:
> >>On Thu, Jul 28, 2016 at 12:54:52PM +0100, Stuart Henderson wrote:
> >>>On 2016/07/28 01:02, Tinker wrote:
> On 2016-07-27 16:36, Frank Groeneveld wrote:
> > Attached patch updates wkhtmltopdf to the latest release. Some
> > important
> > security fixes (OpenSSL updates) were added ..
>
> Can't it use the system's LibreSSL version??
>
> >>>
> >>>I'm pretty sure it is, otherwise we wouldn't have needed the
> >>>OPENSSL_NO_SSL3
> >>>patches.
> >>
> >>Yes, it doesn't use the bundled OpenSSL version, sorry for the
> >>confusion. It seems [..]
>
> (Wait, by "does not use the bundled OpenSSL version", you mean that the
> Wkhtmltopdf OpenBSD port not uses the *OS-*bundled *LibreSSL* library
> right?)
>

With bundled I mean the library that comes in the wkhtmltopdf "bundle".
As you can see we need patches to let the build know that the base
LibreSSL doesn't support SSLv3, which leads me and Stuart to think that
it uses the LibreSSL from base.

I see Stuart has committed this update already. Thanks Stuart!

Frank
Re: Security update textproc/wkhtmltopdf-0.12.3.2
On 2016-08-11 15:38, Tinker wrote:
> On 2016-07-28 22:54, Frank Groeneveld wrote:
>> On Thu, Jul 28, 2016 at 12:54:52PM +0100, Stuart Henderson wrote:
>>> On 2016/07/28 01:02, Tinker wrote:
>>> > On 2016-07-27 16:36, Frank Groeneveld wrote:
>>> > > Attached patch updates wkhtmltopdf to the latest release. Some important
>>> > > security fixes (OpenSSL updates) were added ..
>>> >
>>> > Can't it use the system's LibreSSL version??
>>> >
>>> I'm pretty sure it is, otherwise we wouldn't have needed the OPENSSL_NO_SSL3
>>> patches.
>> Yes, it doesn't use the bundled OpenSSL version, sorry for the confusion.
>> It seems [..]

(Wait, by "does not use the bundled OpenSSL version", you mean that the
Wkhtmltopdf OpenBSD port not uses the *OS-*bundled *LibreSSL* library
right?)
Re: Security update textproc/wkhtmltopdf-0.12.3.2
On 2016-07-28 22:54, Frank Groeneveld wrote:
> On Thu, Jul 28, 2016 at 12:54:52PM +0100, Stuart Henderson wrote:
>> On 2016/07/28 01:02, Tinker wrote:
>> > On 2016-07-27 16:36, Frank Groeneveld wrote:
>> > > Attached patch updates wkhtmltopdf to the latest release. Some important
>> > > security fixes (OpenSSL updates) were added ..
>> >
>> > Can't it use the system's LibreSSL version??
>> >
>> I'm pretty sure it is, otherwise we wouldn't have needed the OPENSSL_NO_SSL3
>> patches.
> Yes, it doesn't use the bundled OpenSSL version, sorry for the confusion.
> It seems [..]

I understand why Wkhtmltopdf builds its own QT: it needs custom
formatting patches and the like, that the ordinary QT does not have.

Wkhtmltopdf bundling its own OpenSSL sounds not only useless (bc
Wkhtmltopdf does not rely on any custom functionality via patches,
right?), but also dangerous? After all OpenSSL is one of the nastiest
open-source libraries in widespread use.

Could Wkhtmltopdf be made to use the OS-bundled LibreSSL instead, do you
see any conceptual problems about doing that?
Re: Security update textproc/wkhtmltopdf-0.12.3.2
On Thu, Jul 28, 2016 at 04:54:18PM +0200, Frank Groeneveld wrote: > > I'll bring this patch up again after the lock is removed, because > without security issues there is no rush this port update. > Bringing this up again now that the lock is gone. Could somebody commit this if there are no objections? Thanks! Frank Index: Makefile === RCS file: /cvs/ports/textproc/wkhtmltopdf/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile3 Apr 2016 14:20:03 - 1.8 +++ Makefile27 Jul 2016 08:26:08 - @@ -7,9 +7,8 @@ COMMENT = convert HTML to PDF using Web GH_ACCOUNT = wkhtmltopdf GH_PROJECT = wkhtmltopdf -GH_TAGNAME = 0.12.2.4 -REVISION = 3 -QT_COMMIT =7e48a1fac7e0f9aefccd01e9871f987da3a62fda +GH_TAGNAME = 0.12.3.2 +QT_COMMIT =8dae19a82231e87366d81c683bafcb025aea9c1d MASTER_SITES0 =https://github.com/wkhtmltopdf/qt/archive/ DISTFILES =${DISTNAME}.tar.gz \ wkhtmltopdf-qt-${QT_COMMIT}{${QT_COMMIT}}.tar.gz:0 Index: distinfo === RCS file: /cvs/ports/textproc/wkhtmltopdf/distinfo,v retrieving revision 1.2 diff -u -p -r1.2 distinfo --- distinfo6 Jan 2016 16:50:35 - 1.2 +++ distinfo27 Jul 2016 08:26:08 - @@ -1,4 +1,4 @@ -SHA256 (wkhtmltopdf-0.12.2.4.tar.gz) = 27AWbpzhkeeH6QlgHkzbrnEGnylpM2Lt9c19TUREcog= -SHA256 (wkhtmltopdf-qt-7e48a1fac7e0f9aefccd01e9871f987da3a62fda.tar.gz) = 0uxGcEwKVGE7Wlhv/0bSRZLFCiYYJJTxqkmKy0aLwlQ= -SIZE (wkhtmltopdf-0.12.2.4.tar.gz) = 127595 -SIZE (wkhtmltopdf-qt-7e48a1fac7e0f9aefccd01e9871f987da3a62fda.tar.gz) = 173043701 +SHA256 (wkhtmltopdf-0.12.3.2.tar.gz) = chUj74fMuTe/NxSt4ZsRL0y4os2EDjSzDybuJixB/hY= +SHA256 (wkhtmltopdf-qt-8dae19a82231e87366d81c683bafcb025aea9c1d.tar.gz) = w7Fa4y044TfRu3BSWGNK+CFzbANS6VIVCk01NrjISl4= +SIZE (wkhtmltopdf-0.12.3.2.tar.gz) = 128050 +SIZE (wkhtmltopdf-qt-8dae19a82231e87366d81c683bafcb025aea9c1d.tar.gz) = 173040690
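Review bot: in the Makefile hunk, GH_TAGNAME and QT_COMMIT are bumped together, but nothing visible records how 8dae19a82231e87366d81c683bafcb025aea9c1d was chosen. Because the patched Qt is pinned by commit hash and not by tag, the commit message should say that this is the Qt revision the 0.12.3.2 release builds against, so a later bump of one value does not silently leave the other behind. Dropping REVISION together with the version change is correct.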
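Review bot: in the distinfo hunk, the wkhtmltopdf-qt entry is a 173040690-byte archive fetched by commit hash from the github.com/wkhtmltopdf/qt/archive/ URL, so the SHA256 line is the only thing binding the build to that content. Before commit, regenerate distinfo from a fresh fetch on a second machine and confirm that both SHA256 values and both SIZE values match what is posted here.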
Re: Security update textproc/wkhtmltopdf-0.12.3.2
On Thu, Jul 28, 2016 at 12:54:52PM +0100, Stuart Henderson wrote:
> On 2016/07/28 01:02, Tinker wrote:
> > On 2016-07-27 16:36, Frank Groeneveld wrote:
> > > Attached patch updates wkhtmltopdf to the latest release. Some important
> > > security fixes (OpenSSL updates) were added ..
> >
> > Can't it use the system's LibreSSL version??
> >
>
> I'm pretty sure it is, otherwise we wouldn't have needed the OPENSSL_NO_SSL3
> patches.

Yes, it doesn't use the bundled OpenSSL version, sorry for the confusion.
It seems the 0.12.3.1 and 0.12.3.2 releases are mostly done for Windows
users which do use the bundled OpenSSL:
https://github.com/wkhtmltopdf/wkhtmltopdf/releases/tag/0.12.3.2
https://github.com/wkhtmltopdf/wkhtmltopdf/releases/tag/0.12.3.1

Other platforms only need the fixes that were done in 0.12.3, which
according to the changelog, don't include security fixes:
https://github.com/wkhtmltopdf/wkhtmltopdf/releases/tag/0.12.3

I'll bring this patch up again after the lock is removed, because
without security issues there is no rush for this port update.

Frank
Re: Security update textproc/wkhtmltopdf-0.12.3.2
On 2016/07/28 01:02, Tinker wrote:
> On 2016-07-27 16:36, Frank Groeneveld wrote:
> > Attached patch updates wkhtmltopdf to the latest release. Some important
> > security fixes (OpenSSL updates) were added ..
>
> Can't it use the system's LibreSSL version??
>

I'm pretty sure it is, otherwise we wouldn't have needed the OPENSSL_NO_SSL3
patches.
Re: Security update textproc/wkhtmltopdf-0.12.3.2
On 2016-07-27 16:36, Frank Groeneveld wrote:
> Attached patch updates wkhtmltopdf to the latest release. Some important
> security fixes (OpenSSL updates) were added ..

Can't it use the system's LibreSSL version??
Re: Security update textproc/wkhtmltopdf-0.12.3.2
On Wed, Jul 27, 2016 at 10:59:45AM +0200, Rafael Sadowski wrote: > > ? wkhtmltopdf-0.12.3.2.patch > > Remove it and create new diff. Attached. > > -GH_TAGNAME = 0.12.2.4 > > -REVISION = 3 > > -QT_COMMIT =7e48a1fac7e0f9aefccd01e9871f987da3a62fda > > +GH_TAGNAME = 0.12.3.2 > > +QT_COMMIT =8dae19a82231e87366d81c683bafcb025aea9c1d > > QT_COMMIT is wrong but it works because GH_TAGNAME is set. You can > remove QT_COMMIT. Have a look at the full file, we're actually gathering two seperate projects on Github and merging those in one build. The patched QT doesn't have git tags, so that's why we have a ref there. Frank Index: Makefile === RCS file: /cvs/ports/textproc/wkhtmltopdf/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile3 Apr 2016 14:20:03 - 1.8 +++ Makefile27 Jul 2016 08:26:08 - @@ -7,9 +7,8 @@ COMMENT = convert HTML to PDF using Web GH_ACCOUNT = wkhtmltopdf GH_PROJECT = wkhtmltopdf -GH_TAGNAME = 0.12.2.4 -REVISION = 3 -QT_COMMIT =7e48a1fac7e0f9aefccd01e9871f987da3a62fda +GH_TAGNAME = 0.12.3.2 +QT_COMMIT =8dae19a82231e87366d81c683bafcb025aea9c1d MASTER_SITES0 =https://github.com/wkhtmltopdf/qt/archive/ DISTFILES =${DISTNAME}.tar.gz \ wkhtmltopdf-qt-${QT_COMMIT}{${QT_COMMIT}}.tar.gz:0 Index: distinfo === RCS file: /cvs/ports/textproc/wkhtmltopdf/distinfo,v retrieving revision 1.2 diff -u -p -r1.2 distinfo --- distinfo6 Jan 2016 16:50:35 - 1.2 +++ distinfo27 Jul 2016 08:26:08 - 
@@ -1,4 +1,4 @@ -SHA256 (wkhtmltopdf-0.12.2.4.tar.gz) = 27AWbpzhkeeH6QlgHkzbrnEGnylpM2Lt9c19TUREcog= -SHA256 (wkhtmltopdf-qt-7e48a1fac7e0f9aefccd01e9871f987da3a62fda.tar.gz) = 0uxGcEwKVGE7Wlhv/0bSRZLFCiYYJJTxqkmKy0aLwlQ= -SIZE (wkhtmltopdf-0.12.2.4.tar.gz) = 127595 -SIZE (wkhtmltopdf-qt-7e48a1fac7e0f9aefccd01e9871f987da3a62fda.tar.gz) = 173043701 +SHA256 (wkhtmltopdf-0.12.3.2.tar.gz) = chUj74fMuTe/NxSt4ZsRL0y4os2EDjSzDybuJixB/hY= +SHA256 (wkhtmltopdf-qt-8dae19a82231e87366d81c683bafcb025aea9c1d.tar.gz) = w7Fa4y044TfRu3BSWGNK+CFzbANS6VIVCk01NrjISl4= +SIZE (wkhtmltopdf-0.12.3.2.tar.gz) = 128050 +SIZE (wkhtmltopdf-qt-8dae19a82231e87366d81c683bafcb025aea9c1d.tar.gz) = 173040690
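Review bot: QT_COMMIT in the Makefile hunk is easy to misread as redundant with GH_TAGNAME, but the unchanged DISTFILES line builds the second distfile name from it and MASTER_SITES0 points at github.com/wkhtmltopdf/qt, a different repository from GH_PROJECT. Add a one-line comment above QT_COMMIT stating that it pins the patched Qt tree, which has no tags, so the variable is not removed in a later cleanup.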
Security update textproc/wkhtmltopdf-0.12.3.2
Attached patch updates wkhtmltopdf to the latest release. Some important security fixes (OpenSSL updates) were added and some minor bugfixes are included as well. I've tested this in production on our servers and the produced PDF files seem to be visually identical. Can this be included in 6.0 or should it wait? Frank ? wkhtmltopdf-0.12.3.2.patch Index: Makefile === RCS file: /cvs/ports/textproc/wkhtmltopdf/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile3 Apr 2016 14:20:03 - 1.8 +++ Makefile27 Jul 2016 08:26:08 - @@ -7,9 +7,8 @@ COMMENT = convert HTML to PDF using Web GH_ACCOUNT = wkhtmltopdf GH_PROJECT = wkhtmltopdf -GH_TAGNAME = 0.12.2.4 -REVISION = 3 -QT_COMMIT =7e48a1fac7e0f9aefccd01e9871f987da3a62fda +GH_TAGNAME = 0.12.3.2 +QT_COMMIT =8dae19a82231e87366d81c683bafcb025aea9c1d MASTER_SITES0 =https://github.com/wkhtmltopdf/qt/archive/ DISTFILES =${DISTNAME}.tar.gz \ wkhtmltopdf-qt-${QT_COMMIT}{${QT_COMMIT}}.tar.gz:0 Index: distinfo === RCS file: /cvs/ports/textproc/wkhtmltopdf/distinfo,v retrieving revision 1.2 diff -u -p -r1.2 distinfo --- distinfo6 Jan 2016 16:50:35 - 1.2 +++ distinfo27 Jul 2016 08:26:08 - @@ -1,4 +1,4 @@ -SHA256 (wkhtmltopdf-0.12.2.4.tar.gz) = 27AWbpzhkeeH6QlgHkzbrnEGnylpM2Lt9c19TUREcog= -SHA256 (wkhtmltopdf-qt-7e48a1fac7e0f9aefccd01e9871f987da3a62fda.tar.gz) = 0uxGcEwKVGE7Wlhv/0bSRZLFCiYYJJTxqkmKy0aLwlQ= -SIZE (wkhtmltopdf-0.12.2.4.tar.gz) = 127595 -SIZE (wkhtmltopdf-qt-7e48a1fac7e0f9aefccd01e9871f987da3a62fda.tar.gz) = 173043701 +SHA256 (wkhtmltopdf-0.12.3.2.tar.gz) = chUj74fMuTe/NxSt4ZsRL0y4os2EDjSzDybuJixB/hY= +SHA256 (wkhtmltopdf-qt-8dae19a82231e87366d81c683bafcb025aea9c1d.tar.gz) = w7Fa4y044TfRu3BSWGNK+CFzbANS6VIVCk01NrjISl4= +SIZE (wkhtmltopdf-0.12.3.2.tar.gz) = 128050 +SIZE (wkhtmltopdf-qt-8dae19a82231e87366d81c683bafcb025aea9c1d.tar.gz) = 173040690
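Review bot: the line "? wkhtmltopdf-0.12.3.2.patch" ahead of "Index: Makefile" shows the diff was generated while the patch file itself was sitting in the port directory. Remove that file and regenerate the diff so the submission carries only the Makefile and distinfo changes.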