Re: [Sks-devel] spodhuis keyserver down, pending OCaml CVE updates
From: Phil Pennock
Subject: Re: [Sks-devel] spodhuis keyserver down, pending OCaml CVE updates
Date: Thu, 8 Mar 2018 19:18:35 -0500
On 2017-10-03 at 17:28 -0400, Phil Pennock wrote:
> TL;DR: sks-peer.spodhuis.org down until further notice, when I get time
> to investigate properly. Down by administrator action. No need to
> deconfigure peering.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> This appears to have been publicly discussed in April 2016, but not
> patched for that OS until today. I'm on FreeBSD. My OCaml is 4.02.3.
It's been a lot longer than expected, but sks-peer.spodhuis.org is
peering again and is all caught up.
Grotty details follow, including details of compiling with newer OCaml.
FreeBSD is still packaging for Ports ocaml-4.02.3, which generates code
susceptible to overflow attacks. The bug I filed,
<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223039>, has seen no
activity. I do not know enough about the OCaml ecosystem to be
confident taking on the work myself, to upgrade the compiler without
fallout for other packages. Having since rebuilt SKS on a newer
version, I know that there will be breakages. OCaml's stdlib makes
backwards-incompatible changes.
I built and installed OCaml 4.05 using "ocamlbrew", which promptly
failed to install just over half of the extra packages because lwt_react
depends upon internals of lwt which were deliberately broken ... "March
2018". But it got me ocaml and opam. I then spent a lot of time trying
to get `gmake dep` to work, trying to figure out what the right
combination of invocation options was to get the pre-processing to work,
before finally realizing that no, `camlp4` really wasn't installed: opam
had installed a *stub*, because it hadn't installed ocaml, thus the ocaml
was "system" and came with camlp4, while ocamlbrew also didn't install,
leaving that to be a packaging system. When I see `+system` at the end
of a package version, I don't normally conclude "stub, nothing present".
After a <configure/make/make install> cycle of camlp4, it suddenly
became possible to start actually compiling SKS. The code patches
needed were adding `~cloexec:true` to every `Unix.socket` instantiation.
Mostly because Kristian had already done a bunch of ocamlfind stuff for
me.
I'm still using my long keyids patch, but merged in current upstream
changes. The exact code is available at
<https://bitbucket.org/philpennock/sks-keyserver-philp>.
I don't know mercurial well enough to do proper pull requests again
for the long keyid support. Heck, I can't even install Mercurial in the
Jail where SKS is right now, because to get better crypto for nginx it's
got my "OpenSSL 1.1.0 + Python3" package combination and Mercurial is
still Python2-only.
Full keydump after catchup at:
<http://pennocktech-pgp-keydumps.s3-website.us-east-2.amazonaws.com/20180308/>
-Phil
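The `~cloexec:true` change mentioned above, shown as an added example rather than code from Phil's SKS tree: the `?cloexec` argument to `Unix.socket` arrived in OCaml 4.05, so the same end state on an older compiler such as 4.02.3 has to be reached with `Unix.set_close_on_exec` after the descriptor exists. The port, backlog and loopback bind are assumptions for the demo.

```ocaml
(* Added example, not code from the SKS repository. Marking a socket
   close-on-exec at creation time means no child process the program
   later execs inherits the descriptor, so a peer or listening socket
   cannot leak to, or be held open by, an unrelated program. *)

(* Preferred form on OCaml >= 4.05: the descriptor is created with the
   flag already set, so there is no window between socket() and a later
   fcntl() in which a concurrent fork could inherit it. *)
let listen_socket ~port =
  let fd = Unix.socket ~cloexec:true Unix.PF_INET Unix.SOCK_STREAM 0 in
  Unix.setsockopt fd Unix.SO_REUSEADDR true;
  Unix.bind fd (Unix.ADDR_INET (Unix.inet_addr_loopback, port));
  Unix.listen fd 16;
  fd

(* Equivalent for compilers older than 4.05 (e.g. the 4.02.3 that
   FreeBSD Ports still carries): set the flag after the fact. Same end
   state, but racy against fork in a multi-threaded program. *)
let listen_socket_legacy ~port =
  let fd = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in
  Unix.set_close_on_exec fd;
  Unix.setsockopt fd Unix.SO_REUSEADDR true;
  Unix.bind fd (Unix.ADDR_INET (Unix.inet_addr_loopback, port));
  Unix.listen fd 16;
  fd

let () =
  (* 11371 is the HKP port SKS serves on; loopback only for this demo. *)
  let fd = listen_socket ~port:11371 in
  Printf.printf "listening on 127.0.0.1:11371 with close-on-exec set\n%!";
  Unix.close fd
```

Build with `ocamlfind ocamlopt -package unix -linkpkg cloexec.ml -o cloexec`; on a 4.02.3 compiler the first function fails to type-check because the labelled argument does not exist there, which is exactly the breakage the message describes.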