From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 280238] security/crowdsec-firewall-bouncer: not WITH_PIE safe
Date: Mon, 15 Jul 2024 09:38:05 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Who: netchild@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Flags: maintainer-feedback?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280238

--- Comment #2 from Alexander Leidinger ---
(In reply to marco from comment #1)

PIE_UNSAFE means it is not building when WITH_PIE is set. It is not meant to mean that it is unsafe to run it with PIE, in case this is your concern.

The article itself is what I found when googling for PIE and golang, so it may not be 100% matching, but at least it gives an idea that it is not trivial to get it working with golang.

I stumbled upon this because I want to try crowdsec and I compile every port with WITH_PIE (and others) by default. The idea of compiling with PIE is to make ASLR work (
* https://man.freebsd.org/cgi/man.cgi?query=mitigations
* https://mropert.github.io/2018/02/02/pic_pie_sanitizers/
).

The problem when compiling the firewall-bouncer with PIE is that a dependency is not compiled with PIE. As I build all ports with PIE and have not excluded any golang port, and the go.mk has some kind of pie support, my first assumption would be that it is something inside the port itself which doesn't inherit the --buildmode=pie.

I haven't done anything with golang at all, so my workaround for my systems is to add PIE_UNSAFE to the port (via setting it in make.conf for this particular port).

I could add the PIE_UNSAFE variable in the port Makefile now, or you could add it with the next update, or you could have a look why the firewall-bouncer doesn't build correctly when PIE is enabled. Do you have any preference in this regard or other ideas?

Bye,
Alexander.
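
Added example, not part of the bug report or of the port: since a PIE_UNSAFE workaround leaves the bouncer without a randomised image base, a small Go check like this one can confirm which installed binaries really are PIE. The names LooksPIE and constructedELF are hypothetical, the ET_DYN plus PT_INTERP test is a heuristic assumed here, and the ELF images are constructed sample data.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// LooksPIE reports whether an ELF image is a position-independent executable.
// Heuristic assumed by this example: type ET_DYN plus a PT_INTERP segment.
func LooksPIE(r io.ReaderAt) (bool, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return false, err
	}
	for _, p := range f.Progs {
		// ET_EXEC is linked for a fixed address; ET_DYN without an
		// interpreter segment is an ordinary shared library.
		if f.Type == elf.ET_DYN && p.Type == elf.PT_INTERP {
			return true, nil
		}
	}
	return false, nil
}

// constructedELF builds a minimal ELF64 little-endian image (sample data made
// up for this example): a file header, PT_LOAD and optionally PT_INTERP.
func constructedELF(dyn, interp bool) []byte {
	progs := []elf.Prog64{{Type: uint32(elf.PT_LOAD), Flags: uint32(elf.PF_R | elf.PF_X)}}
	if interp {
		progs = append(progs, elf.Prog64{Type: uint32(elf.PT_INTERP)})
	}
	h := elf.Header64{
		Ident: [elf.EI_NIDENT]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:  uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: uint16(len(progs)), Shentsize: 64,
	}
	if dyn {
		h.Type = uint16(elf.ET_DYN)
	}
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, h)
	binary.Write(&b, binary.LittleEndian, progs)
	return b.Bytes()
}

func main() {
	fmt.Println(LooksPIE(bytes.NewReader(constructedELF(false, true))))
}
```

For a real binary, pass an opened *os.File to LooksPIE; it satisfies io.ReaderAt.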