Subject: pkg/24161: security/openssl/buildlink[23].mk sets SSLCERTS inappropriately
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <grant@NetBSD.org>
List: netbsd-bugs
Date: 01/20/2004 14:33:40
>Number:         24161
>Category:       pkg
>Synopsis:       security/openssl/buildlink[23].mk sets SSLCERTS inappropriately
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 20 03:34:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     grant beattie
>Release:        Linux 2.4.22
>Organization:
>Environment:
System: Linux liz 2.4.22 #4 Tue Nov 25 02:19:06 EST 2003 i686 unknown unknown GNU/Linux
Architecture: i386
Machine: i386
>Description:
packages which use openssl/buildlink2.mk get an inappropriate
value of SSLCERTS where the base system's OpenSSL is adequate on
systems other than NetBSD, e.g. on Linux:

===> Extracting for stunnel-4.04nb2
==========================================================================
The following variables will affect the build process of this package,
stunnel-4.04nb2.  Their current value is shown below:

        * SSLBASE = /usr
        * SSLCERTS = /usr/pkg/etc/openssl/certs

this is because BUILDLINK_PREFIX.openssl=/usr, but this is not
checked when assigning SSLCERTS, so the logic below hits the
catch-all:

.if defined(PKG_SYSCONFDIR.openssl)
SSLCERTS=		${PKG_SYSCONFDIR.openssl}/certs
.elif ${OPSYS} == "NetBSD"
SSLCERTS=		/etc/openssl/certs
.else
SSLCERTS=		${PKG_SYSCONFBASEDIR}/openssl/certs
.endif

pkgsrc should probably only ever use ${PKG_SYSCONF...} if it is
actually using pkgsrc OpenSSL. and even then, if the system has
OpenSSL in base, SSLCERTS should always default to the base system's
certs dir. if it doesn't, and OpenSSL in pkgsrc gets updated, the base
system's OpenSSL may be considered too old, and the value of SSLCERTS
will change, breaking existing installations.

openssl/buildlink3.mk has a similar issue.

>How-To-Repeat:
"cd security/stunnel; make" on a non-NetBSD system with an acceptable
OpenSSL in base system.

>Fix:
munge the logic above to consider base system OpenSSL and set SSLCERTS
to an appropriate directory. on my Linux system, this is
/etc/ssl/certs.
>Release-Note:
>Audit-Trail:
>Unformatted:
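
The following BSD make fragment is an added example, not part of the report and not pkgsrc's actual fix. It evaluates the logic quoted in the description next to one possible reordering that checks BUILDLINK_PREFIX.openssl first. The names _BASE_SSLCERTS, SSLCERTS.current, SSLCERTS.proposed and show-sslcerts are hypothetical, and treating a prefix of /usr as "base system OpenSSL" is an assumption taken from the SSLBASE value shown above.

```make
# Run with BSD make (not GNU make):
#   bmake -f sslcerts-example.mk
#   bmake -f sslcerts-example.mk BUILDLINK_PREFIX.openssl=/usr/pkg
# Constructed defaults reproducing the Linux case from the report.
OPSYS?=				Linux
BUILDLINK_PREFIX.openssl?=	/usr
PKG_SYSCONFBASEDIR?=		/usr/pkg/etc

# Logic as quoted in the report: the prefix is never consulted, so a
# non-NetBSD system with base OpenSSL falls through to the catch-all.
.if defined(PKG_SYSCONFDIR.openssl)
SSLCERTS.current=	${PKG_SYSCONFDIR.openssl}/certs
.elif ${OPSYS} == "NetBSD"
SSLCERTS.current=	/etc/openssl/certs
.else
SSLCERTS.current=	${PKG_SYSCONFBASEDIR}/openssl/certs
.endif

# Hypothetical per-OS base certs directory. Only the two values that
# appear in the report are listed; other systems stay undefined.
.if ${OPSYS} == "NetBSD"
_BASE_SSLCERTS=		/etc/openssl/certs
.elif ${OPSYS} == "Linux"
_BASE_SSLCERTS=		/etc/ssl/certs
.endif

# Possible reordering: when the base system's OpenSSL is in use and its
# certs directory is known, use that directory; only otherwise fall back
# to the pkgsrc configuration directories.
.if ${BUILDLINK_PREFIX.openssl} == "/usr" && defined(_BASE_SSLCERTS)
SSLCERTS.proposed=	${_BASE_SSLCERTS}
.elif defined(PKG_SYSCONFDIR.openssl)
SSLCERTS.proposed=	${PKG_SYSCONFDIR.openssl}/certs
.else
SSLCERTS.proposed=	${PKG_SYSCONFBASEDIR}/openssl/certs
.endif

show-sslcerts: .PHONY
	@echo "OPSYS=${OPSYS} BUILDLINK_PREFIX.openssl=${BUILDLINK_PREFIX.openssl}"
	@echo "quoted logic:    SSLCERTS=${SSLCERTS.current}"
	@echo "reordered logic: SSLCERTS=${SSLCERTS.proposed}"
```

This covers only the case where the base OpenSSL is the one being linked; the report's further suggestion, defaulting to the base certs directory even when pkgsrc OpenSSL is used, is not modelled here.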