1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-25 07:49:18 +00:00

Reduce overlinking

The framework now ensure by itself that pthread is added to the link chain
as the last component if linked to kerberos hence avoid with out any explicit
addition prevent issue like CVE-2014-8475
This commit is contained in:
Baptiste Daroussin 2014-11-25 22:25:13 +00:00
parent 4c5e7118db
commit ff75e00737
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=275083
12 changed files with 10 additions and 33 deletions

View File

@ -41,7 +41,6 @@ CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
LIBADD+= gssapi krb5 hx509 asn1 com_err md roken
.endif
.if ${MK_OPENSSH_NONE_CIPHER} != "no"

View File

@ -21,8 +21,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIBADD+= crypto crypto z
.include <bsd.prog.mk>
.PATH: ${SSHDIR}

View File

@ -17,7 +17,7 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIBADD+= crypt crypto z
LIBADD+= crypto
.include <bsd.prog.mk>

View File

@ -21,7 +21,7 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIBADD+= crypt crypto z
LIBADD+= crypto
.include <bsd.prog.mk>

View File

@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIBADD+= crypt crypto z
.include <bsd.prog.mk>
.PATH: ${SSHDIR}

View File

@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIABDD+= crypt crypto z
.include <bsd.prog.mk>
.PATH: ${SSHDIR}

View File

@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIBADD+= crypt crypto z
.include <bsd.prog.mk>
.PATH: ${SSHDIR}

View File

@ -20,7 +20,7 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIBADD+= crypt crypto z
LIBADD+= crypto
.include <bsd.prog.mk>

View File

@ -15,10 +15,9 @@ LIBADD= ssh
.if ${MK_LDNS} != "no"
CFLAGS+= -DHAVE_LDNS=1
LIBADD+= ldns
.endif
LIBADD+= crypt crypto z
LIBADD+= crypto
.include <bsd.prog.mk>

View File

@ -15,8 +15,6 @@ CFLAGS+= -DHAVE_LDNS=1
#USEPRIVATELIB+= ldns
.endif
LIBADD+= crypt crypto z
.include <bsd.prog.mk>
.PATH: ${SSHDIR}

View File

@ -15,11 +15,10 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
SRCS+= gss-genr.c
LIBADD= ssh util
LIBADD= ssh
.if ${MK_LDNS} != "no"
CFLAGS+= -DHAVE_LDNS=1
LIBADD+= ldns
.endif
.if ${MK_KERBEROS_SUPPORT} != "no"
@ -31,7 +30,7 @@ LIBADD+= gssapi
CFLAGS+= -DNONE_CIPHER_ENABLED
.endif
LIBADD+= crypt crypto z
LIBADD+= crypto
.if defined(LOCALBASE)
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"

View File

@ -25,7 +25,8 @@ SRCS+= gss-genr.c
MAN= sshd.8 sshd_config.5
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
LIBADD= ssh util wrap pam
# pam should always happen before ssh here for static linking
LIBADD= pam ssh util wrap
.if ${MK_LDNS} != "no"
CFLAGS+= -DHAVE_LDNS=1
@ -41,25 +42,14 @@ LIBADD+= bsm
.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
LIBADD+= gssapi_krb5 gssapi krb5 hx509 asn1 com_err roken wind heimbase \
heimipcc
LIBADD+= gssapi_krb5 gssapi krb5
.endif
.if ${MK_OPENSSH_NONE_CIPHER} != "no"
CFLAGS+= -DNONE_CIPHER_ENABLED
.endif
LIBADD+= crypt crypto z
# Fix the order of NEEDED entries for libthr and libc. The libthr
# needs to interpose libc symbols, leaving the libthr loading as
# dependency of krb causes reversed order and broken interposing. Put
# the threading library last on the linker command line, just before
# the -lc added by a compiler driver.
# XXX In theory the framework now takes care of that, it needs to be checked
.if ${MK_KERBEROS_SUPPORT} != "no"
LIBADD+= pthread
.endif
LIBADD+= crypto
.if defined(LOCALBASE)
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"