timlegge
commented
3 months ago Thanks. I have limited access to macros but I am happy to apply patches. I will see if I can determine the cause when I get access to macros again.
Closed lukaso closed 3 months ago
timlegge
commented
3 months ago Thanks. I have limited access to macros but I am happy to apply patches. I will see if I can determine the cause when I get access to macros again.
timlegge
commented
3 months ago @lukaso Can you clarify? https://trac.macports.org/ticket/65496 seems to reference version 0.004001 2018-05-19T19:58+01:00 which included Brotli library to v1.0.4 (https://trac.macports.org/attachment/ticket/65496/main.log)
That version is not the latest and includes Brotli library v1.0.4 which is vulnerable to CVE-2020-8927
If you are indeed using https://metacpan.org/release/MGV/IO-Compress-Brotli-0.004001 please update to the latest version (0.17)
lukaso
commented
3 months ago Hi, you are right. After posting this I tried the upgraded version but ran into a problem with CMake (but that might be a MacPorts specific problem). Feel free to close this for now because it's might be a MacPorts problem. Sorry for the disturbance.
ryandesign
commented
1 month ago I tried the upgraded version but ran into a problem with CMake
You didn't mention what the problem was, but when I tried your updated Portfile the build blew up completely because MacPorts builds in parallel by default (e.g. make -j8 -w all) which caused this build system to start three simultaneous cmake processes, each trying to build the bundled brotli and stepping on each other's toes, finally failing with the unintelligible error messages (twice each):
CMake Error at /opt/local/share/cmake-3.29/Modules/CMakeDetermineSystem.cmake:218 (configure_file):
No such file or directory
Call Stack (most recent call first):
CMakeLists.txt:11 (project)CMake Error at /opt/local/share/cmake-3.29/Modules/CMakeDetermineCCompiler.cmake:231 (configure_file):
No such file or directory
Call Stack (most recent call first):
CMakeLists.txt:11 (project)CMake Error at /opt/local/share/cmake-3.29/Modules/CTestTargets.cmake:39 (configure_file):
No such file or directory
Call Stack (most recent call first):
/opt/local/share/cmake-3.29/Modules/CTest.cmake:264 (include)
CMakeLists.txt:233 (include)This is a perl-IO-Compress-Brotli bug, not a MacPorts bug.
Disabling parallel building worked around the problem and I'll commit the update to MacPorts shortly.
timlegge
commented
1 month ago @ryandesign thank you for that as a number of people have reported issues. I am happy to fix the issue in the module but I don't have regular access to a Mac and I don't really know where to start. However, I will check to see if "make -j8 -w all" will cause the issue on Linux and if so I may be able to track down how to replicate and fix.
There appears to be some form of race condition. The condition is improved when disabling parallel builds, but not eliminated.
https://trac.macports.org/ticket/65496