contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
In default configuration OpenSSL loads config from
certain location on disk, for example
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf
which may pose a security risk.
There is "no-autoload-config" config option for OpenSSL
which disables this functionality:
https://github.com/openssl/openssl/pull/5959
however it is not "exported" to vcpkg.
This adds openssl port overlay which sets "no-autoload-config"
config option. Here is the diff (indented with "!" to avoid
confusing "git am"):
! diff --git a/ports/openssl/windows/portfile.cmake
! b/ports/openssl/windows/portfile.cmake
! index
7a3bf08ed..
c873eb756 100644
! --- a/ports/openssl/windows/portfile.cmake
! +++ b/ports/openssl/windows/portfile.cmake
! @@ -21,6 +21,7 @@ set(CONFIGURE_OPTIONS
! enable-capieng
! no-ssl2
! no-tests
! + no-autoload-config
! -utf-8
! ${OPENSSL_SHARED}
! )
There is also corresponsing PR to vcpkg:
https://github.com/microsoft/vcpkg/pull/18389
When above PR is merged, this port overlay can be removed.
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
20210617061259.297-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22569.html
(cherry picked from commit
84d5079b0f40387317b348025c99097f7876807a)
projects / thirdparty / openvpn.git / commit
