Seems today is #FreeBSD SA day. I will merge the fixes into the #HardenedBSD quarterly branches and kick off new builds tonight.
#HardenedBSD applies the following compiler flags to #OpenSSL in the base operating system:
-ftrivial-auto-var-init=zero
-fsanitize=safe-stack
-fzero-call-used-regs=used
The OpenSSL port (in the HardenedBSD ports tree exclusively) only enables the first option.
I wonder if the combination of these features would mitigate the OpenSSL stack-based buffer overflow vulnerability announced today. I hope to answer that question this evening unless someone else beats me to it.
For reference: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467
@lattera I guess safe-stack would mitigate it, but so would have -fstack-protector, which I guess most distros have in defaults these days.
Although if you could somehow get past the initial canary on `evp_cipher_get_asn1_aead_params` and its caller and ended up in https://github.com/openssl/openssl/blob/master/crypto/cms/cms_enc.c#L102, smashing one of the EVP_CIPHER pointers may require control flow integrity to catch, since that contains a bunch of function pointers.
@neverpanic HardenedBSD also applies -fstack-protector-all and -D_FORTIFY_SOURCE=2 in addition to the others already mentioned. I probably should've included that core bit of info.