[Bug 3604] New: Building OpenSSH fails with zlib1.3 installed

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Aug 19 04:03:30 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3604

            Bug ID: 3604
           Summary: Building OpenSSH fails with zlib1.3 installed
           Product: Portable OpenSSH
           Version: 9.4p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Build system
          Assignee: unassigned-bugs at mindrot.org
          Reporter: fabian at wenks.ch

Running on macOS 13.5 (Ventura) with MacPorts, but based on the version
check this may affect all OS versions as soon as zlib 1.3 is installed.
I did the upgrades with 'port upgrade outdated', zlib 1.2.13_0 -> 1.3_0
and OpenSSH 9.3p2_0 -> 9.4p1_0 and the update of zlib was done before
openssh: 

 # port installed | grep '^  zlib'
  zlib @1.2.13_0 requested_variants='' platform='darwin 22'
archs='x86_64' date='2023-07-21T19:42:11+0200'
  zlib @1.3_0 (active) requested_variants='' platform='darwin 22'
archs='x86_64' date='2023-08-18T18:40:38+0200'

Building OpenSSH 9.4p1_0 failed with this error:

checking for deflate in -lz... yes
checking for possibly buggy zlib... yes
configure: error: *** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible
your
vendor has fixed these problems without changing the version number. 
If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.

More relevant details out of the config.log:

This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by OpenSSH configure Portable, which was
generated by GNU Autoconf 2.71.  Invocation command line was

  $ ./configure --prefix=/opt/local --with-ssl-dir=/opt/local
--sysconfdir=/opt/local/etc/ssh --with-privsep-path=/var/empty
--with-md5-passwords --with-pid-dir=/opt/local/var/run --with-pam
--mandir=/opt/local/share/man --with-zlib=/opt/local
--without-kerberos5 --with-libedit --with-pie
--with-xauth=/opt/local/bin/xauth --with-ldns --with-audit=bsm
--with-keychain=apple

[...]

configure:10755: checking for zlib
configure:10763: result: yes
configure:10768: checking for zlib.h
configure:10768: /opt/local/bin/clang-mp-15 -c -pipe -Os
-isysroot/Applications/
Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.s
dk -arch x86_64 -pipe -Wunknown-warning-option -Qunused-arguments -Wall
-Wpointe
r-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memacc
ess -Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation
-Wbitwise-inst
ead-of-logical -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv
-fzero-call-used
-regs=used -fno-builtin-memset -fstack-protector-strong
-I/opt/local/include -I/
opt/local/include -DBROKEN_STRNVIS=1 -D__APPLE_SANDBOX_NAMED_EXTERNAL__
-D__APPL
E_API_STRICT_CONFORMANCE -D__APPLE_LAUNCHD__
-isysroot/Applications/Xcode.app/Co
ntents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.sdk
conftest.
c >&5
configure:10768: $? = 0
configure:10768: result: yes

[...]

configure:10809: result: yes
configure:10871: checking for possibly buggy zlib
configure:10911: /opt/local/bin/clang-mp-15 -o conftest -pipe -Os
-isysroot/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.sdk
-arch x86_64 -pipe -Wunknown-warning-option -Qunused-arguments -Wall
-Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-Wmisleading-indentation -Wbitwise-instead-of-logical
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv
-fzero-call-used-regs=used -fno-builtin-memset -fstack-protector-strong
-I/opt/local/include -I/opt/local/include -DBROKEN_STRNVIS=1
-D__APPLE_SANDBOX_NAMED_EXTERNAL__ -D__APPLE_API_STRICT_CONFORMANCE
-D__APPLE_LAUNCHD__
-isysroot/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.sdk
-L/opt/local/lib -L/opt/local/lib -Wl,-headerpad_max_install_names
-Wl,-search_paths_first
-Wl,-syslibroot,/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.sdk
-arch x86_64 -fstack-protector-strong conftest.c -lz  >&5
configure:10911: $? = 0
configure:10911: ./conftest
configure:10911: $? = 1
configure: program exited with status 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME "OpenSSH"
| #define PACKAGE_TARNAME "openssh"
| #define PACKAGE_VERSION "Portable"
| #define PACKAGE_STRING "OpenSSH Portable"
| #define PACKAGE_BUGREPORT "openssh-unix-dev at mindrot.org"

[...]

| #define HAVE_BASENAME 1
| #define WITH_ZLIB 1
| #define HAVE_LIBZ 1
| /* end confdefs.h.  */
| 
| #include <stdio.h>
| #include <stdlib.h>
| #include <zlib.h>
| 
| int
| main (void)
| {
| 
|       int a=0, b=0, c=0, d=0, n, v;
|       n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
|       if (n != 3 && n != 4)
|               exit(1);
|       v = a*1000000 + b*10000 + c*100 + d;
|       fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION,
v);
| 
|       /* 1.1.4 is OK */
|       if (a == 1 && b == 1 && c >= 4)
|               exit(0);
| 
|       /* 1.2.3 and up are OK */
|       if (v >= 1020300)
|               exit(0);
| 
|       exit(2);
| 
|   ;
|   return 0;
| }
configure:10916: result: yes
configure:10919: error: *** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible
your
vendor has fixed these problems without changing the version number. 
If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.


Bugreport at MacPorts: https://trac.macports.org/ticket/67986

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list