Polynomial-C, Retired Dev
Joined: 01 Jun 2003, Posts: 1432, Location: Germany
Posted: Tue Mar 01, 2016 10:45 pm, Post subject: Attention! dev-libs/openssl-1.0.2g breaks ABI!

Hi dear Gentoo people,
today I bumped openssl-1.0.2g into portage without noticing that they changed their ABI in a release that was announced as security update.
This bump breaks nearly all consumers of the libssl.so library (see bug 576128).
In case you still haven't updated to openssl-1.0.2g yet, simply prepare wget so it does not break:
Code: USE="gnutls" emerge -1v wget
Then upgrade openssl and proceed with the steps mentioned below (skip the wget part). Once all packages have been fixed again, recompile wget to link against openssl again.
In case you have already upgraded to openssl-1.0.2g and have broken packages, don't panic! This can be fixed.
First of all, in case net-misc/wget is broken for you and you need to download the source tarball in order to recompile wget, you can try "busybox wget" instead:
Code: FETCHCOMMAND="/bin/busybox wget -O \"\${DISTDIR}/\${FILE}\" \"\${URI}\"" emerge -1v wget
In case you get a "bad address" error message from busybox's wget and you still have access to a web browser, simply download the required wget source tarball from the GNU FTP server and place it in your DISTDIR (usually /usr/portage/distfiles).
Once your wget binary is no longer broken, install the app-portage/gentoolkit package:
Code: emerge -1nv gentoolkit
Now you have the required tool to fix the remaining broken packages:
Code: revdep-rebuild.sh -i -L "libssl\.so.*" -- --exclude=openssl --keep-going
Watch carefully for packages that fail during compilation. Sometimes the ordering of the packages is wrong and then packages get recompiled that have dependencies which are still broken. In this case try to re-emerge such packages once the revdep-rebuild command has finished.
As a last step you should run
Code: revdep-rebuild.sh -i -u -- --keep-going
as the previous revdep-rebuild command might not pick up every libssl consumer (don't ask me why). This command most likely will print false positives or report undefined symbols not related to the openssl update. Just let it run and again watch for failed packages.
Please let me know if this guide is helpful to you.
[edit]Added preparation steps (thanks tamiko)[/edit]
[edit]Added revdep-rebuild search for undefined symbols[/edit]
Stuck. -- desultory
Unstuck 2018-09-25, --kallamej
_________________
The manual said "Requires Windows10 or better" so I installed GNU/Linux...
my portage overlay
Need a stage1 tarball? (Unofficial builds)
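As an added example (not part of Polynomial-C's post, and not code from gentoolkit), the following POSIX shell snippet performs the narrow check that revdep-rebuild does more broadly: it runs `ldd -r` over binaries and shared objects and reports the ones whose unresolved symbols look like OpenSSL exports, so you can see which consumers actually need a rebuild and separate them from the unrelated "undefined symbol" noise the post warns about. The `ldd -r` output in SAMPLE_BROKEN and SAMPLE_OK is constructed, not captured from a real system; the symbol prefix regex (OPENSSL_SYM_RE) and the assumption that the dropped SSLv2_* entry points are the symbols at stake are my own, not something the thread states.

```sh
#!/bin/sh
# Added example: locate libssl consumers that no longer link cleanly.
# `ldd -r` performs relocation processing and prints one line of the form
#   undefined symbol: NAME	(OBJECT)
# for every reference the dynamic linker cannot satisfy. That is the
# symptom of the ABI break discussed in the thread.

# Assumption: unresolved symbols with these prefixes belong to libssl or
# libcrypto (SSLv2_method & co. are the ones that disappeared when SSLv2
# was disabled by default). Adjust the list for your own false positives.
OPENSSL_SYM_RE='^(SSL|ssl|TLS|DTLS|X509|EVP|BIO|CRYPTO|RSA|ERR)'

# Helper used only to build the constructed samples below.
ldd_undef_line() { printf 'undefined symbol: %s\t(%s)\n' "$1" "$2"; }

# Constructed sample: what ldd -r might print for a libcurl built against a
# libssl.so.1.0.0 that still exported SSLv2_*. Not from a real system.
SAMPLE_BROKEN=$(
  printf '\tlibssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0b6c000000)\n'
  printf '\tlibcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0b6b800000)\n'
  ldd_undef_line SSLv2_client_method /usr/lib64/libcurl.so.4
  ldd_undef_line SSLv2_server_method /usr/lib64/libcurl.so.4
  ldd_undef_line SSLv2_method        /usr/lib64/libcurl.so.4
  ldd_undef_line plugin_hook_v1      /usr/lib64/libcurl.so.4   # unrelated noise
)

# Constructed sample of a healthy consumer: no undefined symbols at all.
SAMPLE_OK=$(
  printf '\tlibssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0b6c000000)\n'
  printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0b6b400000)\n'
)

# unresolved_symbols: read ldd -r output on stdin, print each unresolved
# symbol name once, in C-locale order (stable across systems).
unresolved_symbols() {
  awk '/^undefined symbol:/ { print $3 }' | LC_ALL=C sort -u
}

# openssl_unresolved: like unresolved_symbols, but keep only names matching
# OPENSSL_SYM_RE, dropping the unrelated undefined symbols that
# `revdep-rebuild -u` also reports. Prints nothing when there are none.
openssl_unresolved() {
  unresolved_symbols | grep -E "$OPENSSL_SYM_RE" || true
}

# needs_rebuild: exit 0 if the ldd -r output on stdin shows at least one
# unresolved OpenSSL symbol, 1 otherwise.
needs_rebuild() {
  [ -n "$(openssl_unresolved)" ]
}

# scan_files: run ldd -r on every path given as an argument and print
#   <path><TAB><space-separated unresolved OpenSSL symbols>
# for each one that needs a rebuild. Exit status is 0 when nothing is
# broken, 1 when at least one consumer is.
scan_files() {
  rc=0
  for f in "$@"; do
    # Non-ELF files make ldd complain on stderr and print nothing useful.
    out=$(ldd -r "$f" 2>/dev/null || true)
    syms=$(printf '%s\n' "$out" | openssl_unresolved | tr '\n' ' ')
    if [ -n "$syms" ]; then
      printf '%s\t%s\n' "$f" "${syms% }"
      rc=1
    fi
  done
  return "$rc"
}

# When run as a script, scan the paths on the command line, e.g.
#   find /usr/bin /usr/sbin /usr/lib64 -type f | xargs sh check-libssl.sh
if [ "$#" -gt 0 ]; then
  scan_files "$@"
fi
```

To turn the reported paths into packages for `emerge -1`, feed them to `equery belongs` from the gentoolkit package the post has you install; `ldd -r` loads the object through the real dynamic linker, so run it only on files you trust, as you would with any ldd invocation.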
krinn, Watchman
Joined: 02 May 2003, Posts: 7470
Posted: Wed Mar 02, 2016 3:06 pm

Polynomial-C,
- wouldn't it be just easier to package the current wget in order to restore it easily? <quickpkg wget>
- and the whole process could be done without needing to rebuild wget twice: <emerge --update --newuse --deep --with-bdeps=y --fetchonly @world> will download everything; after that, you don't need wget if the package sources are already present when updating for real.
Ant P., Watchman
Joined: 18 Apr 2009, Posts: 6920
Posted: Wed Mar 02, 2016 6:23 pm

Might be a good idea to add "net-misc/curl CURL_SSL: -* gnutls" to a package.use file too, otherwise it uses openssl by default.
I have a policy of disabling/replacing openssl where possible already. Unfortunately there's still a huge amount of packages that won't work at all without this radioactive waste present...
Dr.Willy, Guru
Joined: 15 Jul 2007, Posts: 547, Location: NRW, Germany
Posted: Wed Mar 02, 2016 11:08 pm

What makes you think that gnutls is better in any way, shape or form?
tnt, Veteran
Joined: 27 Feb 2004, Posts: 1222
Posted: Thu Mar 03, 2016 11:14 am

worked for me.
thx!
_________________
gentoo user
Ant P., Watchman
Joined: 18 Apr 2009, Posts: 6920
Posted: Thu Mar 03, 2016 5:38 pm

Dr.Willy wrote: | What makes you think that gnutls is better in any way, shape or form? |
The existence of this thread?
tnt, Veteran
Joined: 27 Feb 2004, Posts: 1222
Posted: Thu Mar 03, 2016 9:26 pm

Ant P. wrote: | Dr.Willy wrote: | What makes you think that gnutls is better in any way, shape or form? | The existence of this thread? |
good one!
_________________
gentoo user
antonlacon, Apprentice
Joined: 27 Jun 2004, Posts: 257
Posted: Thu Mar 03, 2016 10:18 pm

Revdep-rebuild step for undefined symbols is using unstable gentoolkit?
Code:
# revdep-rebuild -i -u
Encountered unrecognized option -u.
revdep-rebuild no longer automatically passes unrecognized options to portage.
Separate emerge-only options from revdep-rebuild options with the -- flag.
For example, revdep-rebuild -v -- --ask
See the man page or revdep-rebuild -h for more detail.
Code:
# emerge -pv gentoolkit
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] app-portage/gentoolkit-0.3.0.9-r2::gentoo PYTHON_TARGETS="python2_7 python3_4 (-pypy) -python3_3"
depontius, Advocate
Joined: 05 May 2004, Posts: 3509

Ant P., Watchman
Joined: 18 Apr 2009, Posts: 6920
Posted: Fri Mar 04, 2016 1:02 am

Note that I very deliberately didn't say anything about gnutls up there other than mentioning it's an option. Both libs suck (unavoidably, because they're implementations of the horrifically brain-damaged X509/SSL/TLS/CA stack), but you can't deny that OpenSSL in particular is most infamous for its black-hole-like properties.
Tony0945, Watchman
Joined: 25 Jul 2006, Posts: 5127, Location: Illinois, USA
Posted: Fri Mar 04, 2016 1:57 pm

Many thanks! I took the easier step of adding >=dev-libs/openssl-1.0.2g to /usr/portage/package.mask/badapps
limn, l33t
Joined: 13 May 2005, Posts: 997
Posted: Fri Mar 04, 2016 3:40 pm

Thank you ccache.
Steffen, Apprentice
Joined: 14 Jul 2002, Posts: 159
Posted: Sat Mar 05, 2016 5:59 am

On my stable amd64 system, I've unmasked openssl-1.0.2g-r2 which seems to be OpenSSL 1.0.2g with re-enabled SSLv2 and thus avoids the ABI break. However, you then have to carefully disable SSLv2 (and while you're at it: SSLv3) in all daemons.
Until the Gentoo developers decide how to handle this situation, I think this is better than continuing to use OpenSSL 1.0.2f.
Dr.Willy, Guru
Joined: 15 Jul 2007, Posts: 547, Location: NRW, Germany
Posted: Sat Mar 05, 2016 2:16 pm

Ant P. wrote: | Note that I very deliberately didn't say anything about gnutls up there other than mentioning it's an option. |
Well yes, you did.
You explicitly said it "might be a good idea to" use gnutls over openssl. Which it is not, because both are a pile of poo. But with gnutls you at least have the option to stay away from it, because almost no packages use it - and it is wise to keep it that way.
Look at the options for CURL_SSL again - and tell me which ones you would actually recommend.
Ant P., Watchman
Joined: 18 Apr 2009, Posts: 6920
Posted: Sat Mar 05, 2016 5:37 pm

If it was a practical choice, I'd rather USE="-ssl"... failing that, I'm waiting for the day I can start using libressl.
And until then, I'll just settle for avoiding the lib where the hardest part of finding an exploit seems to be coming up with a catchy logo and domain name for it.
khayyam, Watchman
Joined: 07 Jun 2012, Posts: 6227, Location: Room 101
Posted: Sat Mar 05, 2016 8:24 pm

Ant P. wrote: | And until then, I'll just settle for avoiding the lib where the hardest part of finding an exploit seems to be coming up with a catchy logo and domain name for it. |
Ant ... I don't know, you also have to think up a suitable name, and choosing between 'sslop', 'sslam' and 'sslut' isn't *that* easy ;)
best ... khay
lutel, Tux's lil' helper
Joined: 19 Oct 2003, Posts: 110, Location: Pomroczna
Posted: Thu Nov 09, 2017 10:21 pm

This thread is more than a year old, dev-libs/openssl-1.0.2m is stable in tree, we should rather move to openssl 1.1.0.
Hu, Moderator
Joined: 06 Mar 2007, Posts: 21602
Posted: Fri Nov 10, 2017 2:25 am

This thread was more than a year old, so why wake it up to make a comment that is not relevant to the original thread? Also, note that openssl-1.1.x is currently both unstable and hard-masked, both for good reason, so many people are not even offered that update.