Gentoo Forums
Attention! dev-libs/openssl-1.0.2g breaks ABI!
Forum Index :: Portage & Programming
Polynomial-C
Developer
Joined: 01 Jun 2003
Posts: 1411
Location: germany

Posted: Tue Mar 01, 2016 10:45 pm    Post subject: Attention! dev-libs/openssl-1.0.2g breaks ABI!

Hi dear Gentoo people,

today I bumped openssl-1.0.2g into portage without noticing that they changed their ABI in a release that was announced as a security update.

This bump breaks nearly all consumers of the libssl.so library (see bug 576128).


In case you still haven't updated to openssl-1.0.2g yet, simply prepare wget to not break:
Code:
USE="gnutls" emerge -1v wget

Then upgrade openssl and proceed with the steps mentioned below (skip the wget part). Once all packages have been fixed again, recompile wget to link against openssl again.


In case you have already upgraded to openssl-1.0.2g and have broken packages, don't panic! This can be fixed.

First of all, in case net-misc/wget is broken for you and you need to download the source tarball in order to recompile wget you can try "busybox wget" instead:
Code:
FETCHCOMMAND="/bin/busybox wget -O \"\${DISTDIR}/\${FILE}\" \"\${URI}\"" emerge -1v wget

In case you get a bad address error message from busybox's wget and you still have access to a web browser, simply download the required wget source tarball from the GNU FTP server and place it in your DISTDIR (usually /usr/portage/distfiles).
Once your wget binary is no longer broken, install the app-portage/gentoolkit package:
Code:
emerge -1nv gentoolkit

Now you have the required tool to fix the remaining broken packages:
Code:
revdep-rebuild.sh -i -L "libssl\.so.*" -- --exclude=openssl --keep-going

Watch carefully for packages that fail during compilation. Sometimes the ordering of the packages is wrong and then packages get recompiled that have dependencies which are still broken. In this case try to re-emerge such packages once the revdep-rebuild command has finished.
As a last step you should run
Code:
revdep-rebuild.sh -i -u -- --keep-going
as the previous revdep-rebuild command might not pick up every libssl consumer (don't ask me why). This command most likely will print false positives or report undefined symbols not related to the openssl update. Just let it run and again watch for failed packages.


Please let me know if this guide is helpful to you.

[edit]Added preparation steps (thanks tamiko)[/edit]
[edit]Added revdep-rebuild search for undefined symbols[/edit]

Stuck. -- desultory
_________________
The manual said "Requires Windows10 or better" so I installed GNU/Linux...

my portage overlay

Need a stage1 tarball? (Unofficial builds)
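As an added example that is not part of the original post, here is a small POSIX shell script that performs the check behind the revdep-rebuild steps above: it classifies `ldd -r` reports and only flags objects that both link libssl.so and have unresolved symbols, so unrelated undefined symbols (the false positives mentioned for the `-u` pass) are ignored. The sample reports, the symbol name and the `--scan` option are constructed for illustration; scanning a real tree needs ldd on the host.

```shell
#!/bin/sh
# Added example (not from the thread): find ELF objects that link libssl.so
# and no longer resolve all their symbols, i.e. the consumers that the
# revdep-rebuild -L "libssl\.so.*" step rebuilds.  It relies on "ldd -r",
# the same unresolved-symbol check behind revdep-rebuild -u.

# Classify one "ldd -r" report: "broken" when the object depends on
# libssl.so AND reports unresolved symbols, "ok" otherwise.  Unresolved
# symbols without a libssl dependency count as "ok": that is the unrelated
# false positive the -u pass is known to print.
classify_ldd_report() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so' &&
       printf '%s\n' "$1" | grep -q 'undefined symbol'; then
        echo broken
    else
        echo ok
    fi
}

# Walk a tree and print paths of broken libssl consumers.  Only regular files
# beginning with the ELF magic (\177ELF) are fed to ldd.
scan_tree() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        magic=$(head -c 4 "$f" 2>/dev/null | od -An -c | tr -d ' ')
        [ "$magic" = "177ELF" ] || continue
        report=$(ldd -r "$f" 2>&1) || true
        [ "$(classify_ldd_report "$report")" = broken ] && printf '%s\n' "$f"
    done
}

# Constructed sample reports in the shape "ldd -r" prints (not real output).
SAMPLE_BROKEN='    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f3a1c000000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f3a1bc00000)
undefined symbol: SSLv2_client_method    (/usr/bin/wget)'
SAMPLE_OK='    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f3a1c000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a1b800000)'
SAMPLE_UNRELATED='    libfoo.so.1 => /usr/lib64/libfoo.so.1 (0x00007f3a1b400000)
undefined symbol: foo_init    (/usr/bin/bar)'

if [ "${1:-}" = "--scan" ]; then
    scan_tree "${2:-/usr/bin}"        # e.g. ./check-libssl.sh --scan /usr/lib64
else
    printf 'wget:      %s\n' "$(classify_ldd_report "$SAMPLE_BROKEN")"
    printf 'clean:     %s\n' "$(classify_ldd_report "$SAMPLE_OK")"
    printf 'unrelated: %s\n' "$(classify_ldd_report "$SAMPLE_UNRELATED")"
fi
```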

krinn
Watchman
Joined: 02 May 2003
Posts: 5981

Posted: Wed Mar 02, 2016 3:06 pm

Polynomial-C,
- wouldn't it be just easier to package the current wget in order to restore it easily? <quickpkg wget>
- and the whole process could be done without needing to rebuild wget twice: <emerge --update --newuse --deep --with-bdeps=y --fetchonly @world> will download everything; next to that, you don't need wget if the package sources are already present when updating for real.

Ant P.
Advocate
Joined: 18 Apr 2009
Posts: 4532

Posted: Wed Mar 02, 2016 6:23 pm

Might be a good idea to add "net-misc/curl CURL_SSL: -* gnutls" to a package.use file too, otherwise it uses openssl by default.

I have a policy of disabling/replacing openssl where possible already. Unfortunately there's still a huge amount of packages that won't work at all without this radioactive waste present...
_________________
*.ebuild // /etc/service/*

Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 414
Location: NRW, Germany

Posted: Wed Mar 02, 2016 11:08 pm

What makes you think that gnutls is better in any way, shape or form?

tnt
Veteran
Joined: 27 Feb 2004
Posts: 1154

Posted: Thu Mar 03, 2016 11:14 am

worked for me.
thx!
_________________
gentoo user

Ant P.
Advocate
Joined: 18 Apr 2009
Posts: 4532

Posted: Thu Mar 03, 2016 5:38 pm

Dr.Willy wrote:
What makes you think that gnutls is better in any way, shape or form?

The existence of this thread?
_________________
*.ebuild // /etc/service/*

tnt
Veteran
Joined: 27 Feb 2004
Posts: 1154

Posted: Thu Mar 03, 2016 9:26 pm

Ant P. wrote:
Dr.Willy wrote:
What makes you think that gnutls is better in any way, shape or form?

The existence of this thread?


good one! :D
_________________
gentoo user

antonlacon
Apprentice
Joined: 27 Jun 2004
Posts: 240

Posted: Thu Mar 03, 2016 10:18 pm

Is the revdep-rebuild step for undefined symbols using unstable gentoolkit?

Code:
#  revdep-rebuild -i -u

Encountered unrecognized option -u.

revdep-rebuild no longer automatically passes unrecognized options to portage.
Separate emerge-only options from revdep-rebuild options with the -- flag.

For example, revdep-rebuild -v -- --ask

See the man page or revdep-rebuild -h for more detail.


Code:
# emerge -pv gentoolkit

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] app-portage/gentoolkit-0.3.0.9-r2::gentoo  PYTHON_TARGETS="python2_7 python3_4 (-pypy) -python3_3"

depontius
Advocate
Joined: 05 May 2004
Posts: 3253

Posted: Thu Mar 03, 2016 11:51 pm

tnt wrote:
Ant P. wrote:
Dr.Willy wrote:
What makes you think that gnutls is better in any way, shape or form?

The existence of this thread?


good one! :D


What to think, what to think.... One quick simple search, top hits:
http://www.zdnet.com/article/gnutls-big-internal-bugs-few-real-world-problems/
http://resources.infosecinstitute.com/vulnerabilities-openssl-gnutls-earthquake-internet-encryption/
https://www.quora.com/How-does-one-decide-between-OpenSSL-GnuTLS-and-Mozillas-NSS
http://stackoverflow.com/questions/7008597/securing-udp-openssl-or-gnutls-or
http://www.pcworld.com/article/2105145/what-you-need-to-know-about-the-gnutls-linux-bug.html
https://news.ycombinator.com/item?id=7347500

Much of this, especially with respect to gnutls is old. The newest revelations are about openssl, but some of the problems with gnutls appear to be at the ABI level, not simply an implementation issue.
_________________
.sigs waste space and bandwidth

Ant P.
Advocate
Joined: 18 Apr 2009
Posts: 4532

Posted: Fri Mar 04, 2016 1:02 am

Note that I very deliberately didn't say anything about gnutls up there other than mentioning it's an option. Both libs suck (unavoidably, because they're implementations of the horrifically brain-damaged X509/SSL/TLS/CA stack), but you can't deny that OpenSSL in particular is most infamous for its black-hole-like properties.
_________________
*.ebuild // /etc/service/*

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 2039
Location: Illinois, USA

Posted: Fri Mar 04, 2016 1:57 pm

Many thanks! I took the easier step of adding >=dev-libs/openssl-1.0.2g to /usr/portage/package.mask/badapps

limn
l33t
Joined: 13 May 2005
Posts: 994

Posted: Fri Mar 04, 2016 3:40 pm

Thank you ccache.

Steffen
Apprentice
Joined: 14 Jul 2002
Posts: 159

Posted: Sat Mar 05, 2016 5:59 am

On my stable amd64 system, I've unmasked openssl-1.0.2g-r2 which seems to be OpenSSL 1.0.2g with re-enabled SSLv2 and thus avoids the ABI break. However, you then have to carefully disable SSLv2 (and while you're at it: SSLv3) in all daemons.

Until the Gentoo developers decide how to handle this situation, I think this is better than continuing to use OpenSSL 1.0.2f.

Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 414
Location: NRW, Germany

Posted: Sat Mar 05, 2016 2:16 pm

Ant P. wrote:
Note that I very deliberately didn't say anything about gnutls up there other than mentioning it's an option.

Well yes, you did.
You explicitly said it "might be a good idea to" use gnutls over openssl. Which it is not, because both are a pile of poo. But with gnutls you at least have the option to stay away from it, because almost no packages use it - and it is wise to keep it that way.
Look at the options for CURL_SSL again - and tell me which ones you would actually recommend.

Ant P.
Advocate
Joined: 18 Apr 2009
Posts: 4532

Posted: Sat Mar 05, 2016 5:37 pm

If it was a practical choice, I'd rather USE="-ssl"... failing that, I'm waiting for the day I can start using libressl.

And until then, I'll just settle for avoiding the lib where the hardest part of finding an exploit seems to be coming up with a catchy logo and domain name for it.
_________________
*.ebuild // /etc/service/*

khayyam
Watchman
Joined: 07 Jun 2012
Posts: 5304
Location: Room 101

Posted: Sat Mar 05, 2016 8:24 pm

Ant P. wrote:
And until then, I'll just settle for avoiding the lib where the hardest part of finding an exploit seems to be coming up with a catchy logo and domain name for it.

Ant ... I don't know, you also have to think up a suitable name, and choosing between 'sslop', 'sslam' and 'sslut' isn't *that* easy ;)

best ... khay

lutel
Tux's lil' helper
Joined: 19 Oct 2003
Posts: 93
Location: Pomroczna

Posted: Thu Nov 09, 2017 10:21 pm

This thread is more than a year old, dev-libs/openssl-1.0.2m is stable in tree, we should rather move to openssl 1.1.0.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 11440

Posted: Fri Nov 10, 2017 2:25 am

This thread was more than a year old, so why wake it up to make a comment that is not relevant to the original thread? Also, note that openssl-1.1.x is currently both unstable and hard-masked, both for good reason, so many people are not even offered that update.