| Summary: | gnutls crypto policy code incompatible with ostree (causes glib-networking/libsoup crashes) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Colin Walters <walters> |
| Component: | gnutls | Assignee: | Nikos Mavrogiannopoulos <nmavrogi> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | danw, dustymabe, mcatanzaro+wrong-account-do-not-cc, mclasen, miabbott, nmavrogi, tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | gnutls-3.5.5-2.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-10-14 05:00:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Colin Walters
2016-10-11 14:09:39 UTC
Oh...because there's a Fedora patch: http://pkgs.fedoraproject.org/cgit/rpms/glib-networking.git/commit/?id=441e95cc5d2531a0cf6f0317a49660497007bd70

And indeed, explicitly specifying:

```
env G_TLS_GNUTLS_PRIORITY='@SYSTEM:NORMAL:%COMPAT:%LATEST_RECORD_VERSION' ./get -c /etc/pki/tls/cert.pem https://google.com
```

crashes as well.

Looks like 205 packages in Fedora 25 require libsoup:

```
$ rpm -q --provides libsoup | cut -f 1 -d ' ' | xargs -I' ' sudo dnf repoquery --whatrequires ' ' | sort | uniq | wc -l
205
```

Potential blocker bug?

Ah, this is a conflict between ostree and gnutls. OSTree uses an mtime of zero for content in /usr/share. But:
```
static time_t system_priority_last_mod = 0;
static void _gnutls_update_system_priorities(void)
{
...
        if (stat(system_priority_file, &sb) < 0) {
                _gnutls_debug_log("unable to access: %s: %d\n",
                                  system_priority_file, errno);
                return;
        }
        if (sb.st_mtime == system_priority_last_mod) {
                _gnutls_debug_log("system priority %s has not changed\n",
                                  system_priority_file);
                return;
        }
```
So if the mtime starts out zero, we never read the file at all.
Testing this patch now:
diff --git a/lib/priority.c b/lib/priority.c
index 0d6b81e..bd4cf25 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -945,7 +945,8 @@ static void _gnutls_update_system_priorities(void)
return;
}
- if (sb.st_mtime == system_priority_last_mod) {
+ if (system_priority_buf != NULL &&
+ sb.st_mtime == system_priority_last_mod) {
_gnutls_debug_log("system priority %s has not changed\n",
system_priority_file);
return;
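Review bot: on the `sb.st_mtime == system_priority_last_mod` line the cache is still validated by mtime alone once the buffer is loaded, so on a tree where the file always has mtime 0 (the OSTree case in this report) a later change to the file's content would not be picked up by a running process. Consider also comparing `sb.st_size` and `sb.st_ino` (or `st_ctime`), and add a short comment above the `system_priority_buf != NULL` test saying that 0 is a valid mtime and so `system_priority_last_mod = 0` cannot double as the "never loaded" marker.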
Worked for me to:

```
ostree admin unlock
rpm -Uvh https://fedorapeople.org/~walters/gnutls-3.5.5-2.atomic.0.fc25.x86_64.rpm
systemctl restart rpm-ostreed
```

gnutls-3.5.5-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9824a9f2ed

gnutls-3.5.5-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
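The stale-cache condition from this report, reduced to a standalone C program. This is an added example, not gnutls code and not part of the original thread. `struct policy_cache`, `refresh()`, `zero_mtime_reads()` and the `SYSTEM=NORMAL` content are hypothetical names and sample data; the file is a constructed temp file whose mtime is forced to 0, as OSTree does for content in /usr/share.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical cache modelled on the excerpt: buf is NULL until loaded. */
struct policy_cache { char data[256]; char *buf; time_t last_mod; };

/* Returns 1 if the file was read, 0 if the cache was kept, -1 on error. */
static int refresh(struct policy_cache *c, const char *path, int patched)
{
    struct stat sb;
    FILE *fp;
    if (stat(path, &sb) < 0)
        return -1;
    /* Original check: mtime only. Patched: also require a loaded buffer. */
    if ((!patched || c->buf != NULL) && sb.st_mtime == c->last_mod)
        return 0;
    if ((fp = fopen(path, "r")) == NULL)
        return -1;
    c->buf = fgets(c->data, sizeof c->data, fp); /* NULL if nothing read */
    c->last_mod = sb.st_mtime;
    fclose(fp);
    return c->buf != NULL ? 1 : -1;
}

/* Two refreshes of a constructed file whose mtime is 0; returns reads done. */
int zero_mtime_reads(int patched)
{
    char path[] = "/tmp/policy-demo-XXXXXX";
    struct timespec ts[2] = { {0, 0}, {0, 0} }; /* atime, mtime = epoch 0 */
    struct policy_cache c = { "", NULL, 0 };    /* last_mod starts at 0 */
    int fd = mkstemp(path), r1 = -1, r2 = -1;
    if (fd < 0)
        return -1;
    if (dprintf(fd, "SYSTEM=NORMAL\n") > 0 && futimens(fd, ts) == 0) {
        r1 = refresh(&c, path, patched);
        r2 = refresh(&c, path, patched);
    }
    close(fd);
    unlink(path);
    return (r1 < 0 || r2 < 0) ? -1 : r1 + r2;
}

int main(void)
{
    printf("original=%d patched=%d\n", zero_mtime_reads(0), zero_mtime_reads(1));
    return 0;
}
```

With the original check the file is never read across both refreshes; with the patched check it is read once and the second refresh keeps the cached copy.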