Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary: | openssl updated to 1.0.0b libguestfs depends on exact file names |
| Product: | [Fedora] Fedora |
| Reporter: | Tomas Mraz <tmraz> |
| Component: | libguestfs |
| Assignee: | Richard W.M. Jones <rjones> |
| Status: | CLOSED ERRATA |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Version: | 12 |
| CC: | andrew.kavalov, dennis, herrold, jwboyer, mbooth, mgoldman, rjones, urkle, virt-maint, web |
| Fixed In Version: | libguestfs-1.2.11-1.fc12.1 |
| Doc Type: | Bug Fix |
| Doc Text: | |
| Story Points: | --- |
| Last Closed: | 2010-11-25 20:04:44 EST |
| Type: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
Description Tomas Mraz 2010-11-18 08:52:13 EST
I've upgraded openssl with a minor patch level update from upstream 1.0.0a->1.0.0b which fixes a potentially serious security vulnerability. Unfortunately the update breaks libguestfs. Would it be possible to modify libguestfs so it does not depend on the full file names, but on the soname file names? There are the /lib64/libcrypto.so.10 and /lib64/.libcrypto.so.10.hmac which are symlinks that can be dereferenced to obtain the full file names. These symlink names will not change in released Fedora versions, as that would of course be an ABI break.
Comment 1 Richard W.M. Jones 2010-11-18 09:18:39 EST
We should just not depend on the hmac files, which is what seems to cause the problem. AIUI they are not useful for general users.

The issue of depending on file paths is discussed here, and nothing has changed since this was written:
http://lists.fedoraproject.org/pipermail/devel/2010-April/134663.html

BTW I'm already doing new builds for F13 and F14:
http://koji.fedoraproject.org/koji/buildinfo?buildID=205415
http://koji.fedoraproject.org/koji/buildinfo?buildID=205413
Comment 2 Tomas Mraz 2010-11-18 09:41:40 EST
Yes, the hmac files are not needed if the system is not run in FIPS mode, which itself is not very useful for regular Fedora users.
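The approach discussed in the description and in comments 1 and 2, as an added example that is not part of the original thread and is not libguestfs code: look the library up through its stable soname symlink, and treat the `.hmac` checksum file as needed only when FIPS mode is on. The versioned file names, the temp-dir layout and all function names are constructed for illustration; `/proc/sys/crypto/fips_enabled` is the Linux kernel's FIPS flag.

```shell
#!/bin/sh
# Added example. Every path is constructed in a temp dir; file names are stand-ins.

# make_layout ROOT VERSION: fake /lib64 as an openssl package might ship it
make_layout() {
    mkdir -p "$1/lib64"
    rm -f "$1"/lib64/libcrypto.so.* "$1"/lib64/.libcrypto.so.*
    : > "$1/lib64/libcrypto.so.$2"
    : > "$1/lib64/.libcrypto.so.$2.hmac"
    ln -s "libcrypto.so.$2" "$1/lib64/libcrypto.so.10"
    ln -s ".libcrypto.so.$2.hmac" "$1/lib64/.libcrypto.so.10.hmac"
}

# resolve_soname DIR SONAME: print the real file behind the stable soname symlink
resolve_soname() {
    readlink -f "$1/$2"
}

# hmac_for DIR SONAME: print the real checksum file, or nothing if none is shipped
hmac_for() {
    if [ -e "$1/.$2.hmac" ]; then
        readlink -f "$1/.$2.hmac"
    fi
}

# fips_enabled FLAGFILE: true only when the flag file contains 1
fips_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# files_needed ROOT FLAGFILE: library always, .hmac only when FIPS mode is on
files_needed() {
    resolve_soname "$1/lib64" libcrypto.so.10
    if fips_enabled "$2"; then
        hmac_for "$1/lib64" libcrypto.so.10
    fi
}

# Demo: the soname lookup keeps working across the 1.0.0a -> 1.0.0b rename.
demo=$(mktemp -d)
for v in 1.0.0a 1.0.0b; do
    make_layout "$demo" "$v"
    echo "openssl $v:"
    files_needed "$demo" /proc/sys/crypto/fips_enabled
done
rm -rf "$demo"
```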
Comment 3 Richard W.M. Jones 2010-11-18 10:38:03 EST
I pushed this patch upstream and into the F13 and F14 branches:
http://git.annexia.org/?p=libguestfs.git;a=commitdiff;h=16e39ac0b8583c60fb1bc3378483b91886ed6f85

New builds:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2608591
http://koji.fedoraproject.org/koji/taskinfo?taskID=2608593
Comment 4 Tomas Mraz 2010-11-18 10:43:40 EST
I made openssl-1.0.0b update for F-12 as well. Is libguestfs requiring the hmac file there or not?
Comment 5 Richard W.M. Jones 2010-11-18 10:55:26 EST
Yes, I think it is. I've kicked off a rebuild for F12 including this patch: http://koji.fedoraproject.org/koji/taskinfo?taskID=2608622
Comment 6 Fedora Update System 2010-11-18 12:20:30 EST
libguestfs-1.6.2-1.fc13.4 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc13.4
Comment 7 Fedora Update System 2010-11-18 12:20:58 EST
libguestfs-1.6.2-1.fc14.4 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4
Comment 8 Fedora Update System 2010-11-18 12:21:35 EST
libguestfs-1.2.11-1.fc12.1 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/libguestfs-1.2.11-1.fc12.1
Comment 9 Fedora Update System 2010-11-18 18:58:55 EST
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libguestfs'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4
Comment 10 Magnus Glantz 2010-11-21 14:05:00 EST
*** Bug 655505 has been marked as a duplicate of this bug. ***
Comment 11 Josh Boyer 2010-11-22 08:33:28 EST
In case you didn't already know, the openssl update is in stable for F12 while libguestfs is still in updates-testing. This leads to broken updates for those with libguestfs installed.
Comment 12 Tomas Mraz 2010-11-22 14:03:45 EST
*** Bug 655937 has been marked as a duplicate of this bug. ***
Comment 13 Fedora Update System 2010-11-22 17:17:21 EST
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Richard W.M. Jones 2010-11-22 17:44:50 EST
Reopen, otherwise it won't appear in some searches. Still waiting for enough karma to push this to F12, F13.
Comment 15 Edward Rudd 2010-11-23 13:11:18 EST
With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b on Fedora 12.

1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64

Failed dependencies:
/usr/lib64/libcrypto.so.10 is needed by (installed) libguestfs-1:1.2.11-1.fc12.1.x86_64
Comment 16 Tomas Mraz 2010-11-23 14:40:52 EST
(In reply to comment #15)
> With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b on
> Fedora 12.
>
> 1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64

Oops, that was an unintentional change in the F12 openssl package caused by my too eager merge with newer branches. I'll correct that in the openssl package.
Comment 17 Richard W.M. Jones 2010-11-23 14:45:23 EST
We can also fix this in libguestfs if you prefer.
Comment 18 Tomas Mraz 2010-11-23 14:52:25 EST
No, this was really an unintentional change and I'm building a fixed openssl package just now.
Comment 19 Tomas Mraz 2010-11-23 15:04:00 EST
Richard, please can you add the new openssl-1.0.0b-1.fc12.1 package to the libguestfs Fedora 12 update so both packages can be updated simultaneously?
Comment 20 Richard W.M. Jones 2010-11-23 15:13:46 EST
With any luck, this is correct ... https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1
Comment 21 Fedora Update System 2010-11-23 16:54:56 EST
libguestfs-1.6.2-1.fc13.4 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 Richard W.M. Jones 2010-11-23 17:50:04 EST
Comment 23 Richard W.M. Jones 2010-11-23 17:51:48 EST
*** Bug 656517 has been marked as a duplicate of this bug. ***
Comment 24 Fedora Update System 2010-11-24 17:37:36 EST
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libguestfs openssl'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1
Comment 25 Edward Rudd 2010-11-25 09:52:36 EST
I can confirm that the new openssl packages install correctly with the updated libguestfs on F12 x86_64.
Comment 26 Fedora Update System 2010-11-25 20:04:39 EST
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.