Bug 1289599 - Regression: unresolved symbol EC_GFp_nistp224_method with openssl-1.0.2e-1.fc23.x86_64
Summary: Regression: unresolved symbol EC_GFp_nistp224_method with openssl-1.0.2e-1.fc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-cryptography
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Matěj Cepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-08 14:16 UTC by Matthew Booth
Modified: 2018-04-11 10:56 UTC (History)
8 users (show)

Fixed In Version: openssl-1.0.2e-3.fc23 python-cryptography-1.2.1-1.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-15 23:24:27 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Matthew Booth 2015-12-08 14:16:02 UTC
Description of problem:
When building the python cryptography library I get unresolved symbols. Specifically, the EC_GFp_nistp224_method symbol is unresolved. If I downgrade to openssl-1.0.2d-2.fc23.x86_64 I do not get unresolved symbols.

As devstack (a development installation of openstack) does this, the impact is that devstack does not work on fully updated Fedora 23.

Version-Release number of selected component (if applicable):
openssl-1.0.2e-1.fc23.x86_64

How reproducible:
Always

Steps to Reproduce:
1. git clone git:pyca/cryptography.git && cd cryptography
2. python setup.py build
3. nm -a build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/_openssl.so | grep EC_GFp_nistp224_method

Actual results:
000000000007d5f0 t _cffi_d_EC_GFp_nistp224_method
000000000007d600 t _cffi_f_EC_GFp_nistp224_method
                 U EC_GFp_nistp224_method

Expected results:
0000000000036d50 t _cffi_d_EC_GFp_nistp224_method
0000000000036f80 t _cffi_f_EC_GFp_nistp224_method
00000000002d7e30 B EC_GFp_nistp224_method

Comment 1 Fedora Update System 2015-12-08 15:46:10 UTC
openssl-1.0.2e-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-ad30810eba

Comment 2 Major Hayden 🤠 2015-12-08 16:40:01 UTC
Just tested with openssl-1.0.2e-3.fc23.x86_64 and I'm still getting the symbol error:

$ python -c "from cryptography.hazmat.backends.openssl.backend import backend"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/major/.pyenv/versions/venv-2.7.10/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/home/major/.pyenv/versions/venv-2.7.10/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 43, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/home/major/.pyenv/versions/venv-2.7.10/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /home/major/.pyenv/versions/venv-2.7.10/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: EC_GFp_nistp224_method

Comment 3 Major Hayden 🤠 2015-12-08 16:42:18 UTC
Sorry, was using a pyenv python version in the last comment.  Same error with built-in Python in F23 and openssl-1.0.2e-3.fc23.x86_64:

$ python -c "from cryptography.hazmat.backends.openssl.backend import backend"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 43, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: EC_GFp_nistp224_method

Comment 4 Tomas Mraz 2015-12-08 17:05:50 UTC
Have you actually rebuilt the python-cryptography against the openssl-1.0.2e-3? The symbol should not be used at all then as I removed it from the headers.

Comment 5 Fedora Update System 2015-12-08 22:57:44 UTC
openssl-1.0.2e-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update openssl'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-ad30810eba

Comment 6 Major Hayden 🤠 2015-12-09 12:56:39 UTC
Yes, I rebuilt cryptography completely (without using the cached wheel) after updating OpenSSL.

Comment 7 Fedora Update System 2015-12-09 20:49:20 UTC
openssl-1.0.2e-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Tomas Mraz 2015-12-10 10:22:45 UTC
So it needs to be solved in python-cryptography. The symbol is not present in the library and it is removed in headers.

Comment 9 Sergio Basto 2015-12-10 22:49:45 UTC
(In reply to Matthew Booth from comment #0)
> Description of problem:
> When building the python cryptography library I get unresolved symbols.

Man!  https://apps.fedoraproject.org/packages/python-cryptography/ 
I report this https://bugzilla.redhat.com/show_bug.cgi?id=1284148

on 2015-11-21  , if you got python-cryptography as a package you shouldn't use upstream source but the fedora package. 

> Specifically, the EC_GFp_nistp224_method symbol is unresolved. If I
> downgrade to openssl-1.0.2d-2.fc23.x86_64 I do not get unresolved symbols.
> 
> As devstack (a development installation of openstack) does this, the impact
> is that devstack does not work on fully updated Fedora 23.
> 
> Version-Release number of selected component (if applicable):
> openssl-1.0.2e-1.fc23.x86_64
> 
> How reproducible:
> Always
> 
> Steps to Reproduce:
> 1. git clone git:pyca/cryptography.git && cd cryptography
> 2. python setup.py build
> 3. nm -a build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/_openssl.so
> | grep EC_GFp_nistp224_method
> 
> Actual results:
> 000000000007d5f0 t _cffi_d_EC_GFp_nistp224_method
> 000000000007d600 t _cffi_f_EC_GFp_nistp224_method
>                  U EC_GFp_nistp224_method
> 
> Expected results:
> 0000000000036d50 t _cffi_d_EC_GFp_nistp224_method
> 0000000000036f80 t _cffi_f_EC_GFp_nistp224_method
> 00000000002d7e30 B EC_GFp_nistp224_method

Comment 10 Matthew Booth 2015-12-11 09:55:52 UTC
(In reply to Sergio Monteiro Basto from comment #9)
> Man!  https://apps.fedoraproject.org/packages/python-cryptography/ 
> I report this https://bugzilla.redhat.com/show_bug.cgi?id=1284148
> 
> on 2015-11-21  , if you got python-cryptography as a package you shouldn't
> use upstream source but the fedora package. 

If you can get devstack to go with that I'll buy you several beers :) They won't, though; that's not how they roll. We just have to deal with it.

Thank you for the fix, btw! Can confirm that python-cryptography no longer contains this symbol at all when built with the updated package.

Comment 11 Fedora Update System 2016-01-11 15:11:09 UTC
python-cryptography-1.2.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8351acc81f

Comment 12 Fedora Update System 2016-01-12 09:52:52 UTC
python-cryptography-1.2.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8351acc81f

Comment 13 Fedora Update System 2016-01-13 21:48:13 UTC
python-cryptography-1.2.1-1.fc23 python-cryptography-vectors-1.2.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8351acc81f

Comment 14 Fedora Update System 2016-01-14 11:26:08 UTC
python-cryptography-1.2.1-1.fc23, python-cryptography-vectors-1.2.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8351acc81f

Comment 15 Fedora Update System 2016-01-15 23:24:20 UTC
python-cryptography-1.2.1-1.fc23, python-cryptography-vectors-1.2.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.