Bug 460305 - libnss-compat-ossl causes crashes when using ldap (symbol conflict with real openssl)
libnss-compat-ossl causes crashes when using ldap (symbol conflict with real ...
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: nss_compat_ossl (Show other bugs)
23
All Linux
medium Severity medium
: ---
: ---
Assigned To: Orphan Owner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-27 10:04 EDT by Hans de Goede
Modified: 2016-12-20 07:01 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-20 07:01:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Hans de Goede 2008-08-27 10:04:32 EDT
The story starts with bug 446860:

This is a bug against gkrellm which crashes when used on systems that use ldap and thus have nss_ldap configured in /etc/nssswitch.conf

The problem basicly goes like this:
-gkrellm is started
-gkrellm is linked against gnutls-openssl, which provides symbols also
 found in openssl for easy porting of openssl applications to gnutls
 (but with a different ABI!)
-gkrellm does something which causes glibc to load ldap_nss, which is build
 against the real openssl, however ldap_nss's openssl symbols get resolved against
 gnutls-openssl
-ldap_nss dives into some path causing it to call openssl functions, but ends
 up in gnutls code, which has a completely different ABI -> boom

I know sofar this is only about gnutls's openldap compatibility, not about
libnss-compat-ossl, but while at I've checked libnss-compat-ossl, and it has the same issue (reusing symbols from openssl for the easy porting of openssl apps).

Proposed solution: rename the openssl compatibility function to unique names for example foo to nss_foo, and use #define's in the openssl compat header to make programs compiled against libnss-compat-ossl use the libnss-compat-ossl symbols.

Up until now there seems to be only one user of libnss-compat-ossl in the Fedora repositories, so this would be a good moment for this change, before libnss-compat-ossl becomes widely used.
Comment 1 Kai Engert (:kaie) 2008-09-09 15:31:48 EDT
Rob suggested to change the bug component to nss_compat_ossl
Comment 2 Bug Zapper 2008-11-25 21:52:14 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Bug Zapper 2009-11-18 03:18:52 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Rob Crittenden 2009-11-18 09:14:57 EST
Changing version, this is still an issue.
Comment 5 Bug Zapper 2010-03-15 08:04:03 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle.
Changing version to '13'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 6 Bug Zapper 2011-06-02 14:28:23 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Hans de Goede 2011-06-03 04:32:06 EDT
Bumping version again, as this is still an issue AFAIK.
Comment 8 Fedora Admin XMLRPC Client 2011-08-24 14:22:40 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Fedora End Of Life 2013-04-03 15:55:06 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 10 Hans de Goede 2013-05-07 06:54:27 EDT
Ping? Given that:
https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Actually advises the use of nss_compat_ossl under some circumstances, and that this is a rather serious bug, this really ought to be fixed!

A possible (likely the only possible) solution would be to prefix all the functions with ie nss_compat_, so SSL_library_init would become nss_compat_SSL_library_init, etc.

And then add the following to nss_compat_ossl.h to allow apps building against it to use the old names:
#define SSL_library_init nss_compat_SSL_library_init
etc.
Comment 11 Rich Megginson 2013-05-09 13:46:45 EDT
Is this still a problem now that openldap is built against NSS instead of openssl on RHEL6 and later, and in Fedora?
Comment 12 Hans de Goede 2013-05-09 14:48:26 EDT
Hi,

(In reply to comment #11)
> Is this still a problem now that openldap is built against NSS instead of
> openssl on RHEL6 and later, and in Fedora?

That probably fixes the specific case which lead to the filing of this bug report, but the generic problem of symbol collisions remains.

If an app drags in 2 libs one linked against libnss-compat-ossl and one against the real openssl, things will go wrong eventually, so yes this is still a problem.

Regards,

Hans
Comment 13 Fedora Admin XMLRPC Client 2015-04-29 18:35:50 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Fedora Admin XMLRPC Client 2015-05-26 07:02:59 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 15 Fedora Admin XMLRPC Client 2015-05-26 07:26:48 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 16 Fedora Admin XMLRPC Client 2015-05-26 11:33:03 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 17 Jan Kurik 2015-07-15 11:22:46 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
Comment 18 Fedora End Of Life 2016-11-24 05:23:00 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 19 Fedora End Of Life 2016-12-20 07:01:05 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.