The story starts with bug 446860: This is a bug against gkrellm which crashes when used on systems that use ldap and thus have nss_ldap configured in /etc/nssswitch.conf The problem basicly goes like this: -gkrellm is started -gkrellm is linked against gnutls-openssl, which provides symbols also found in openssl for easy porting of openssl applications to gnutls (but with a different ABI!) -gkrellm does something which causes glibc to load ldap_nss, which is build against the real openssl, however ldap_nss's openssl symbols get resolved against gnutls-openssl -ldap_nss dives into some path causing it to call openssl functions, but ends up in gnutls code, which has a completely different ABI -> boom Proposed solution: rename the gnutls compatibility functions to unique names for example foo to gnutls_foo, and use #define's in the openssl compat header to make programs compiled against libgnutls-openssl use the libgnutls-openssl symbols. Luckily the number of users of libgnutls-openssl is small, so if we do this only 3 packages need to be rebuild: gkrellm zoneminder mcabber
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Is this crash caused by this bug? This happens seemingly randomly, about once per day: ======= Backtrace: ========= /lib64/libc.so.6[0x3f74275a26] /usr/lib64/libcrypto.so.8(CRYPTO_free+0x1d)[0x359330371d] /usr/lib64/libcrypto.so.8(OBJ_NAME_add+0x92)[0x3593266e12] /usr/lib64/libcrypto.so.8(EVP_add_cipher+0x20)[0x3593298ea0] /usr/lib64/libssl.so.8(SSL_library_init+0x16)[0x359363d6a6] /usr/bin/gkrellm[0x432551] /usr/bin/gkrellm[0x43275b] /usr/bin/gkrellm[0x43a88e] /usr/bin/gkrellm[0x43559a] /lib64/libglib-2.0.so.0[0x3f76a616e4] /lib64/libpthread.so.0[0x3f74e0686a] /lib64/libc.so.6(clone+0x6d)[0x3f742de25d] #0 0x0000003f742332f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x0000003f74234b20 in *__GI_abort () at abort.c:88 #2 0x0000003f7427005d in __libc_message (do_abort=2, fmt=0x7ffff5924480 "0 09:00 3015908", ' ' <repeats 20 times>, "/var/cache/fontconfig/beeeeb3dfe132a8a0633a017c99ce0c0-x86-64.cache-2\n7ffff7ff4000-7ffff7ff5000 rw-p 7ffff7ff4000 00:00 0 \n7ffff7ff5000-7ffff7ffc000 r--s 00000000 09"...) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170 #3 0x0000003f74275a26 in malloc_printerr (action=3, str=0x3f74335f00 "double free or corruption (fasttop)", ptr=<value optimized out>) at malloc.c:6196 #4 0x000000359330371d in CRYPTO_free (str=0x7fffec001590) at mem.c:402 #5 0x0000003593266e12 in OBJ_NAME_add (name=0x359331c5ee "DES-CBC", type=<value optimized out>, data=0x3593562420 "\37") at o_names.c:216 #6 0x0000003593298ea0 in EVP_add_cipher (c=0x3593562420) at names.c:73 #7 0x000000359363d6a6 in SSL_library_init () at ssl_algs.c:72 #8 0x0000000000432551 in ssl_negotiate (conn=0x5cdd, mbox=0x26af) at mail.c:753 #9 0x000000000043275b in tcp_connect (conn=0x7ffff5924d30, mbox=0x9adf80) at mail.c:803 #10 0x000000000043a88e in check_imap (mbox=0x9adf80) at mail.c:1151 #11 0x000000000043559a in mail_check_thread (data=0x9adf80) at mail.c:2213 #12 0x0000003f76a616e4 in g_thread_create_proxy (data=0xb870a0) at gthread.c:635 #13 0x0000003f74e0686a in start_thread (arg=<value optimized out>) at pthread_create.c:297 #14 0x0000003f742de25d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #15 0x0000000000000000 in ?? ()
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
Although gkrellm has long been fixed (by not using libgnutls-openssl anymore), this bug still exists, /usr/lib/libgnutls-openssl.so.26 still defines symbols which clash with openssl.
There are only three packages requiring libgnutls-openssl now - zoneminder, pokerth, and wput. Hopefully neither of them calls the getpw functions. On the other hand I am very much inclined to completely disable building the libgnutls-openssl as this is clearly an experimental code that should not be used in production.
+1 for disabling the openssl compatibility of gnutls
Note though, that this should probably be coordinated with the maintainers of the 3 remaining packages. Switching over to the real openssl, may require contacting upstream and ask them to add an exception to their license (if GPL) to allow that. I had to do that for gkrellm too before I switched it over.
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle. Changing version to '13'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Bumping version again, as this is still an issue AFAIK.
Fixed in rawhide by dropping the libgnutls-openssl altogether.
Good old comment #8. Words to live by. But, hey, who completely forgot to do that before breaking my package completely and giving me no time to actually request the license change from upstream? I've sent a request for a license exception. I do not expect for them to grant it, assuming they could actually get all of the contributors to agree to do so. If they do not do so, my options are simply dropping the software or figuring out how to port it. Unfortunately that may be beyond me, but if someone wants to give me some pointers, I'll do my best.
I am sorry Jason, I did repoquery against the rawhide repository before the change and it showed no dependencies to me anymore. Perhaps broken repo or PEBKAC, I do not know. As I wrote on the fedora-devel the libgnutls-openssl is left by upstream in practically unmaintained state. As for zoneminder, could it be possible to compile it with no SSL support at all temporarily?
repoquery --whatrequires 'libgnutls-openssl.so.26()(64bit)' on F15 shows four packages (one of which is gnutls-devel). It turns out, assuming I'm reading the C++ correctly, that zoneminder uses openssl for exactly one thing: MD5, to hash passwords. Disabling openssl would break hashed passwords and, presumably, all existing Fedora zoneminder installations. I'm tempted to just pull in one of the public domain openssl-compatible MD5 implementations and use that. Assuming I can figure out the maze of autotools and C++; it's really not my strong suit. (Not only is Zoneminder written in at least four languages, but I inherited it from a maintainer who no longer appears to be around.) Unfortunately the code uses the MD5 functions and the free code I've found just does the MD5_{Init,Update,Final} triple so I need to figure that out, but otherwise I think it should be doable.
FYI, the code in question is at: http://svn.zoneminder.com/svn/zm/trunk/src/zm_user.h http://svn.zoneminder.com/svn/zm/trunk/src/zm_user.cpp
Created attachment 516335 [details] Patch for zoneminder Jason, this is an easy patch for zoneminder to use the libgcrypt directly and not through the libgnutls-openssl.
I just wanted to thank you for the patch but to let you know that it doesn't quite work. Everything builds and appears to work fine except for one bit of functionality. After spending quite some time tracking it down it does appear that HAVE_DECL_MD5 is still unset and this causes streamed image previews (but nothing else, it seems) to fail to work. I will keep poking at it.
Created attachment 523445 [details] Hopefully fixed patch for zoneminder
Heh, that's exactly what I thought to do while I was driving home. Thanks again.
I needed to add one additional define (MD5_DIGEST_LENGTH, which I set to 16 as openssl had it) and it appears to fix the last remaining problem. So at this point I think I'm good to go.