Bug 460310 - libgnutls-openssl causes crashes when using ldap (symbol conflict with real openssl)
libgnutls-openssl causes crashes when using ldap (symbol conflict with real o...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: gnutls (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
: Reopened, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-27 10:23 EDT by Hans de Goede
Modified: 2011-09-15 17:41 EDT (History)
4 users (show)

See Also:
Fixed In Version: gnutls-2.12.7-2.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-26 06:37:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for zoneminder (3.82 KB, patch)
2011-08-02 11:03 EDT, Tomas Mraz
no flags Details | Diff
Hopefully fixed patch for zoneminder (3.84 KB, patch)
2011-09-15 16:39 EDT, Tomas Mraz
no flags Details | Diff

  None (edit)
Description Hans de Goede 2008-08-27 10:23:35 EDT
The story starts with bug 446860:

This is a bug against gkrellm which crashes when used on systems that use ldap
and thus have nss_ldap configured in /etc/nssswitch.conf

The problem basicly goes like this:
-gkrellm is started
-gkrellm is linked against gnutls-openssl, which provides symbols also
 found in openssl for easy porting of openssl applications to gnutls
 (but with a different ABI!)
-gkrellm does something which causes glibc to load ldap_nss, which is build
 against the real openssl, however ldap_nss's openssl symbols get resolved
against
 gnutls-openssl
-ldap_nss dives into some path causing it to call openssl functions, but ends
 up in gnutls code, which has a completely different ABI -> boom

Proposed solution: rename the gnutls compatibility functions to unique names
for example foo to gnutls_foo, and use #define's in the openssl compat header to
make programs compiled against libgnutls-openssl use the libgnutls-openssl 
symbols.

Luckily the number of users of libgnutls-openssl is small, so if we do this only 3 packages need to be rebuild:
gkrellm
zoneminder
mcabber
Comment 1 Bug Zapper 2008-11-25 21:52:21 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Dan Stahlke 2009-06-17 15:29:39 EDT
Is this crash caused by this bug?  This happens seemingly randomly, about once
per day:


======= Backtrace: =========
/lib64/libc.so.6[0x3f74275a26]
/usr/lib64/libcrypto.so.8(CRYPTO_free+0x1d)[0x359330371d]
/usr/lib64/libcrypto.so.8(OBJ_NAME_add+0x92)[0x3593266e12]
/usr/lib64/libcrypto.so.8(EVP_add_cipher+0x20)[0x3593298ea0]
/usr/lib64/libssl.so.8(SSL_library_init+0x16)[0x359363d6a6]
/usr/bin/gkrellm[0x432551]
/usr/bin/gkrellm[0x43275b]
/usr/bin/gkrellm[0x43a88e]
/usr/bin/gkrellm[0x43559a]
/lib64/libglib-2.0.so.0[0x3f76a616e4]
/lib64/libpthread.so.0[0x3f74e0686a]
/lib64/libc.so.6(clone+0x6d)[0x3f742de25d]

#0  0x0000003f742332f5 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003f74234b20 in *__GI_abort () at abort.c:88
#2  0x0000003f7427005d in __libc_message (do_abort=2,
    fmt=0x7ffff5924480 "0 09:00 3015908", ' ' <repeats 20 times>, "/var/cache/fontconfig/beeeeb3dfe132a8a0633a017c99ce0c0-x86-64.cache-2\n7ffff7ff4000-7ffff7ff5000 rw-p 7ffff7ff4000 00:00 0 \n7ffff7ff5000-7ffff7ffc000 r--s 00000000 09"...) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003f74275a26 in malloc_printerr (action=3,
    str=0x3f74335f00 "double free or corruption (fasttop)", ptr=<value optimized out>)
    at malloc.c:6196
#4  0x000000359330371d in CRYPTO_free (str=0x7fffec001590) at mem.c:402
#5  0x0000003593266e12 in OBJ_NAME_add (name=0x359331c5ee "DES-CBC", type=<value optimized out>,
    data=0x3593562420 "\37") at o_names.c:216
#6  0x0000003593298ea0 in EVP_add_cipher (c=0x3593562420) at names.c:73
#7  0x000000359363d6a6 in SSL_library_init () at ssl_algs.c:72
#8  0x0000000000432551 in ssl_negotiate (conn=0x5cdd, mbox=0x26af) at mail.c:753
#9  0x000000000043275b in tcp_connect (conn=0x7ffff5924d30, mbox=0x9adf80) at mail.c:803
#10 0x000000000043a88e in check_imap (mbox=0x9adf80) at mail.c:1151
#11 0x000000000043559a in mail_check_thread (data=0x9adf80) at mail.c:2213
#12 0x0000003f76a616e4 in g_thread_create_proxy (data=0xb870a0) at gthread.c:635
#13 0x0000003f74e0686a in start_thread (arg=<value optimized out>) at pthread_create.c:297
#14 0x0000003f742de25d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#15 0x0000000000000000 in ?? ()
Comment 3 Bug Zapper 2009-11-18 03:18:57 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Bug Zapper 2009-12-18 01:20:09 EST
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 5 Hans de Goede 2009-12-18 02:30:48 EST
Although gkrellm has long been fixed (by not using libgnutls-openssl anymore), this bug still exists, /usr/lib/libgnutls-openssl.so.26 still defines symbols which clash with openssl.
Comment 6 Tomas Mraz 2009-12-18 02:54:48 EST
There are only three packages requiring libgnutls-openssl now - zoneminder, pokerth, and wput. Hopefully neither of them calls the getpw functions. On the other hand I am very much inclined to completely disable building the libgnutls-openssl as this is clearly an experimental code that should not be used in production.
Comment 7 Hans de Goede 2009-12-18 03:20:03 EST
+1 for disabling the openssl compatibility of gnutls
Comment 8 Hans de Goede 2009-12-18 03:22:28 EST
Note though, that this should probably be coordinated with the maintainers of the 3 remaining packages. Switching over to the real openssl, may require contacting upstream and ask them to add an exception to their license (if GPL) to allow that. I had to do that for gkrellm too before I switched it over.
Comment 9 Bug Zapper 2010-03-15 08:04:16 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle.
Changing version to '13'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Bug Zapper 2011-06-02 14:28:14 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Hans de Goede 2011-06-03 04:34:28 EDT
Bumping version again, as this is still an issue AFAIK.
Comment 12 Tomas Mraz 2011-07-26 06:37:50 EDT
Fixed in rawhide by dropping the libgnutls-openssl altogether.
Comment 13 Jason Tibbitts 2011-08-02 09:19:59 EDT
Good old comment #8.  Words to live by.  But, hey, who completely forgot to do that before breaking my package completely and giving me no time to actually request the license change from upstream?

I've sent a request for a license exception.  I do not expect for them to grant it, assuming they could actually get all of the contributors to agree to do so.  If they do not do so, my options are simply dropping the software or figuring out how to port it.  Unfortunately that may be beyond me, but if someone wants to give me some pointers, I'll do my best.
Comment 14 Tomas Mraz 2011-08-02 09:39:50 EDT
I am sorry Jason, I did repoquery against the rawhide repository before the change and it showed no dependencies to me anymore. Perhaps broken repo or PEBKAC, I do not know. As I wrote on the fedora-devel the libgnutls-openssl is left by upstream in practically unmaintained state.

As for zoneminder, could it be possible to compile it with no SSL support at all temporarily?
Comment 15 Jason Tibbitts 2011-08-02 10:14:02 EDT
repoquery --whatrequires 'libgnutls-openssl.so.26()(64bit)' on F15 shows four packages (one of which is gnutls-devel).

It turns out, assuming I'm reading the C++ correctly, that zoneminder uses openssl for exactly one thing: MD5, to hash passwords. Disabling openssl would break hashed passwords and, presumably, all existing Fedora zoneminder installations.

I'm tempted to just pull in one of the public domain openssl-compatible MD5 implementations and use that.  Assuming I can figure out the maze of autotools and C++; it's really not my strong suit.  (Not only is Zoneminder written in at least four languages, but I inherited it from a maintainer who no longer appears to be around.)  Unfortunately the code uses the MD5 functions and the free code I've found just does the MD5_{Init,Update,Final} triple so I need to figure that out, but otherwise I think it should be doable.
Comment 17 Tomas Mraz 2011-08-02 11:03:46 EDT
Created attachment 516335 [details]
Patch for zoneminder

Jason, this is an easy patch for zoneminder to use the libgcrypt directly and not through the libgnutls-openssl.
Comment 18 Jason Tibbitts 2011-09-15 16:04:43 EDT
I just wanted to thank you for the patch but to let you know that it doesn't quite work.  Everything builds and appears to work fine except for one bit of functionality.  After spending quite some time tracking it down it does appear that HAVE_DECL_MD5 is still unset and this causes streamed image previews (but nothing else, it seems) to fail to work.

I will keep poking at it.
Comment 19 Tomas Mraz 2011-09-15 16:39:37 EDT
Created attachment 523445 [details]
Hopefully fixed patch for zoneminder
Comment 20 Jason Tibbitts 2011-09-15 17:17:39 EDT
Heh, that's exactly what I thought to do while I was driving home.  Thanks again.
Comment 21 Jason Tibbitts 2011-09-15 17:41:35 EDT
I needed to add one additional define (MD5_DIGEST_LENGTH, which I set to 16 as openssl had it) and it appears to fix the last remaining problem.  So at this point I think I'm good to go.

Note You need to log in before you can comment on or make changes to this bug.