Bug 654638 - openssl updated to 1.0.0b libguestfs depends on exact file names
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libguestfs
Version: 12
Hardware: Unspecified
OS: Unspecified
low
medium
Assignee: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
Duplicates: 655505 655937 656517
Reported: 2010-11-18 13:52 UTC by Tomas Mraz
Modified: 2010-11-26 01:04 UTC (History)

Fixed In Version: libguestfs-1.2.11-1.fc12.1
Doc Type: Bug Fix
Last Closed: 2010-11-26 01:04:44 UTC

Description Tomas Mraz 2010-11-18 13:52:13 UTC
I've upgraded openssl with a minor patch level update from upstream 1.0.0a->1.0.0b which fixes a potentially serious security vulnerability. Unfortunately the update breaks libguestfs. Would it be possible to modify libguestfs so it does not depend on the full file names, but on the soname file names? There are the /lib64/libcrypto.so.10 and /lib64/.libcrypto.so.10.hmac which are symlinks that can be dereferenced to obtain the full file names. These symlink names will not change in released Fedora versions as that would be of course an ABI break.
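
The soname-symlink approach proposed in the description above, as an added example that is not part of the original report or of libguestfs. A temporary directory stands in for /lib64, the versioned file names follow an assumed `libcrypto.so.<version>` pattern, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. A temporary directory stands in for /lib64; the versioned
# file names (libcrypto.so.<version>) are an assumed naming pattern.

# install_version DIR VERSION: simulate a package update that replaces the
# versioned library and its .hmac checksum and repoints the soname symlinks.
install_version() {
    dir=$1; ver=$2
    rm -f "$dir"/libcrypto.so.1.* "$dir"/.libcrypto.so.1.*.hmac
    : > "$dir/libcrypto.so.$ver"
    : > "$dir/.libcrypto.so.$ver.hmac"
    ln -sf "libcrypto.so.$ver" "$dir/libcrypto.so.10"
    ln -sf ".libcrypto.so.$ver.hmac" "$dir/.libcrypto.so.10.hmac"
}

# resolve_soname DIR NAME: dereference a soname symlink to the full file name.
resolve_soname() {
    [ -L "$1/$2" ] || { echo "not a symlink: $1/$2" >&2; return 1; }
    readlink -f "$1/$2"
}

# missing_deps DIR NAME...: print every recorded name that no longer exists.
missing_deps() {
    dir=$1; shift
    for name in "$@"; do
        [ -e "$dir/$name" ] || echo "$name"
    done
}

demo() {
    d=$(mktemp -d) || return 1
    install_version "$d" 1.0.0a
    # Two ways a consumer could record its dependency on the library:
    pinned="libcrypto.so.1.0.0a .libcrypto.so.1.0.0a.hmac"   # full file names
    stable="libcrypto.so.10 .libcrypto.so.10.hmac"           # soname symlinks
    install_version "$d" 1.0.0b                              # patch-level update
    echo "pinned names now missing: $(missing_deps "$d" $pinned | tr '\n' ' ')"
    echo "soname names now missing: $(missing_deps "$d" $stable | tr '\n' ' ')"
    echo "libcrypto.so.10 resolves to: $(basename "$(resolve_soname "$d" libcrypto.so.10)")"
    rm -rf "$d"
}

demo
```

After the simulated update only the pinned full file names are reported missing; the soname names still resolve, now to the 1.0.0b files.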

Comment 1 Richard W.M. Jones 2010-11-18 14:18:39 UTC
We should just not depend on the hmac files, which is what
seems to cause the problem.  AIUI they are not useful for
general users.

The issue of depending on file paths is discussed here, and
nothing has changed since this was written:
http://lists.fedoraproject.org/pipermail/devel/2010-April/134663.html

BTW I'm already doing new builds for F13 and F14:
http://koji.fedoraproject.org/koji/buildinfo?buildID=205415
http://koji.fedoraproject.org/koji/buildinfo?buildID=205413

Comment 2 Tomas Mraz 2010-11-18 14:41:40 UTC
Yes, the hmac files are not needed if the system is not run in the FIPS mode which itself is not very useful for regular Fedora users.

Comment 4 Tomas Mraz 2010-11-18 15:43:40 UTC
I made an openssl-1.0.0b update for F-12 as well. Is libguestfs requiring the hmac file there or not?

Comment 5 Richard W.M. Jones 2010-11-18 15:55:26 UTC
Yes, I think it is.

I've kicked off a rebuild for F12 including this patch:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2608622

Comment 6 Fedora Update System 2010-11-18 17:20:30 UTC
libguestfs-1.6.2-1.fc13.4 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc13.4

Comment 7 Fedora Update System 2010-11-18 17:20:58 UTC
libguestfs-1.6.2-1.fc14.4 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4

Comment 8 Fedora Update System 2010-11-18 17:21:35 UTC
libguestfs-1.2.11-1.fc12.1 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/libguestfs-1.2.11-1.fc12.1

Comment 9 Fedora Update System 2010-11-18 23:58:55 UTC
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libguestfs'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4

Comment 10 Magnus Glantz 2010-11-21 19:05:00 UTC
*** Bug 655505 has been marked as a duplicate of this bug. ***

Comment 11 Josh Boyer 2010-11-22 13:33:28 UTC
In case you didn't already know, the openssl update is in stable for F12 while libguestfs is still in updates-testing.  This leads to broken updates for those with libguestfs installed.

Comment 12 Tomas Mraz 2010-11-22 19:03:45 UTC
*** Bug 655937 has been marked as a duplicate of this bug. ***

Comment 13 Fedora Update System 2010-11-22 22:17:21 UTC
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Richard W.M. Jones 2010-11-22 22:44:50 UTC
Reopen, otherwise it won't appear in some searches.
Still waiting for enough karma to push this to F12, F13.

Comment 15 Edward Rudd 2010-11-23 18:11:18 UTC
With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b on Fedora 12.

1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64

Failed dependencies:
	/usr/lib64/libcrypto.so.10 is needed by (installed) libguestfs-1:1.2.11-1.fc12.1.x86_64

Comment 16 Tomas Mraz 2010-11-23 19:40:52 UTC
(In reply to comment #15)
> With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b  on
> Fedora 12.
> 
> 1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64


Oops, that was an unintentional change in the F12 openssl package caused by my too eager merge with newer branches. I'll correct that in the openssl package.

Comment 17 Richard W.M. Jones 2010-11-23 19:45:23 UTC
We can also fix this in libguestfs if you prefer.

Comment 18 Tomas Mraz 2010-11-23 19:52:25 UTC
No, this was really an unintentional change and I'm building a fixed openssl package just now.

Comment 19 Tomas Mraz 2010-11-23 20:04:00 UTC
Richard, please can you add the new openssl-1.0.0b-1.fc12.1 package to the libguestfs Fedora 12 update so both packages can be updated simultaneously?

Comment 20 Richard W.M. Jones 2010-11-23 20:13:46 UTC
With any luck, this is correct ...
https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1

Comment 21 Fedora Update System 2010-11-23 21:54:56 UTC
libguestfs-1.6.2-1.fc13.4 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Richard W.M. Jones 2010-11-23 22:51:48 UTC
*** Bug 656517 has been marked as a duplicate of this bug. ***

Comment 24 Fedora Update System 2010-11-24 22:37:36 UTC
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libguestfs openssl'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1

Comment 25 Edward Rudd 2010-11-25 14:52:36 UTC
I can confirm that the new openssl packages install correctly with the updated libguestfs on F12 x86_64.

Comment 26 Fedora Update System 2010-11-26 01:04:39 UTC
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

