Bug 654638 - openssl updated to 1.0.0b libguestfs depends on exact file names
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libguestfs
Version: 12
Hardware: Unspecified, OS: Unspecified
Priority: low, Severity: medium
Assigned To: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Duplicates: 655505 655937 656517
Reported: 2010-11-18 08:52 EST by Tomas Mraz
Modified: 2010-11-25 20:04 EST
Fixed In Version: libguestfs-1.2.11-1.fc12.1
Doc Type: Bug Fix
Last Closed: 2010-11-25 20:04:44 EST
Description Tomas Mraz 2010-11-18 08:52:13 EST
I've upgraded openssl with a minor patch level update from upstream 1.0.0a->1.0.0b which fixes a potentially serious security vulnerability. Unfortunately the update breaks libguestfs. Would it be possible to modify libguestfs so it does not depend on the full file names, but on the soname file names? There are the /lib64/libcrypto.so.10 and /lib64/.libcrypto.so.10.hmac which are symlinks that can be dereferenced to obtain the full file names. These symlink names will not change in released Fedora versions as that would be of course an ABI break.
Comment 1 Richard W.M. Jones 2010-11-18 09:18:39 EST
We should just not depend on the hmac files, which is what
seems to cause the problem.  AIUI they are not useful for
general users.

The issue of depending on file paths is discussed here, and
nothing has changed since this was written:
http://lists.fedoraproject.org/pipermail/devel/2010-April/134663.html

BTW I'm already doing new builds for F13 and F14:
http://koji.fedoraproject.org/koji/buildinfo?buildID=205415
http://koji.fedoraproject.org/koji/buildinfo?buildID=205413
Comment 2 Tomas Mraz 2010-11-18 09:41:40 EST
Yes, the hmac files are not needed if the system is not run in the FIPS mode which itself is not very useful for regular Fedora users.
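The approach discussed in the description and in comments 1 and 2, as an added example that is not part of the original thread and is not libguestfs code: resolve the stable soname symlink to the current versioned file at run time, and require the `.hmac` checksum file only when FIPS mode is wanted. The function names and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the demo tree are constructed, not from libguestfs.

# Print the real file behind a soname symlink; fail if it does not resolve to a file.
resolve_soname() {
    target=$(readlink -f -- "$1") || return 1
    [ -f "$target" ] || return 1   # readlink -f can succeed on a dangling link
    printf '%s\n' "$target"
}

# List the files to pick up for one library.
# $1 = library directory, $2 = soname, $3 = "fips" to also require the .hmac file.
collect_lib_files() {
    dir=$1; soname=$2; mode=${3:-nofips}
    resolve_soname "$dir/$soname" || { echo "missing: $dir/$soname" >&2; return 1; }
    # Outside FIPS mode the checksum file is not needed, so do not depend on it.
    [ "$mode" = fips ] || return 0
    resolve_soname "$dir/.$soname.hmac" || { echo "missing: $dir/.$soname.hmac" >&2; return 1; }
}

# Build a constructed tree that mimics the layout described in the report.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/libcrypto.so.1.0.0b"
    : > "$d/.libcrypto.so.1.0.0b.hmac"
    ln -s libcrypto.so.1.0.0b "$d/libcrypto.so.10"
    ln -s .libcrypto.so.1.0.0b.hmac "$d/.libcrypto.so.10.hmac"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
collect_lib_files "$demo" libcrypto.so.10        # library only
collect_lib_files "$demo" libcrypto.so.10 fips   # library plus checksum file
rm -rf "$demo"
```

Because only the soname is named, a patch-level update that replaces the versioned file and repoints the symlink needs no change on the consumer side.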
Comment 4 Tomas Mraz 2010-11-18 10:43:40 EST
I made openssl-1.0.0b update for F-12 as well. Is libguestfs requiring the hmac file there or not?
Comment 5 Richard W.M. Jones 2010-11-18 10:55:26 EST
Yes, I think it is.

I've kicked off a rebuild for F12 including this patch:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2608622
Comment 6 Fedora Update System 2010-11-18 12:20:30 EST
libguestfs-1.6.2-1.fc13.4 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc13.4
Comment 7 Fedora Update System 2010-11-18 12:20:58 EST
libguestfs-1.6.2-1.fc14.4 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4
Comment 8 Fedora Update System 2010-11-18 12:21:35 EST
libguestfs-1.2.11-1.fc12.1 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/libguestfs-1.2.11-1.fc12.1
Comment 9 Fedora Update System 2010-11-18 18:58:55 EST
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update libguestfs'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libguestfs-1.6.2-1.fc14.4
Comment 10 Magnus Glantz 2010-11-21 14:05:00 EST
*** Bug 655505 has been marked as a duplicate of this bug. ***
Comment 11 Josh Boyer 2010-11-22 08:33:28 EST
In case you didn't already know, the openssl update is in stable for F12 while libguestfs is still in updates-testing.  This leads to broken updates for those with libguestfs installed.
Comment 12 Tomas Mraz 2010-11-22 14:03:45 EST
*** Bug 655937 has been marked as a duplicate of this bug. ***
Comment 13 Fedora Update System 2010-11-22 17:17:21 EST
libguestfs-1.6.2-1.fc14.4 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Richard W.M. Jones 2010-11-22 17:44:50 EST
Reopen, otherwise it won't appear in some searches.
Still waiting for enough karma to push this to F12, F13.
Comment 15 Edward Rudd 2010-11-23 13:11:18 EST
With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b  on Fedora 12.

1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64

Failed dependencies:
	/usr/lib64/libcrypto.so.10 is needed by (installed) libguestfs-1:1.2.11-1.fc12.1.x86_64
Comment 16 Tomas Mraz 2010-11-23 14:40:52 EST
(In reply to comment #15)
> With the 1.2.11-1.fc12.1 release I still cannot install openssl-1.0.0b  on
> Fedora 12.
> 
> 1.0.0a has all libs in /usr/lib64 whereas 1.0.0b has the crypto libs in /lib64


Oops, that was an unintentional change in the F12 openssl package caused by my too eager merge with newer branches. I'll correct that in the openssl package.
Comment 17 Richard W.M. Jones 2010-11-23 14:45:23 EST
We can also fix this in libguestfs if you prefer.
Comment 18 Tomas Mraz 2010-11-23 14:52:25 EST
No, this was really an unintentional change and I'm building a fixed openssl package just now.
Comment 19 Tomas Mraz 2010-11-23 15:04:00 EST
Richard, please can you add the new openssl-1.0.0b-1.fc12.1 package to the libguestfs Fedora 12 update so both packages can be updated simultaneously?
Comment 20 Richard W.M. Jones 2010-11-23 15:13:46 EST
With any luck, this is correct ...
https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1
Comment 21 Fedora Update System 2010-11-23 16:54:56 EST
libguestfs-1.6.2-1.fc13.4 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Richard W.M. Jones 2010-11-23 17:51:48 EST
*** Bug 656517 has been marked as a duplicate of this bug. ***
Comment 24 Fedora Update System 2010-11-24 17:37:36 EST
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update libguestfs openssl'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/openssl-1.0.0b-1.fc12.1,libguestfs-1.2.11-1.fc12.1
Comment 25 Edward Rudd 2010-11-25 09:52:36 EST
I can confirm that the new openssl packages install correctly with the updated libguestfs on F12 x86_64.
Comment 26 Fedora Update System 2010-11-25 20:04:39 EST
libguestfs-1.2.11-1.fc12.1, openssl-1.0.0b-1.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.