From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marius Bakke Subject: Re: OpenSSL 1.1.0c security update required Date: Fri, 09 Dec 2016 11:11:07 +0100 Message-ID: <87fulxxvic.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> References: <20161111014018.GA19957@jasmine> <87zil5ndtj.fsf@gnu.org> <20161115190905.GA1941@jasmine> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:51877) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cFI96-0005qe-Jv for guix-devel@gnu.org; Fri, 09 Dec 2016 05:11:20 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cFI90-0000PF-DR for guix-devel@gnu.org; Fri, 09 Dec 2016 05:11:16 -0500 In-Reply-To: <20161115190905.GA1941@jasmine> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari , Ludovic =?utf-8?Q?Court=C3=A8s?= Cc: guix-devel@gnu.org --=-=-= Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" --==-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Leo Famulari writes: > On Sat, Nov 12, 2016 at 12:21:44PM +0100, Ludovic Court=C3=A8s wrote: >> Leo Famulari skribis: >> > They changed how library runpaths are recorded at build time, and so o= ur >> > packaging no longer works: >> > >> > https://github.com/openssl/openssl/pull/1699 >>=20 >> I would expect ld-wrapper to do the right thing regardless of what >> OpenSSL=E2=80=99s build system does, no? > > So far, we've had to do some extra work in the openssl-next package > definition: > > (add-after 'configure 'patch-runpath > (lambda* (#:key outputs #:allow-other-keys) > (let ((lib (string-append (assoc-ref outputs "out") "/lib"))) > (substitute* "Makefile.shared" > (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") > (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" > " -Wl,-rpath," lib))) > #t))))))))) > > This phase still works to help OpenSSL's libraries find the libssl and > libcrypto libraries, but the OpenSSL executable itself now lacks a > reference to those libraries: > > starting phase `validate-runpath' > validating RUNPATH of 5 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xp= rgqpv6v-openssl-1.1.0c/lib"... > validating RUNPATH of 1 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xp= rgqpv6v-openssl-1.1.0c/bin"... > /gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: e= rror: depends on 'libssl.so.1.1', which cannot be found in RUNPATH ("/gnu/s= tore/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r= 6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0x= q0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..") > /gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: e= rror: depends on 'libcrypto.so.1.1', which cannot be found in RUNPATH ("/gn= u/store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08k= w7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8m= k0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../= ..") > validating RUNPATH of 0 binaries in "/gnu/store/wdzvwl9kx3iiq4fk2qyxg7sjx= qq2qx3x-openssl-1.1.0c-static/lib"... > phase `validate-runpath' failed after 0.0 seconds > builder for `/gnu/store/ja9xpivxkfvbm2p6zs1vicdkk4ppq1is-openssl-1.1.0c.d= rv' failed with exit code 1 > > Upstream discussion: > https://github.com/openssl/openssl/pull/1688 > https://github.com/openssl/openssl/pull/1699 > > My understanding is that this change was made for openssl@1.0.2 as well, > so we will need to address it for the next big OpenSSL update. We should > try packaging a Git snapshot of 1.0.2 now, so that we are ready. I did this change for openssl@1.1.0 (attached). The 'config(ure)' script now takes a -rpath flag which works as advertised. However by duplicating the 'configure' phase, I discovered that the 'version' variable actually gets the inherited value when using 'substitute-keyword-arguments', and had to duplicate the 'remove-miscellany' phase as well, since it tried deleting a directory called '$out/share/openssl-1.0.2j'. Should I file a bug for this, or is it something intrinsically unfixable? --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlhKgzsACgkQoqBt8qM6 VPrSfAf/dSOP6fx79Okyy5E3KHKHEOJhvzSWhayFQtPzYBYTWH/3f5zfoKaVKFWC tXg1gE4PSrfqKMV56gz9l1u2u4UvhJ/gV50YSWPnFU4GsmVpkhl37ZsF1O9dVon/ TMxY7XsASu0Az7FnoYhAlN0vbLEZVTm9BnZz0xfHSU1IwpPTlFxj4+Z9yqLq1p2g 1qszEJbPfa/92vUIj5HO90MNpEJch7eXb+XNUZbga0bfwoEdB7QUXmYhx0YENB9w BeMHNoOqu8ybM9L31txy6jFA6zCZ+q9rj4MvSxyP9NgQpxZRTh4hOFchzllaCbEj IY5luyhsZ7hUs68o+8N2aDd+PYvBsg== =kWsx -----END PGP SIGNATURE----- --==-=-=-- --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-openssl-next-Update-to-1.1.0c-fixes-CVE-7053-705.patch >From 2fa175873823afb4b2e05c9ed26772c900a2f5ef Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Fri, 9 Dec 2016 09:48:38 +0100 Subject: [PATCH] gnu: openssl-next: Update to 1.1.0c [fixes CVE-{7053,7054,7055}]. * gnu/packages/tls.scm (openssl-next): Update to 1.1.0c. [arguments]: Duplicate 'configure' to add rpath flag previously handled by now-defunct 'patch-runpath' phase. Duplicate 'remove-miscellany' phase. --- gnu/packages/tls.scm | 46 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 854ba1cb4..b581d59ce 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -355,7 +355,7 @@ required structures.") (package (inherit openssl) (name "openssl") - (version "1.1.0b") + (version "1.1.0c") (source (origin (method url-fetch) (uri (list (string-append "ftp://ftp.openssl.org/source/" @@ -366,7 +366,7 @@ required structures.") (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) (sha256 (base32 - "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4")))) + "1xfn5ydl14myd9wgxm4nxy5a42cpp1g12ijf3g9m4mz0l90n8hzw")))) (outputs '("out" "doc" ;1.3MiB of man3 pages "static")) ; 5.5MiB of .a files @@ -377,13 +377,43 @@ required structures.") (delete 'patch-tests) ; These two phases are not needed by (delete 'patch-Makefile.org) ; OpenSSL 1.1.0. - (add-after 'configure 'patch-runpath + ;; Override configure phase since -rpath is now a configure option. + (replace 'configure (lambda* (#:key outputs #:allow-other-keys) - (let ((lib (string-append (assoc-ref outputs "out") "/lib"))) - (substitute* "Makefile.shared" - (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") - (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" - " -Wl,-rpath," lib))) + (let* ((out (assoc-ref outputs "out")) + (lib (string-append out "/lib"))) + (zero? + (system* "./config" + "shared" ;build shared libraries + "--libdir=lib" + + ;; The default for this catch-all directory is + ;; PREFIX/ssl. Change that to something more + ;; conventional. + (string-append "--openssldir=" out + "/share/openssl-" ,version) + + (string-append "--prefix=" out) + + (string-append "-Wl,-rpath," lib) + + ;; XXX FIXME: Work around a code generation bug in GCC + ;; 4.9.3 on ARM when compiled with -mfpu=neon. See: + ;; + ,@(if (and (not (%current-target-system)) + (string-prefix? "armhf" (%current-system))) + '("-mfpu=vfpv3") + '())))))) + + ;; XXX: Duplicate this phase since 'version' evaluates to the + ;; inherited package when using substitute-keyword-arguments. + (replace 'remove-miscellany + (lambda* (#:key outputs #:allow-other-keys) + ;; The 'misc' directory contains random undocumented shell and Perl + ;; scripts. Remove them to avoid retaining a reference on Perl. + (let ((out (assoc-ref outputs "out"))) + (delete-file-recursively (string-append out "/share/openssl-" + ,version "/misc")) #t))))))))) (define-public libressl -- 2.11.0 --=-=-=--