* OpenSSL 1.1.0c security update required
@ 2016-11-11 1:40 Leo Famulari
2016-11-12 11:21 ` Ludovic Courtès
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-11-11 1:40 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 485 bytes --]
OpenSSL 1.1.0c was released today. It fixes CVE-2016-{7053,7054,7055}:
https://www.openssl.org/news/secadv/20161110.txt
This version of OpenSSL is *not* currently used by any packages, so it's
not a critical "drop everything and get to work" update, in my opinion.
They changed how library runpaths are recorded at build time, and so our
packaging no longer works:
https://github.com/openssl/openssl/pull/1699
I can tackle it in the next few days if nobody else gets to it first.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: OpenSSL 1.1.0c security update required
2016-11-11 1:40 OpenSSL 1.1.0c security update required Leo Famulari
@ 2016-11-12 11:21 ` Ludovic Courtès
2016-11-15 19:09 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2016-11-12 11:21 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> OpenSSL 1.1.0c was released today. It fixes CVE-2016-{7053,7054,7055}:
>
> https://www.openssl.org/news/secadv/20161110.txt
>
> This version of OpenSSL is *not* currently used by any packages, so it's
> not a critical "drop everything and get to work" update, in my opinion.
I agreed, good for us. ;-)
> They changed how library runpaths are recorded at build time, and so our
> packaging no longer works:
>
> https://github.com/openssl/openssl/pull/1699
I would expect ld-wrapper to do the right thing regardless of what
OpenSSL’s build system does, no?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: OpenSSL 1.1.0c security update required
2016-11-12 11:21 ` Ludovic Courtès
@ 2016-11-15 19:09 ` Leo Famulari
2016-12-09 10:11 ` Marius Bakke
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-11-15 19:09 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 2620 bytes --]
On Sat, Nov 12, 2016 at 12:21:44PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > They changed how library runpaths are recorded at build time, and so our
> > packaging no longer works:
> >
> > https://github.com/openssl/openssl/pull/1699
>
> I would expect ld-wrapper to do the right thing regardless of what
> OpenSSL’s build system does, no?
So far, we've had to do some extra work in the openssl-next package
definition:
(add-after 'configure 'patch-runpath
(lambda* (#:key outputs #:allow-other-keys)
(let ((lib (string-append (assoc-ref outputs "out") "/lib")))
(substitute* "Makefile.shared"
(("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
(string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
" -Wl,-rpath," lib)))
#t)))))))))
This phase still works to help OpenSSL's libraries find the libssl and
libcrypto libraries, but the OpenSSL executable itself now lacks a
reference to those libraries:
starting phase `validate-runpath'
validating RUNPATH of 5 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/lib"...
validating RUNPATH of 1 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin"...
/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: error: depends on 'libssl.so.1.1', which cannot be found in RUNPATH ("/gnu/store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..")
/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: error: depends on 'libcrypto.so.1.1', which cannot be found in RUNPATH ("/gnu/store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..")
validating RUNPATH of 0 binaries in "/gnu/store/wdzvwl9kx3iiq4fk2qyxg7sjxqq2qx3x-openssl-1.1.0c-static/lib"...
phase `validate-runpath' failed after 0.0 seconds
builder for `/gnu/store/ja9xpivxkfvbm2p6zs1vicdkk4ppq1is-openssl-1.1.0c.drv' failed with exit code 1
Upstream discussion:
https://github.com/openssl/openssl/pull/1688
https://github.com/openssl/openssl/pull/1699
My understanding is that this change was made for openssl@1.0.2 as well,
so we will need to address it for the next big OpenSSL update. We should
try packaging a Git snapshot of 1.0.2 now, so that we are ready.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: OpenSSL 1.1.0c security update required
2016-11-15 19:09 ` Leo Famulari
@ 2016-12-09 10:11 ` Marius Bakke
2016-12-10 1:21 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Marius Bakke @ 2016-12-09 10:11 UTC (permalink / raw)
To: Leo Famulari, Ludovic Courtès; +Cc: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 3242 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Sat, Nov 12, 2016 at 12:21:44PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> > They changed how library runpaths are recorded at build time, and so our
>> > packaging no longer works:
>> >
>> > https://github.com/openssl/openssl/pull/1699
>>
>> I would expect ld-wrapper to do the right thing regardless of what
>> OpenSSL’s build system does, no?
>
> So far, we've had to do some extra work in the openssl-next package
> definition:
>
> (add-after 'configure 'patch-runpath
> (lambda* (#:key outputs #:allow-other-keys)
> (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
> (substitute* "Makefile.shared"
> (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
> (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
> " -Wl,-rpath," lib)))
> #t)))))))))
>
> This phase still works to help OpenSSL's libraries find the libssl and
> libcrypto libraries, but the OpenSSL executable itself now lacks a
> reference to those libraries:
>
> starting phase `validate-runpath'
> validating RUNPATH of 5 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/lib"...
> validating RUNPATH of 1 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin"...
> /gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: error: depends on 'libssl.so.1.1', which cannot be found in RUNPATH ("/gnu/store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..")
> /gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: error: depends on 'libcrypto.so.1.1', which cannot be found in RUNPATH ("/gnu/store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..")
> validating RUNPATH of 0 binaries in "/gnu/store/wdzvwl9kx3iiq4fk2qyxg7sjxqq2qx3x-openssl-1.1.0c-static/lib"...
> phase `validate-runpath' failed after 0.0 seconds
> builder for `/gnu/store/ja9xpivxkfvbm2p6zs1vicdkk4ppq1is-openssl-1.1.0c.drv' failed with exit code 1
>
> Upstream discussion:
> https://github.com/openssl/openssl/pull/1688
> https://github.com/openssl/openssl/pull/1699
>
> My understanding is that this change was made for openssl@1.0.2 as well,
> so we will need to address it for the next big OpenSSL update. We should
> try packaging a Git snapshot of 1.0.2 now, so that we are ready.
I did this change for openssl@1.1.0 (attached). The 'config(ure)' script
now takes a -rpath flag which works as advertised.
However by duplicating the 'configure' phase, I discovered that the
'version' variable actually gets the inherited value when using
'substitute-keyword-arguments', and had to duplicate the
'remove-miscellany' phase as well, since it tried deleting a directory
called '$out/share/openssl-1.0.2j'. Should I file a bug for this, or
is it something intrinsically unfixable?
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-openssl-next-Update-to-1.1.0c-fixes-CVE-7053-705.patch --]
[-- Type: text/x-patch, Size: 4103 bytes --]
From 2fa175873823afb4b2e05c9ed26772c900a2f5ef Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Fri, 9 Dec 2016 09:48:38 +0100
Subject: [PATCH] gnu: openssl-next: Update to 1.1.0c [fixes
CVE-{7053,7054,7055}].
* gnu/packages/tls.scm (openssl-next): Update to 1.1.0c.
[arguments]: Duplicate 'configure' to add rpath flag previously handled by
now-defunct 'patch-runpath' phase. Duplicate 'remove-miscellany' phase.
---
gnu/packages/tls.scm | 46 ++++++++++++++++++++++++++++++++++++++--------
1 file changed, 38 insertions(+), 8 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 854ba1cb4..b581d59ce 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -355,7 +355,7 @@ required structures.")
(package
(inherit openssl)
(name "openssl")
- (version "1.1.0b")
+ (version "1.1.0c")
(source (origin
(method url-fetch)
(uri (list (string-append "ftp://ftp.openssl.org/source/"
@@ -366,7 +366,7 @@ required structures.")
(patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
(sha256
(base32
- "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))
+ "1xfn5ydl14myd9wgxm4nxy5a42cpp1g12ijf3g9m4mz0l90n8hzw"))))
(outputs '("out"
"doc" ;1.3MiB of man3 pages
"static")) ; 5.5MiB of .a files
@@ -377,13 +377,43 @@ required structures.")
(delete 'patch-tests) ; These two phases are not needed by
(delete 'patch-Makefile.org) ; OpenSSL 1.1.0.
- (add-after 'configure 'patch-runpath
+ ;; Override configure phase since -rpath is now a configure option.
+ (replace 'configure
(lambda* (#:key outputs #:allow-other-keys)
- (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
- (substitute* "Makefile.shared"
- (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
- (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
- " -Wl,-rpath," lib)))
+ (let* ((out (assoc-ref outputs "out"))
+ (lib (string-append out "/lib")))
+ (zero?
+ (system* "./config"
+ "shared" ;build shared libraries
+ "--libdir=lib"
+
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-" ,version)
+
+ (string-append "--prefix=" out)
+
+ (string-append "-Wl,-rpath," lib)
+
+ ;; XXX FIXME: Work around a code generation bug in GCC
+ ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
+ ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+ ,@(if (and (not (%current-target-system))
+ (string-prefix? "armhf" (%current-system)))
+ '("-mfpu=vfpv3")
+ '()))))))
+
+ ;; XXX: Duplicate this phase since 'version' evaluates to the
+ ;; inherited package when using substitute-keyword-arguments.
+ (replace 'remove-miscellany
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; The 'misc' directory contains random undocumented shell and Perl
+ ;; scripts. Remove them to avoid retaining a reference on Perl.
+ (let ((out (assoc-ref outputs "out")))
+ (delete-file-recursively (string-append out "/share/openssl-"
+ ,version "/misc"))
#t)))))))))
(define-public libressl
--
2.11.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: OpenSSL 1.1.0c security update required
2016-12-09 10:11 ` Marius Bakke
@ 2016-12-10 1:21 ` Leo Famulari
0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-12-10 1:21 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 2507 bytes --]
On Fri, Dec 09, 2016 at 11:11:07AM +0100, Marius Bakke wrote:
> I did this change for openssl@1.1.0 (attached). The 'config(ure)' script
> now takes a -rpath flag which works as advertised.
Thanks for taking this on!
> However by duplicating the 'configure' phase, I discovered that the
> 'version' variable actually gets the inherited value when using
> 'substitute-keyword-arguments', and had to duplicate the
> 'remove-miscellany' phase as well, since it tried deleting a directory
> called '$out/share/openssl-1.0.2j'. Should I file a bug for this, or
> is it something intrinsically unfixable?
I don't know, but the patch looks good enough to me, so can you go ahead
and push it? We can deduplicate the phases later.
> From 2fa175873823afb4b2e05c9ed26772c900a2f5ef Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Fri, 9 Dec 2016 09:48:38 +0100
> Subject: [PATCH] gnu: openssl-next: Update to 1.1.0c [fixes
> CVE-{7053,7054,7055}].
>
> * gnu/packages/tls.scm (openssl-next): Update to 1.1.0c.
> [arguments]: Duplicate 'configure' to add rpath flag previously handled by
> now-defunct 'patch-runpath' phase. Duplicate 'remove-miscellany' phase.
[...]
> + (replace 'configure
> (lambda* (#:key outputs #:allow-other-keys)
> - (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
> - (substitute* "Makefile.shared"
> - (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
> - (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
> - " -Wl,-rpath," lib)))
> + (let* ((out (assoc-ref outputs "out"))
> + (lib (string-append out "/lib")))
> + (zero?
> + (system* "./config"
> + "shared" ;build shared libraries
> + "--libdir=lib"
> +
> + ;; The default for this catch-all directory is
> + ;; PREFIX/ssl. Change that to something more
> + ;; conventional.
> + (string-append "--openssldir=" out
> + "/share/openssl-" ,version)
> +
> + (string-append "--prefix=" out)
> +
> + (string-append "-Wl,-rpath," lib)
This is much clearer than patching the Makefile!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-12-10 1:21 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-11 1:40 OpenSSL 1.1.0c security update required Leo Famulari
2016-11-12 11:21 ` Ludovic Courtès
2016-11-15 19:09 ` Leo Famulari
2016-12-09 10:11 ` Marius Bakke
2016-12-10 1:21 ` Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.