From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: OpenSSL 1.1.0c security update required Date: Tue, 15 Nov 2016 14:09:05 -0500 Message-ID: <20161115190905.GA1941@jasmine> References: <20161111014018.GA19957@jasmine> <87zil5ndtj.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="SUOF0GtieIMvvwua" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:50792) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1c6j6W-0001ft-5S for guix-devel@gnu.org; Tue, 15 Nov 2016 14:09:13 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1c6j6S-0006ML-Ul for guix-devel@gnu.org; Tue, 15 Nov 2016 14:09:12 -0500 Content-Disposition: inline In-Reply-To: <87zil5ndtj.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?iso-8859-1?Q?Court=E8s?= Cc: guix-devel@gnu.org --SUOF0GtieIMvvwua Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Nov 12, 2016 at 12:21:44PM +0100, Ludovic Court=C3=A8s wrote: > Leo Famulari skribis: > > They changed how library runpaths are recorded at build time, and so our > > packaging no longer works: > > > > https://github.com/openssl/openssl/pull/1699 >=20 > I would expect ld-wrapper to do the right thing regardless of what > OpenSSL=E2=80=99s build system does, no? So far, we've had to do some extra work in the openssl-next package definition: (add-after 'configure 'patch-runpath (lambda* (#:key outputs #:allow-other-keys) (let ((lib (string-append (assoc-ref outputs "out") "/lib"))) (substitute* "Makefile.shared" (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" " -Wl,-rpath," lib))) #t))))))))) This phase still works to help OpenSSL's libraries find the libssl and libcrypto libraries, but the OpenSSL executable itself now lacks a reference to those libraries: starting phase `validate-runpath' validating RUNPATH of 5 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprg= qpv6v-openssl-1.1.0c/lib"... validating RUNPATH of 1 binaries in "/gnu/store/d4669fp9lhvi85i97kbhwk3xprg= qpv6v-openssl-1.1.0c/bin"... /gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: err= or: depends on 'libssl.so.1.1', which cannot be found in RUNPATH ("/gnu/sto= re/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7r6r= 684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0xq0= dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..") /gnu/store/d4669fp9lhvi85i97kbhwk3xprgqpv6v-openssl-1.1.0c/bin/openssl: err= or: depends on 'libcrypto.so.1.1', which cannot be found in RUNPATH ("/gnu/= store/iwgi9001dmmihrjg4rqhd6pa6788prjw-glibc-2.24/lib" "/gnu/store/cdi08kw7= r6r684w8mk0xq0dkgpjhfpmd-gcc-4.9.4-lib/lib" "/gnu/store/cdi08kw7r6r684w8mk0= xq0dkgpjhfpmd-gcc-4.9.4-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../..= ") validating RUNPATH of 0 binaries in "/gnu/store/wdzvwl9kx3iiq4fk2qyxg7sjxqq= 2qx3x-openssl-1.1.0c-static/lib"... phase `validate-runpath' failed after 0.0 seconds builder for `/gnu/store/ja9xpivxkfvbm2p6zs1vicdkk4ppq1is-openssl-1.1.0c.drv= ' failed with exit code 1 Upstream discussion: https://github.com/openssl/openssl/pull/1688 https://github.com/openssl/openssl/pull/1699 My understanding is that this change was made for openssl@1.0.2 as well, so we will need to address it for the next big OpenSSL update. We should try packaging a Git snapshot of 1.0.2 now, so that we are ready. --SUOF0GtieIMvvwua Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJYK11MAAoJECZG+jC6yn8IwJAQAMrcCZCIZTP5bBHYBssH2hEZ xjgb21ASfSaDw6nEZ4xLqJDMBkl+mZTKArBZJGa7nSS/oAqq1iE4juGMgQ9ffa+b mzqYCFpfuFrLTc+2MnhvjNYmruTwCZ7JIAD1vK+kd+nKoBGQw2pV6yjRVpz7eJgy GmbYH9FeyFQ9fa0Z8bZoZ0YPvxkuRYrEQKho5FbfaLc4z9H+SUFN0wPQX2eiWWjN GJe1oAw9FbrkwIFGXG9ZdyfzkhP6G+FljVix3F/5SGTe8H84vJg2HW/39H9PCJHQ qv2d1hDMZcaBjKq7/cdTkzabB/Xy5pNVrs7n9zRM1bseg836V0Kck++Lju2ctADf 0QGOHMVjqXbuz4subaD/6mG0L86cOvYu0dlponFiTuLX60r7/tTbA6AZeQZ4zCar J/hJn1DtjDF+DIGU+xEMtGH2OpGUzBJVsU2BZB0F53n1bqPcOXPsJ/YhVcxiO9uf VakbEOG9l0NWASUY0af56CPIqZu++iSgwGX8rlBm3josEz0H0Obory3vY3jj2RRe pqg3YQ6OVuRrf9SwhyIohIJlhW3vIc8O1A8/jkPqleu3GEoPnjTSMgHapN+pBgUC 4cshQXGRfHHTFKc5QwljuW+7eKbo8HAnFfK0C0zdWKyWJaoWIB83cSoFQILFUn+n qaHMAhYawJAyLuqMEFqn =KoB/ -----END PGP SIGNATURE----- --SUOF0GtieIMvvwua--