[17.10] libssl-dev 1.0.2g is 1.0.0

[17.10] libssl-dev 1.0.2g is 1.0.0

Frank Rehberger
Hi

distribution : artful (ubuntu 17.10)
package libssl-dev [1.0.2g]

the package libssl-dev claims to be 1.0.2g, but it seems to be older
header-version 1.0.0, as it lacks the constant

./crypto/x509/x509_vfy.h:# define         X509_V_ERR_INVALID_CALL         65

It seems the libssl binary package is also 1.0.0


ii  libssl-dev:amd64    1.0.2g-1ubuntu13.3    amd64    Secure Sockets Layer toolkit - development files
ii  libssl-doc          1.0.2g-1ubuntu13.3    all      Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.0:amd64   1.0.2g-1ubuntu13.3    amd64    Secure Sockets Layer toolkit - shared libraries


This could be a security issue, shipping a library 1.0.0 claiming to be
1.0.2g


--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: [17.10] libssl-dev 1.0.2g is 1.0.0

Dimitri John Ledkov
Hello,

On 11 March 2018 at 09:05, Frank Rehberger <[hidden email]> wrote:

> Hi
>
> distribution : artful (ubuntu 17.10)
> package libssl-dev [1.0.2g]
>
> the package libssl-dev claims to be 1.0.2g, but it seems to be older
> header-version 1.0.0, as it lacks the constant
>
> ./crypto/x509/x509_vfy.h:# define         X509_V_ERR_INVALID_CALL         65
>
> It seems libssl binary package  is also 1.0.0
>

Ubuntu has patched openssl1.0 to retain ABI compatibility with 1.0.0
by introducing stub functions, so software that was compiled against
1.0.0 does not need to be recompiled: it remains usable with newer
Ubuntu releases that ship the 1.0.2 series of OpenSSL. Thus the
version numbers you see are correct: a 1.0.2g release with the 1.0.0 ABI.

About the following defines:
X509_V_ERR_INVALID_CALL 65
X509_V_ERR_STORE_LOOKUP 66

They appear to have been introduced in
5553a12735e11bc9aa28727afe721e7236788aab upstream on the
OpenSSL_1_0_2-stable branch, which is shipped in:

$ git tag --contains 5553a12735e11bc9aa28727afe721e7236788aab
OpenSSL_1_0_2i
OpenSSL_1_0_2j
OpenSSL_1_0_2k
OpenSSL_1_0_2l
OpenSSL_1_0_2m
OpenSSL_1_0_2n

1.0.2g pre-dates the above, and thus these defines are not available.
Bionic, to become 18.04 LTS, ships openssl1.0 1.0.2n and has the
above-mentioned defines.

W.R.T. security updates: Ubuntu does not use upstream version numbers
to rectify security issues; instead, all security vulnerabilities
are patched as distro patches and a USN (Ubuntu Security Notice) is
issued referencing the full package upload numbers and the matching CVEs
these fix. Please see https://usn.ubuntu.com/ for more details.

>
> ii  libssl-dev:amd64    1.0.2g-1ubuntu13.3    amd64    Secure Sockets Layer toolkit - development files
> ii  libssl-doc          1.0.2g-1ubuntu13.3    all      Secure Sockets Layer toolkit - development documentation
> ii  libssl1.0.0:amd64   1.0.2g-1ubuntu13.3    amd64    Secure Sockets Layer toolkit - shared libraries
>
>
> This could be a security issue, shipping a library 1.0.0 claiming to be
> 1.0.2g
>
>
> --
> ubuntu-devel mailing list
> [hidden email]
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

--
Regards,

Dimitri.
