Modify and Rebuild RedHat Source RPM - Wrong Filename
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Modify and Rebuild RedHat Source RPM - Wrong Filename
Hello!
Here is the short version:
I need to rebuild the "openssl-0.9.7a-43.17.e14_6.1.src.rpm" source rpm from RedHat. I downloaded that file from RedHat, put it into /usr/src/redhat/SRPMS, and ran "rpmbuild --rebuild openssl-0.9.7a-43.17.e14_6.1.src.rpm". The process seems to have finished successfully, but what I get in /usr/src/RPMS/i386/ is a file named "openssl-0.9.7a-43.17.1.i386.rpm". I am having trouble reinstalling this because the version name is different. What am I doing wrong?
I think it's due to the .spec's "43.17%{?dist}.1" tag, meaning it should be see a "%define dist" (1, 2) sourced beforehand in some macro file. BTW rebuilding this .src.rpm as root account user isn't a best practice (user an unprivileged account) and rebuilding this particular .src.rpm isn't good (it's obsoleted).
Do not forget that RH back patches older versions of packages with current security patches (and hardware support), assuming you were referring to the 0.9.7a-43.17 part and not the 6.1 part.
Thanks. Maybe I need a second opinion. Am I mistaken that RHSA-2007-1003 (openssl-0.9.7a-43.17.el4_6.1) points to RHSA-2009-0004 (openssl-0.9.8b-10.el5_2.1) which affects EL4 as well?
Not sure. But I if you look in the Centos repo for EL4 (not the el5 rpm you have listed) it has no openssl-0.9.8b rpm listed. As Centos is just rebuilt RHEL and Centos/RHEL4.X is still on a ton of commercial servers, I would be VERY surprised is they were running an insecure version. It would however be a very good question for those that have a RHEL license to ask RH.
Lazlow, you're right it was a typo, and also sorry for the lack of info:
Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
2.6.9-42.0.10.ELsmp #1 SMP i686 i686 i386 GNU/Linux
You mentioned -(openssl-0.9.7a-43.17.el4_7.2.src.rpm)- I will definitely need to install this at some point
unSpawn - I'm not familiar with the spec file format and what all it should contain. Since this came from RH should it not rebuild back to the same version as the src.rpm file that I downloaded? Do I need to add a command line argument for that to happen? Is there a switch I need to use to tell the rebuild to include all of the patches?
The long version:
I actually need to edit the ssl.h file, then recompile and rebuild the package and install it. I am trying to move one step at at a time and first verify that I can rebuild and install the source package before editing it. Once I know that I can do that, then I will edit it and verify that I can do the same thing. And then, once I understand the process, I was going to upgrade with a newer version of the package. I'm not really opposed to going through this process with the _7.2 version of the package, I'm just kind of stuck on how to edit and rebuild this src.rpm where it ends up with the right version name. I tried rebuilding the _7.2 version with the same result that the resulting RPM file did not include the patch version in the name.
I followed this article - linuxweblog.com/patch-rebuild-rpm
1) I created a file named /home/username/.rpmmacros that contained only the line: %_topdir /home/username/src/rpm
2) I built the directories that were needed (/home/username/src/rpm/BUILD,SOURCES,SRPMS,RPMS,SPECS)
3) I installed the source rpm file: rpm -ihv openssl-0.9.7a-43.17.el4_7.2.src.rpm
4) I moved and unpacked the ~/src/rpm/SOURCES/openssl-0.9.7a-usa.tar.bz2 to ~/src/rpm/BUILD, edited the ssl.h file, then repacked it and moved it back
5) Edited the SPECS/openssl.spec file, changed the "Release: 43.17%{?dist}.2" to read ""Release: 43.17.el4_7.2"
6) I did a build from the spec file: rpmbuild -ba ~/src/rpm/SPECS/openssl.spec
7) I did a force upgrade with the new package: rpm -Uhv --force ~/src/rpm/RPMS/openssl-0.9.7a-43.17.el4_7.2.i386.rpm
So far everything seems to be working. I am doing this to pass a penetration test requirement so it remains to be seen if the change I made will be effective. Thank you for pointing me in the right direction, and I would be grateful to read your thoughts on my likelihood of success.
Thanks for posting back your steps. That you chose to build the RPM as unprivileged user really was a good choice. I just wish more people would adhere to best practices.
Quote:
Originally Posted by malar
likelihood of success.
I don't know if modifying ssl.h will satisfy requirements: if the goal is to just present falsified information then it's "security by obscurity" (which is not security at all). It's hard to say what the penetration test will yield since I don't know which CVE you're combatting. More information please!
Hey! I am taking your comment to mean that you didn't see any obvious errors in how I went about it, so that is great! The finding is from a Qualys scan, and it didn't include a CVE number but the QID is "38284 - Netscape/OpenSSL Cipher Forcing Bug". In the ssl.h file I had to change this line:
I am taking your comment to mean that you didn't see any obvious errors in how I went about it
Yes. Looks good to me. However the proof is in the pudding...
Quote:
Originally Posted by malar
The finding is from a Qualys scan, and it didn't include a CVE number but the QID is "38284 - Netscape/OpenSSL Cipher Forcing Bug".
I had a look at 1 and 2 and 'man SSL_CTX_set_options' but this looks like a SSL / Netscape compatibility issue, not a "real" vulnerability. Of course I'm no guru.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.