LinuxQuestions.org
Old 10-23-2009, 04:36 PM   #1
malar
LQ Newbie
 
Registered: Feb 2006
Posts: 27

Rep: Reputation: 15
Modify and Rebuild RedHat Source RPM - Wrong Filename


Hello!

Here is the short version:
I need to rebuild the "openssl-0.9.7a-43.17.e14_6.1.src.rpm" source rpm from RedHat. I downloaded that file from RedHat, put it into /usr/src/redhat/SRPMS, and ran "rpmbuild --rebuild openssl-0.9.7a-43.17.e14_6.1.src.rpm". The process seems to have finished successfully, but what I get in /usr/src/RPMS/i386/ is a file named "openssl-0.9.7a-43.17.1.i386.rpm". I am having trouble reinstalling this because the version name is different. What am I doing wrong?

I greatly appreciate your help. Thanks!
 
Old 10-23-2009, 05:23 PM   #2
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,363

Rep: Reputation: 172
First, I hope this is just a typo, but that should be el4, not e14 (small L, not 1). If it is a 1 then you probably do not have a real RH rpm (a fake).

It would help a LOT if you would cut and paste the errors you are getting.


Usually it is a good idea to post your distro, version, and arch you are using when asking a question. I assume you are running RHEL4.X 32bit.

Quote:
openssl-0.9.7a-43.17.el4_7.2.src.rpm
Might be more current.

Last edited by lazlow; 10-23-2009 at 05:26 PM.
 
Old 10-23-2009, 06:18 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
I think it's due to the .spec's "43.17%{?dist}.1" tag, meaning it should see a "%define dist" (1, 2) sourced beforehand in some macro file. BTW, rebuilding this .src.rpm as the root account user isn't a best practice (use an unprivileged account), and rebuilding this particular .src.rpm isn't good (it's obsoleted).
 
Old 10-23-2009, 07:15 PM   #4
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,363

Rep: Reputation: 172
unSpawn

Do not forget that RH back patches older versions of packages with current security patches (and hardware support), assuming you were referring to the 0.9.7a-43.17 part and not the 6.1 part.
 
Old 10-24-2009, 01:54 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Thanks. Maybe I need a second opinion. Am I mistaken that RHSA-2007-1003 (openssl-0.9.7a-43.17.el4_6.1) points to RHSA-2009-0004 (openssl-0.9.8b-10.el5_2.1) which affects EL4 as well?
 
Old 10-24-2009, 09:02 AM   #6
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,363

Rep: Reputation: 172
Not sure. But if you look in the Centos repo for EL4 (not the el5 rpm you have listed) it has no openssl-0.9.8b rpm listed. As Centos is just rebuilt RHEL and Centos/RHEL4.X is still on a ton of commercial servers, I would be VERY surprised if they were running an insecure version. It would however be a very good question for those that have a RHEL license to ask RH.

Centos 5.4 lists openssl-0.9.8e-12.el5.src.rpm

 
Old 10-26-2009, 08:55 AM   #7
malar
LQ Newbie
 
Registered: Feb 2006
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks for the fast replies!!

Lazlow, you're right, it was a typo; also, sorry for the lack of info:
Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
2.6.9-42.0.10.ELsmp #1 SMP i686 i686 i386 GNU/Linux
You mentioned openssl-0.9.7a-43.17.el4_7.2.src.rpm; I will definitely need to install this at some point.

unSpawn - I'm not familiar with the spec file format and what all it should contain. Since this came from RH should it not rebuild back to the same version as the src.rpm file that I downloaded? Do I need to add a command line argument for that to happen? Is there a switch I need to use to tell the rebuild to include all of the patches?

The long version:
I actually need to edit the ssl.h file, then recompile and rebuild the package and install it. I am trying to move one step at a time and first verify that I can rebuild and install the source package before editing it. Once I know that I can do that, then I will edit it and verify that I can do the same thing. And then, once I understand the process, I was going to upgrade with a newer version of the package. I'm not really opposed to going through this process with the _7.2 version of the package, I'm just kind of stuck on how to edit and rebuild this src.rpm so that it ends up with the right version name. I tried rebuilding the _7.2 version with the same result: the resulting RPM file did not include the patch version in the name.

Thanks for your help!! I really appreciate it.
 
Old 10-26-2009, 04:19 PM   #8
malar
LQ Newbie
 
Registered: Feb 2006
Posts: 27

Original Poster
Rep: Reputation: 15
An update on what I've done:

I followed this article - linuxweblog.com/patch-rebuild-rpm
1) I created a file named /home/username/.rpmmacros that contained only the line: %_topdir /home/username/src/rpm
2) I built the directories that were needed (/home/username/src/rpm/BUILD,SOURCES,SRPMS,RPMS,SPECS)
3) I installed the source rpm file: rpm -ihv openssl-0.9.7a-43.17.el4_7.2.src.rpm
4) I moved and unpacked the ~/src/rpm/SOURCES/openssl-0.9.7a-usa.tar.bz2 to ~/src/rpm/BUILD, edited the ssl.h file, then repacked it and moved it back
5) Edited the SPECS/openssl.spec file, changed the "Release: 43.17%{?dist}.2" to read "Release: 43.17.el4_7.2"
6) I did a build from the spec file: rpmbuild -ba ~/src/rpm/SPECS/openssl.spec
7) I did a force upgrade with the new package: rpm -Uhv --force ~/src/rpm/RPMS/openssl-0.9.7a-43.17.el4_7.2.i386.rpm

So far everything seems to be working. I am doing this to pass a penetration test requirement so it remains to be seen if the change I made will be effective. Thank you for pointing me in the right direction, and I would be grateful to read your thoughts on my likelihood of success.
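An added example, not from the thread and not Red Hat's tooling: a small POSIX shell script that sets up the unprivileged rpmbuild tree from the steps above and shows the "%{?dist}" behaviour unSpawn pointed at in post #3 (the Release line is "43.17%{?dist}.N", and "%{?dist}" expands to the value of the dist macro only when that macro is defined, to nothing otherwise, which is why the first rebuild came out as 43.17.1). The assumptions are that dist should be ".el4_7", so that the spec's "Release: 43.17%{?dist}.2" expands to "43.17.el4_7.2" as in step 7, and that defining it in ~/.rpmmacros is preferable to rewriting the Release line in the spec; expand_release, setup_rpmtree, rpm_release_of and release_matches are helper names chosen here. The script itself only writes to a temporary directory; the real rpm/rpmbuild commands are listed in a comment at the end.

```shell
#!/bin/sh
# Added example (not the thread's or Red Hat's code): an unprivileged rpmbuild
# tree plus a check that the rebuilt RPM carries the release you expect.
# Assumption: %dist for this build is ".el4_7" (matching 43.17.el4_7.2).

# Mimic the conditional expansion of %{?dist} in a Release tag.
# $1 = Release as written in the spec, $2 = value of %dist ("" = undefined).
expand_release() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1" | sed "s/%{?dist}/$2/g"
    else
        printf '%s\n' "$1" | sed 's/%{?dist}//g'
    fi
}

# Create an rpmbuild tree under a directory the current user owns and write
# the macros file that points rpmbuild at it. No root needed.
# $1 = %_topdir, $2 = %dist value, $3 = macros file to write (~/.rpmmacros
# in real use; the demonstration below writes into a temp dir instead).
setup_rpmtree() {
    mkdir -p "$1/BUILD" "$1/SOURCES" "$1/SRPMS" "$1/RPMS" "$1/SPECS"
    printf '%%_topdir %s\n%%dist %s\n' "$1" "$2" > "$3"
}

# Pull the release field out of a binary RPM file name (name-version-release.arch.rpm).
# Package names may contain '-', so strip from the right: ".rpm", ".arch", then release.
rpm_release_of() {
    f=${1##*/}            # basename
    f=${f%.rpm}           # drop ".rpm"
    f=${f%.*}             # drop ".arch"
    printf '%s\n' "${f##*-}"
}

# Compare the release in a built RPM's name with the release the spec should
# produce once %dist is applied. $1 = rpm file, $2 = spec Release, $3 = %dist.
# Returns 0 on match, 1 on mismatch.
release_matches() {
    [ "$(rpm_release_of "$1")" = "$(expand_release "$2" "$3")" ]
}

# Self-contained demonstration; harmless to run (everything lands in a temp dir).
DEMO=$(mktemp -d)
setup_rpmtree "$DEMO/rpm" ".el4_7" "$DEMO/rpmmacros"
echo "without %dist:      $(expand_release '43.17%{?dist}.2' '')"          # 43.17.2
echo "with %dist .el4_7:  $(expand_release '43.17%{?dist}.2' '.el4_7')"    # 43.17.el4_7.2
# The OP's first result, checked against what the el4_6 spec should have produced:
if release_matches openssl-0.9.7a-43.17.1.i386.rpm '43.17%{?dist}.1' '.el4_6'; then
    echo "release ok"
else
    echo "release mismatch: %dist was not applied during the build"
fi
rm -rf "$DEMO"

# Real run, once the SRPM is downloaded and rpmbuild is installed:
#   setup_rpmtree "$HOME/src/rpm" ".el4_7" "$HOME/.rpmmacros"
#   rpm -ihv openssl-0.9.7a-43.17.el4_7.2.src.rpm
#   rpmbuild -ba "$HOME/src/rpm/SPECS/openssl.spec"
#   release_matches "$HOME"/src/rpm/RPMS/i386/openssl-0.9.7a-*.i386.rpm '43.17%{?dist}.2' '.el4_7'
```

Defining dist in the macros file rather than hard-coding the Release keeps the spec's own release scheme intact, so the rebuilt package name lines up with the SRPM it came from, and release_matches gives a quick post-build check that the expansion really happened before the package is installed anywhere.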
 
Old 10-26-2009, 05:01 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by malar View Post
An update on what I've done
Thanks for posting back your steps. That you chose to build the RPM as unprivileged user really was a good choice. I just wish more people would adhere to best practices.


Quote:
Originally Posted by malar View Post
likelihood of success.
I don't know if modifying ssl.h will satisfy requirements: if the goal is to just present falsified information then it's "security by obscurity" (which is not security at all). It's hard to say what the penetration test will yield since I don't know which CVE you're combatting. More information please!
 
Old 10-28-2009, 12:37 PM   #10
malar
LQ Newbie
 
Registered: Feb 2006
Posts: 27

Original Poster
Rep: Reputation: 15
Hey! I am taking your comment to mean that you didn't see any obvious errors in how I went about it, so that is great! The finding is from a Qualys scan, and it didn't include a CVE number but the QID is "38284 - Netscape/OpenSSL Cipher Forcing Bug". In the ssl.h file I had to change this line:

#define SSL_OP_ALL 0x00000FFFL

to this line:

#define SSL_OP_ALL (0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)

I guess I'll find out how successful I was when we get scanned again. Thanks for your help!
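An added example, not the poster's code: the two arithmetic ways of removing a flag from SSL_OP_ALL, run through in shell so the difference is visible. The constants are the 0.9.7-era ssl.h values (SSL_OP_ALL 0x00000FFFL as quoted above; SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is 0x00000008L in that header, which you should confirm against your copy) and the function names are chosen here. What it shows: XOR toggles the bit, so the posted edit clears it only while the bit is actually present in the mask, whereas AND-NOT clears it unconditionally and can be applied twice (or to a mask that never had the bit) without switching the workaround back on.

```shell
#!/bin/sh
# Added example (not from the thread): clearing one option bit from SSL_OP_ALL.
# Constants as in the 0.9.7-era ssl.h; confirm against the header you build from.
SSL_OP_ALL=$((0x00000FFF))
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG=$((0x00000008))

# XOR, as in the posted "#define": toggles the bit. Clears it only if it was set.
# $1 = mask, $2 = flag; prints the result as 0xXXXXXXXX.
drop_flag_xor() { printf '0x%08X\n' $(( $1 ^ $2 )); }

# AND-NOT: clears the bit whether or not it was set, so it is idempotent.
drop_flag_andnot() { printf '0x%08X\n' $(( $1 & ~$2 )); }

# Is a given option bit present in a mask? Returns 0 = yes, 1 = no.
has_flag() { [ $(( $1 & $2 )) -ne 0 ]; }

# On the stock mask both forms agree: the bit is set, and both clear it.
echo "stock mask, xor:     $(drop_flag_xor    $SSL_OP_ALL $SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)"   # 0x00000FF7
echo "stock mask, and-not: $(drop_flag_andnot $SSL_OP_ALL $SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)"   # 0x00000FF7

# Edge case: apply the edit to a mask that already lacks the bit (the edit
# applied twice, or a header where SSL_OP_ALL no longer includes the flag).
ALREADY_CLEARED=$(drop_flag_andnot $SSL_OP_ALL $SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
echo "second pass, xor:     $(drop_flag_xor    $((ALREADY_CLEARED)) $SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)"   # 0x00000FFF (re-enabled)
echo "second pass, and-not: $(drop_flag_andnot $((ALREADY_CLEARED)) $SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)"   # 0x00000FF7 (still off)

if has_flag $SSL_OP_ALL $SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; then
    echo "stock SSL_OP_ALL includes SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG"
fi
```

For a header edit that has to survive being reapplied, or carried forward to a newer OpenSSL whose SSL_OP_ALL may differ, the AND-NOT form is the one that keeps meaning "this option is off".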
 
Old 10-28-2009, 04:49 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by malar View Post
I am taking your comment to mean that you didn't see any obvious errors in how I went about it
Yes. Looks good to me. However the proof is in the pudding...


Quote:
Originally Posted by malar View Post
The finding is from a Qualys scan, and it didn't include a CVE number but the QID is "38284 - Netscape/OpenSSL Cipher Forcing Bug".
I had a look at 1 and 2 and 'man SSL_CTX_set_options', but this looks like an SSL / Netscape compatibility issue, not a "real" vulnerability. Of course I'm no guru.
 
  

