LinuxQuestions.org
Old 02-11-2023, 05:28 AM   #1
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 167

Rep: Reputation: Disabled
Question OpenSSL conundrum


Considering the recent problems discovered in OpenSSL (and in general) one may be faced with the prospect of upgrading OpenSSL version to a newer one than the distro default.

Today this is applicable to Slackware-14.2 (which I know, it's old, but I have many migration details to solve before I can make the full distro upgrade), but later in 2023 it will apply to Slackware-15.0 as well (openssl-1.1.1 support ends in September).

Can Slackware-14.2 (maybe even 14.1) be upgraded to openssl-1.1.1 series?
What packages need to be rebuilt when doing such an upgrade, assuming there aren't many in the way of incompatibilities at source level?

Of course this is meant as a short term fix against the published security problems until a full migration can be perfected.

Thank you.
 
Old 02-11-2023, 05:55 AM   #2
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,780

Rep: Reputation: 1459
Quote:
Originally Posted by andrixnet View Post
Can Slackware-14.2 (maybe even 14.1) be upgraded to openssl-1.1.1 series?
What packages need to be rebuilt when doing such an upgrade, assuming there aren't many in the way of incompatibilities at source level?
I guess there are lots of incompatibilities at source level. But anyway, in Slackware64-14.2, let's check directories /lib64, /usr/lib64, /usr/sbin, /bin, /usr/bin, /usr/libexec for files linked to libcrypto.so.1 of openssl. (There could be stuff elsewhere, too)
Code:
$ (cd /;for f in lib64/*.so* usr/lib64/*.so* usr/sbin/* bin/* usr/bin/* usr/libexec/*; do objdump -x $f 2>/dev/null|grep NEEDED|grep -q libcrypto.so.1$ && echo $f ; done)|sed -e 's/^/^/' -e 's/$/$/'> ~/libcrypto.list
$ (cd /var/adm/packages;grep -lf ~/libcrypto.list *)|sed 's/-[^-]*-[^-]*-[^-]*$//'
prints this output:
Code:
NetworkManager
aaa_elflibs
alpine
apr-util
bind
curl
epic5
fetchmail
gftp
gkrellm
gvfs
hexchat
hplip
htdig
httpd
imapd
irssi
lftp
libarchive
libevent
libgpod
libimobiledevice
libmsn
libssh2
libvncserver
links
lynx
mailx
mariadb
moc
mutt
neon
net-snmp
netatalk
nmap
ntp
openldap-client
openssh
openssl
openssl-solibs
openvpn
php
pidentd
popa3d
ppp
proftpd
pulseaudio
rdesktop
rsync
sendmail
serf
slrn
snownews
stunnel
subversion
sudo
tcpdump
usbmuxd
virtuoso-ose
vsftpd
wget
wpa_supplicant
x3270

Last edited by Petri Kaukasoina; 02-11-2023 at 08:03 AM. Reason: Fixes. The latest was to anchor the beginning and the end of the file name with ^ and $.
 
2 members found this post helpful.
Old 02-11-2023, 12:39 PM   #3
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 167

Original Poster
Rep: Reputation: Disabled
That is a good starting point. Thank you.
 
1 members found this post helpful.
Old 02-11-2023, 12:49 PM   #4
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,780

Rep: Reputation: 1459
There are 14 more packages with files in other directories. I wrote a script to check all the executable files of every installed package:

Code:
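#!/bin/sh
# Regex for the DT_NEEDED entries of the OpenSSL shared libraries.
LIB='libcrypto.so.1$|libssl.so.1$'
cd /var/adm/packages || exit 1
for pkg in *; do
( cd /
  # Skip the package log header up to the start of the file list.
  while read -r line; do
    [ "$line" = "FILE LIST:" ] && break
  done
  # Print the package once, at its first executable file linked to OpenSSL.
  while read -r f; do
    [ -x "$f" ] && objdump -x "$f" 2>/dev/null|grep NEEDED|grep -Eq "$LIB" && echo "$pkg" && break
  done 
) < "$pkg"
done | sed -u 's/-[^-]*-[^-]*-[^-]*$//'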
And the output:
Code:
GConf
M2Crypto
NetworkManager
aaa_elflibs
alpine
apr-util
bind
curl
cyrus-sasl
epic5
fetchmail
gftp
git
gkrellm
gvfs
hexchat
hplip
htdig
httpd
imapd
irssi
lftp
libarchive
libevent
libgpod
libimobiledevice
libmsn
libssh2
libvncserver
links
lynx
mailx
mariadb
moc
mutt
neon
net-snmp
netatalk
nmap
ntp
openldap-client
openssh
openssl
openssl-solibs
openvpn
perl
php
pidentd
popa3d
ppp
proftpd
pulseaudio
pycurl
python
qca
qt
rdesktop
redland
rsync
ruby
sane
sendmail
serf
slrn
snownews
stunnel
subversion
sudo
tcpdump
tumbler
ulogd
usbmuxd
virtuoso-ose
vsftpd
wget
wpa_supplicant
x3270

Last edited by Petri Kaukasoina; 02-12-2023 at 05:54 AM.
 
2 members found this post helpful.
Old 02-13-2023, 08:25 AM   #5
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2749
Just for fun, I built the parallel package from Slackware 15.0 in a clean, up to date Slackware 14.2 install, so that I could try the script originally posted by our BDFL. (There is now a later version.)

After the initial hiccups of needing to run parallel on its own to do the 'will cite' acceptance, and adapting the script to the previous package log location (sed -i 's:/var/lib/pkgtools/packages:/var/log/packages:g' find-whatlinksagainst.sh),
I ran './find-whatlinksagainst.sh openssl-1.0.2u-x86_64-4_slack14.2 | tee packagelist.txt' to generate the attached output.

Comments - The immediately interesting stuff is towards the end.
The UNKNOWN package mentioned in the output is sendmail, triggered by /usr/bin/sendmail being a symlink to /usr/sbin/sendmail.
Because I did not set up a PKGSOURCE, the package Series is not reported.
Attached Files
File Type: txt packagelist.txt (45.6 KB, 4 views)
 
3 members found this post helpful.
Old 02-13-2023, 09:40 AM   #6
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,780

Rep: Reputation: 1459
I compared the package list against mine in https://www.linuxquestions.org/quest...0/#post6410612. The difference is 23 packages that you have and I don't. But I can't see why they are included:
Code:
gawk
gcc
gcc-g++
gcc-gfortran
gcc-gnat
gcc-go
gcc-java
gcc-objc
glib-networking
gmp
gnu-cobol
gnutls
gtk+2
gtk+3
guile
gutenprint
kcalc
libktorrent
libmpc
lxc
mpfr
nettle
nftables
Oh, I see it now. I guess all (?) of these were false positives because they link to /usr/lib64/libgmp.so.10 and openssl contains a totally different /usr/lib64/engines/libgmp.so.
 
2 members found this post helpful.
Old 02-13-2023, 09:53 AM   #7
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,780

Rep: Reputation: 1459
By the way, here is another version of my script. Now printing the names of the individual files linking to openssl, as was in the beginning of your output.
Code:
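#!/bin/sh
# Regex for the DT_NEEDED entries of the OpenSSL shared libraries.
LIB='libcrypto.so.1$|libssl.so.1$'
cd /var/adm/packages || exit 1
for pkg in *; do
( cd /
  # Skip the package log header up to the start of the file list.
  while read -r line; do
    [ "$line" = "FILE LIST:" ] && break
  done
  # Print every executable file of the package that is linked to OpenSSL.
  while read -r f; do
    [ -x "$f" ] && objdump -x "$f" 2>/dev/null|grep NEEDED|grep -Eq "$LIB" && echo "$pkg": /"$f"
  done 
) < "$pkg"
done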
 
1 members found this post helpful.
Old 02-13-2023, 09:53 AM   #8
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2749
Just goes to show that this is not a trivial exercise.
 
1 members found this post helpful.
Old 02-13-2023, 10:02 AM   #9
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,780

Rep: Reputation: 1459
Quote:
Originally Posted by allend View Post
The UNKNOWN package mentioned in the output is sendmail, triggered by /usr/bin/sendmail being a symlink to /usr/sbin/sendmail.
I think that's because it found /usr/sbin/sendmail which does not exist in /var/adm/packages/sendmail-8.15.2-x86_64-2 because it is originally /usr/sbin/sendmail.new and the install script moves it to /usr/sbin/sendmail. My script does not notice it at all, because it tries to check /usr/sbin/sendmail.new which does not exist. (But it finds several other binaries in the sendmail package.)
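
An added example, not part of any post in this thread: a variant of the per-package scan that covers the two gaps discussed above, the basename false positive from post #6 (by comparing whole DT_NEEDED sonames) and the sendmail.new miss from post #9 (by mapping "name.new" to "name" when only the renamed file exists). ROOT, PKGDB and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# ROOT and PKGDB (assumed names) can be overridden to scan a mounted or test tree.
ROOT=${ROOT:-/}
PKGDB=${PKGDB:-/var/adm/packages}

# Reads "objdump -p" output on stdin. Succeeds only if a NEEDED entry is exactly
# one of the sonames grepped for in the thread, so a library that merely shares
# a basename with a file shipped by openssl (libgmp.so vs libgmp.so.10) is ignored.
needs_openssl() {
  awk '$1 == "NEEDED" && ($2 == "libcrypto.so.1" || $2 == "libssl.so.1") { hit = 1 }
       END { exit !hit }'
}

# Prints the on-disk paths from the FILE LIST of one package log. An entry
# "name.new" that install/doinst.sh moved into place is reported as "name".
pkg_files() {
  awk 'seen { print } /^FILE LIST:$/ { seen = 1 }' "$1" | while IFS= read -r f; do
    case $f in */|'') continue ;; esac          # skip directories and blanks
    if [ ! -e "$ROOT/$f" ] && [ -e "$ROOT/${f%.new}" ]; then
      f=${f%.new}
    fi
    printf '%s\n' "$f"
  done
}

# Prints "package: /path" for every executable regular file linked to OpenSSL.
scan() {
  for log in "$PKGDB"/*; do
    pkg_files "$log" | while IFS= read -r f; do
      [ -f "$ROOT/$f" ] && [ -x "$ROOT/$f" ] || continue
      objdump -p "$ROOT/$f" 2>/dev/null | needs_openssl &&
        printf '%s: /%s\n' "${log##*/}" "$f"
    done
  done
}

if [ -d "$PKGDB" ]; then scan; fi
```

A config file that was installed as "name.new" and never renamed is left as listed, so it still shows up under the name recorded in the package log.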
 
  

