[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

OpenSSL 0.9.6/0.9.7, LDAP, SSH, friends

Hey all,

  There are quite a few bugs that are probably because of the problem
  I'm about to describe (177868, 178061, 173821, probably others..) so
  it was felt that this might be something to make other developers
  aware of.

  Currently in Debian there are quite a few packages which still link
  against OpenSSL 0.9.6 (libldap2-tls, ssh-krb5, others).  Newer
  packages are being linked against OpenSSL 0.9.7 (ssh, etc).  The
  problem happens when these two end up getting linked into the same
  running program.  An example of how this can happen is this:

  ssh starts up and brings in 0.9.7.
  A user connects and PAM is configured to use libpam-ldap.
  libpam-ldap loads and brings in libldap2-tls.
  libldap2-tls loads and brings in 0.9.6.

  After this point basically anything involving SSL is questionable at
  best and very likely to give you a segfault.

  Methods to detect this include:
  strace the binary and see if it's loading 0.9.6 and 0.9.7
  set LD_DEBUG=files and run the binary and watch the output
  gdb the program, run it and when it segfaults run:
  info sharedlibrary

  gdb worked best for me since it gives a nice short list without lots
  of other information you don't need.  The specific library file I've
  seen is: 

  For the record I've heard of similar potential problems with libsasl7
  vs. libsasl2 which involves things like sendmail, slapd, etc.

  I don't have an overall solution to this, though I've heard much about
  versioned symbols perhaps being an answer.  I know that's been
  discussed on d-d some already though and don't know where that went.

  Trying to keep this short, just be on alert for these issues when you
  see bug reports come in about segfaults with these and related

	Good luck,


Attachment: pgpgGasoXucYL.pgp
Description: PGP signature

Reply to: