
Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL

On Sun, Jul 13, 2014 at 02:02:18PM +0200, Matthias Urlichs wrote:
> Hi,
> Bernhard R. Link:
> > * Mike Hommey <mh@glandium.org> [140713 12:55]:
> > > Contrary to what you seem to believe, this only really works if *both*
> > > libraries have versioned symbols. Otherwise, you can end up with
> > > libraries linked against the unversioned one using symbols from the
> > > versioned one at run time when both are loaded in the same address
> > > space.
> > 
> > Actually, "both having versioned symbols" is not enough.
> > It is either "both must always have had versioned symbols" or
> > "both must have versioned symbols now and every binary linked against
> > either must have been built (or rebuilt) after the symbols got
> > versioned".
> > 
> Bah. Thanks for the correction.
> However, it seems that the current OpenSSL package _does_ have
> fully-versioned symbols, at least if I understand "objdump -T"
> correctly.
> So the situation may not be as dire as this thread suggests.

Well, it kind of is. Because those versioned symbols in openssl come
from a debian patch, afaict. So while debian may be fine (as long as all
build-rdeps have been rebuilt since openssl got those versioned
symbols), other distros aren't covered, as well as binaries not
compiled on debian.
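
The `objdump -T` check discussed in this thread, as an added example that is not part of the original messages: it reports exported symbols that carry no version (the library side) and undefined references that carry none (a binary linked before the symbols were versioned). It assumes the column layout GNU `objdump -T` prints; `classify`, the `DEMO_1.0` tag and the `demo_*` symbols are hypothetical, and the sample table is constructed.

```python
import re
import subprocess
import sys

# Constructed sample in "objdump -T" layout; not output from a real library.
SAMPLE = """\
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*\t0000000000000000  GLIBC_2.2.5 memcpy
0000000000000000      DF *UND*\t0000000000000000              demo_read
0000000000000000 g    DO *ABS*\t0000000000000000  DEMO_1.0    DEMO_1.0
0000000000031a40 g    DF .text\t0000000000000052  DEMO_1.0    demo_new
0000000000031b00 g    DF .text\t000000000000001c  Base        demo_unversioned
0000000000031c00 g    DF .text\t0000000000000030 (DEMO_1.0)   demo_old
"""

# address, 7 flag characters, section, size, then "[version] [visibility] name"
ROW = re.compile(r"^[0-9a-f]+ .{7} (\S+)\s+[0-9a-f]+(.*)$")


def classify(objdump_text):
    """Split dynamic symbols into versioned/unversioned exports and imports."""
    result = {"exports": {"versioned": [], "unversioned": []},
              "imports": {"versioned": [], "unversioned": []}}
    for line in objdump_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        section, rest = m.group(1), m.group(2).split()
        if section == "*ABS*" or not rest:
            continue  # *ABS* rows are the version definitions themselves
        name = rest[-1]
        # Drop an optional visibility column (.protected, 0x..) before the name.
        extra = [t for t in rest[:-1] if not t.startswith((".", "0x"))]
        # "(TAG)" marks a non-default version; it still counts as versioned.
        version = extra[0].strip("()") if extra else ""
        side = "imports" if section == "*UND*" else "exports"
        state = "unversioned" if version in ("", "Base") else "versioned"
        result[side][state].append(name)
    return result


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the sample.
    text = (subprocess.run(["objdump", "-T", sys.argv[1]], capture_output=True,
                           text=True, check=True).stdout
            if len(sys.argv) > 1 else SAMPLE)
    for side, states in classify(text).items():
        print(side, "without a version:", states["unversioned"] or "none")
```

Run against the library, an empty "exports" list means every exported symbol is versioned; run against each dependent binary, unversioned "imports" that belong to that library indicate it was linked before the symbols were versioned.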

