Re: OpenSSL 1.1.0
On Thu, 24 Nov 2016, Adrian Bunk wrote:
> On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote:
> > On Thu, 24 Nov 2016, Kurt Roeckx wrote:
> >...
> > > > So, if Qt *ever* exposes its use of openssl anywere in its APIs, it
> > > > might not be safe. If it doesn't (i.e. at most you have a qt flag that
> > > > says "use SSL", etc), then it should be fine.
> > >
> > > It seems to be doing this in qtbase5-private-dev. Not sure if
> > > there are actually any users of it.
> >
> > If it does, all reverse *build* dependencies would need to be inspected,
> > then.
> >
> > AFAIK, that means they must not link to anything that could link to a
> > different libssl than the one used by qt5. If they do, everything needs
> > to be inspected down to the details to ensure nothing will ever leak
> > openssl contextes and data structures across a library boundary
> > (including the application).
>
> If inspection is not easily possible, then adding a dependency on
> libssl1.0-dev to qtbase5-private-dev should be sufficient to
> ensure that this is not leaked to a different OpenSSL version.
How so?
Consider the flattened tree (app is the root, - denotes a branch).
A - B - App - C - D
Where A and D are two versions of openssl. B and C are libs (suppose B
comes from qtbase5-private-dev) from different source packages.
--
Henrique Holschuh
Reply to: