[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1016085: marked as done (libqt5network5: depends on libssl3 but loads (wrong) file provided by libssl-dev instead)

Your message dated Thu, 13 Oct 2022 22:07:25 +0200
with message-id <Y0hv/YgU+l+ctnQp@vis.fritz.box>
and subject line Re: Bug#1016085: libqt5network5: depends on libssl3 but loads (wrong) file provided by libssl-dev instead
has caused the Debian Bug report #1016085,
regarding libqt5network5: depends on libssl3 but loads (wrong) file provided by libssl-dev instead
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1016085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016085
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: libqt5network5
Version: 5.15.4+dfsg-4
Severity: serious
Justification: Policy 3.5

I have libssl 3.0.4-2 (satisfying the dependency of libqt5network5),
but libssl-dev 1.1.1n-0+deb11u3.

Starting QT applications gets on stdout/stderr stuff like

07-26 20:08:33:071 [ warning qt.network.ssl ]:	QSslSocket: cannot resolve SSL_get1_peer_certificate
07-26 20:08:33:071 [ warning qt.network.ssl ]:	QSslSocket: cannot resolve EVP_PKEY_get_base_id
07-26 20:08:33:071 [ warning qt.network.ssl ]:	QSslSocket: cannot resolve SSL_CTX_load_verify_dir
07-26 20:08:46:405 [ warning qt.network.ssl ]:	QSslSocket: cannot call unresolved function SSL_CTX_load_verify_dir
07-26 20:08:46:405 [ warning qt.network.ssl ]:	An error encountered while to set root certificates location: ""
07-26 20:08:46:409 [ warning qt.network.ssl ]:	QSslSocket: cannot call unresolved function SSL_get1_peer_certificate
07-26 20:08:46:409 [ warning qt.network.ssl ]:	QSslSocket: cannot call unresolved function SSL_get1_peer_certificate

and then the application fails to recognise any certificate as valid,
since it doesn't recognise any root CA.

An strace shows that it loads (my guess if with dlopen())
/usr/lib/x86_64-linux-gnu/libssl.so

That file is _not_ provided by _any_ direct or indirect dependency of
libqt5network5 but by libssl-dev.

So from a policy standpoint:

 * libqt5network5 _must_ _not_ require that file to function since it
   does not depend on libssl-dev; formally that is fulfilled since it
   will fallback to libssl.so.3 when libssl.so is not found.

 * libqt5network5 _must_ _not_ be broken by the presence of any
   particular version of that file since it does not conflict with any
   particular version of libssl-dev; that is the policy requirement
   that is not fulfilled.


In my opinion the best solution is to _never_ dlopen("libssl.so"), but
only every dlopen("libssl.so.3") since that is the ABI that you
expect, and what the package depends on.

>From a policy standpoint, it would also be acceptable (as in non-RC
buggy) to instead conflict on any version of libssl-dev that one is
not compatible with, but IMO that would be a pity.


-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (400, 'testing'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-15-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_LU.UTF-8, LC_CTYPE=fr_LU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libqt5network5 depends on:
ii  libc6                             2.33-8
ii  libgssapi-krb5-2                  1.18.3-6+deb11u1
ii  libqt5core5a [qtbase-abi-5-15-4]  5.15.4+dfsg-4
ii  libqt5dbus5                       5.15.4+dfsg-4
ii  libssl3                           3.0.4-2
ii  libstdc++6                        12.1.0-7
ii  zlib1g                            1:1.2.11.dfsg-2+deb11u1

libqt5network5 recommends no packages.

libqt5network5 suggests no packages.

-- no debconf information

-- 
Lionel Mamane
Tél: +352 46 67 74
Fax: +352 46 67 76

This message and any attachments may be intended to be confidential,
intended solely for the addressee and/or contain legally privileged
information. Any unauthorised use or dissemination is prohibited.
Unless cryptographically protected, emails are susceptible to
interception, alteration and spoofing, so in case of doubt, please
check by independent means.

We do not make any commitment by email, ever; if this emails appears
to contain a commitment, we will not recognise the latter as valid,
nor as engaging our liability. We make commitments only by a written
paper document signed by at least one person entitled to engage our
liability.

--- End Message ---
--- Begin Message --- 
Hi,
I can't reproduce this. Tested with minitube where libqt5network5 is loaded by ld. Also I can't find dlopen("libssl.so") in Debian: 

https://codesearch.debian.net/search?q=dlopen%28%22libssl.so%22%29

Given:


 APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (400, 'testing'), (300, 'unstable'), (1, 'experimental')
This looks like a mix of stable and unstable which is not supported an where such errors are expected: 

https://wiki.debian.org/DontBreakDebian#Don.27t_make_a_FrankenDebian

So closing. Please reopen if you can reproduce this in a clean system.

Cheers Jochen

* Lionel Elie Mamane <lionel@mamane.lu> [2022-07-26 20:31]:

Package: libqt5network5
Version: 5.15.4+dfsg-4
Severity: serious
Justification: Policy 3.5

I have libssl 3.0.4-2 (satisfying the dependency of libqt5network5),
but libssl-dev 1.1.1n-0+deb11u3.

Starting QT applications gets on stdout/stderr stuff like

07-26 20:08:33:071 [ warning qt.network.ssl ]:	QSslSocket: cannot resolve SSL_get1_peer_certificate
07-26 20:08:33:071 [ warning qt.network.ssl ]:	QSslSocket: cannot resolve EVP_PKEY_get_base_id
07-26 20:08:33:071 [ warning qt.network.ssl ]:	QSslSocket: cannot resolve SSL_CTX_load_verify_dir
07-26 20:08:46:405 [ warning qt.network.ssl ]:	QSslSocket: cannot call unresolved function SSL_CTX_load_verify_dir
07-26 20:08:46:405 [ warning qt.network.ssl ]:	An error encountered while to set root certificates location: ""
07-26 20:08:46:409 [ warning qt.network.ssl ]:	QSslSocket: cannot call unresolved function SSL_get1_peer_certificate
07-26 20:08:46:409 [ warning qt.network.ssl ]:	QSslSocket: cannot call unresolved function SSL_get1_peer_certificate

and then the application fails to recognise any certificate as valid,
since it doesn't recognise any root CA.

An strace shows that it loads (my guess if with dlopen())
/usr/lib/x86_64-linux-gnu/libssl.so

That file is _not_ provided by _any_ direct or indirect dependency of
libqt5network5 but by libssl-dev.

So from a policy standpoint:

* libqt5network5 _must_ _not_ require that file to function since it
  does not depend on libssl-dev; formally that is fulfilled since it
  will fallback to libssl.so.3 when libssl.so is not found.

* libqt5network5 _must_ _not_ be broken by the presence of any
  particular version of that file since it does not conflict with any
  particular version of libssl-dev; that is the policy requirement
  that is not fulfilled.


In my opinion the best solution is to _never_ dlopen("libssl.so"), but
only every dlopen("libssl.so.3") since that is the ABI that you
expect, and what the package depends on.


From a policy standpoint, it would also be acceptable (as in non-RC

buggy) to instead conflict on any version of libssl-dev that one is
not compatible with, but IMO that would be a pity.


-- System Information:
Debian Release: 11.4
 APT prefers stable-updates
 APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (400, 'testing'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-15-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_LU.UTF-8, LC_CTYPE=fr_LU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libqt5network5 depends on:
ii  libc6                             2.33-8
ii  libgssapi-krb5-2                  1.18.3-6+deb11u1
ii  libqt5core5a [qtbase-abi-5-15-4]  5.15.4+dfsg-4
ii  libqt5dbus5                       5.15.4+dfsg-4
ii  libssl3                           3.0.4-2
ii  libstdc++6                        12.1.0-7
ii  zlib1g                            1:1.2.11.dfsg-2+deb11u1

libqt5network5 recommends no packages.

libqt5network5 suggests no packages.

-- no debconf information

--
Lionel Mamane
Tél: +352 46 67 74
Fax: +352 46 67 76

This message and any attachments may be intended to be confidential,
intended solely for the addressee and/or contain legally privileged
information. Any unauthorised use or dissemination is prohibited.
Unless cryptographically protected, emails are susceptible to
interception, alteration and spoofing, so in case of doubt, please
check by independent means.

We do not make any commitment by email, ever; if this emails appears
to contain a commitment, we will not recognise the latter as valid,
nor as engaging our liability. We make commitments only by a written
paper document signed by at least one person entitled to engage our
liability.


* Johannes Sebastian Lade <johannes.lade@yahoo.com> [2022-09-27 11:41]:

I just wanted to ask if there is any progress on this bug?

Attachment: signature.asc
Description: PGP signature


--- End Message ---
Reply to: