openssl and bash libcrypto

Pierre Guinoiseau pierre at guinoiseau.eu
Fri Apr 10 22:26:43 UTC 2015


On 4/10/2015 9:07 AM, Dewayne Geraghty wrote:
> 
> 
> On 10/04/2015 11:47 AM, Aristedes Maniatis wrote:
>> Dewayne Geraghty wrote:
>>> Most likely there was a port build that required openssl port, and also required
>>> something like libarchive or libfetch (for example), both require openssl base
>>> (I've found net-mgmt/net-snmp does this).  Your bt reveals that the symbol table
>>> is confused, as expected. 
>> Ah, that's a good help. So I can easily core dump /usr/bin/vi by trying to edit any file. Forgive my ignorance of C debugging, but I'll stumble through this:
>>
>> 1. I attach gdb to the application and load the core dump.
>> 2. It tries to read symbols from a bunch of system libraries.
>> 3. In amongst all those libraries are some located in /usr/local:
>>
>>   /usr/local/lib/nss_ldap.so.1
>>   /usr/local/lib/libldap-2.4.so.2
>>   /usr/local/lib/liblber-2.4.so.2
>>   /usr/local/lib/libssl.so.8
>>   /usr/local/lib/libcrypto.so.8
>>
>> So the whole chain of problems originates from nss_ldap. But I'm confused about what I'm looking at here.
>>
>> Did vi try to load some access control library when it tried to write a file out to disk, and then that loaded nsswitch which in turn I've tied into the nss_ldap port, and then from there it was a slippery slope to disaster of conflicting libraries?
>>
>> I'll try building nss_ldap against base openssl and see if that helps, but can someone help explain the naming here. Why do we have /usr/local/lib/libcrypto.so.8 but lib/libcrypto.so.7? Was this done when the openssl port moved from 1.0.1 to 1.0.2? Isn't there usually a warning in UPDATING when we need to rebuild all ports for that reason?
>>
>> If all ports move to only use openssl from ports, then how does my example above get fixed? Doesn't it make it all worse?
>>
>>
>> So many questions! Thanks for all the help in understanding this.
>>
>> Ari
>>
>>
> Ari,
> Anything under /usr/local/ should be regarded as coming from /usr/ports
> - that is, it is *not* part of the base system.  /lib and /usr/lib are
> part of the base system.  If your system is crashing due to /usr/bin/vi
> which is part of the base system, then something is very wrong with the
> system.  I'm guessing but is it possible that you've installed 32 libs
> onto a 64 base system, or the other way around?
> 
> I can't see how vi needs anything under /usr/local, as it's from the
> "base" system - so I guess others may need to step up to assist.
> Regards, Dewayne
> 

As he said, he's using nss_ldap, which is dynamically loaded by almost
everything from the ports _and_ the base system if ldap is enabled in
/etc/nsswitch.conf, that's why /usr/bin/vi crashes too. I have the same
problem in jails with nss_ldap installed and configured, even a simple
ls -l would segfault. As a result, I have downgraded openssl to 1.0.1
and wait until a fix comes out.

-- 
Pierre Guinoiseau <pierre at guinoiseau.eu>
http://segmentationfau.lt/ | +PierreGuinoiseau | @peikk00

More information about the freebsd-ports mailing list