[pkg-cryptsetup-devel] Bug#963721: Bug#963721: libcryptsetup12 v2:2.3.3-1 seems to be breaking libssl somehow

Guilhem Moulin guilhem at debian.org
Sat Jun 27 18:46:57 BST 2020


Control: reassign -1 libmount1
Control: found -1 2.35.2-6
Control: retitle -1 libmount1 pulls in libssl 1.1 and breaks software statically linked against libcrypto 1.0

On Sat, 27 Jun 2020 at 01:08:49 -0400, Christian Weeks wrote:
>> Unless there is a reproducer involving a targeted libcryptsetup12
>> upgrade I don't think this belong here :-P  Aside from documentation
>> files, the only thing libcryptsetup12 (2:2.1.0-5+deb10u2 and 2:2.3.3-1)
>> ships is libcryptsetup.so.12*.  It doesn't touch libssl.
> 
> It seems that libcryptsetup + the new libmount1 dependency on same are
> the root cause somehow. Sorry for the confusion.

To the util-linux maintainers: the following link from #message26 appears
relevant: https://github.com/ValveSoftware/steam-for-linux/issues/6861#issuecomment-584379611

Starting with 2.1 cryptsetup upstream started using libssl as
cryptographic backend for LUKS header processing; this is already the
case in Buster and while other backends are supported I'm very reluctant
to diverge from upstream's sane defaults here.

So software dynamically linked against libmount ≥2.35.2-5 will
transitively pull in libssl.so.1.1, which due to symbol clashes appears
to crash software statically linked against libssl1.0.  Unfortunately
I've not been able to find a standalone reproducer using a PoC
executable and I didn't look further.

I'm not sure this bug should be RC, or if it's even valid in the first
place (it's arguably a steam bug).  Reassigning to libmount1 anyway as
the regression follows #951048.

Cheers,
-- 
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20200627/774015fd/attachment.sig>


More information about the pkg-cryptsetup-devel mailing list