[Pkg-openssl-devel] Bug#571810: Bug#571810: New version breaks encfs containers (maybe other software related too!)

Klaus Ethgen Klaus at Ethgen.de
Sun Feb 28 12:57:26 UTC 2010


Hi,

On Sun, 28 Feb 2010 at 13:28, Kurt Roeckx wrote:
> On Sun, Feb 28, 2010 at 09:18:11AM +0100, Klaus Ethgen wrote:
> > Package: openssl
> > Version: 0.9.8m-1
> > Severity: critical
> > 
> > The newest update of openssl breaks encryption software like encfs to
> > shred data on the end of many files.
> > 
> > This is a serious data loss!
> 
> Can you provide more information about this?

Sorry, I have no idea.

I just downgraded back to release 0.9.8k-8 and pinned the version
0.9.8m-1 as bad.

As I wrote, the error happens at the end of some files on an encfs
encrypted filesystem. The file just has garbage there. I have no idea
what might trigger the bug, but reproducing it should be easy:
- Install openssl and libssl0.9.8 before version 0.9.8m-1
- Create an encfs dir (I use ssl/blowfish as cipher)
- Put some files from several bytes to several kilobytes into that
  directory
- Upgrade to version 0.9.8m-1 of openssl
- Mount and verify the files in the encfs container

Some errors I remember:
- File length 362, just text, was corrupted after around byte 320.
- File length 3134, secring.gpg from gpg, was corrupted at unknown
  position.
- The rtorrent cache and some torrent files as well as some of the
  files therein were corrupted.

I hope that will help to reproduce the bug. Maybe you can bisect it.

Regards
   Klaus
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
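Added example, not part of the original message or of the openssl/encfs packages: one way to carry out the "verify the files" step of the reproduction above. It records per-block SHA-256 digests of the mounted encfs directory before the upgrade and reports the offset of the first damaged block afterwards. The 64-byte block size and all function names are assumptions chosen for illustration.

```python
import hashlib
import os

BLOCK = 64  # assumed granularity for locating damage; not an encfs parameter


def block_digests(path, block=BLOCK):
    """Return (size, [sha256 hex digest of each block]) for one file."""
    digests, size = [], 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block)
            if not chunk:
                break
            size += len(chunk)
            digests.append(hashlib.sha256(chunk).hexdigest())
    return size, digests


def snapshot(root):
    """Run before the upgrade: map each relative path to size and digests."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = block_digests(full)
    return manifest


def verify(root, manifest):
    """Run after the upgrade: return {relpath: problem} for changed files."""
    problems = {}
    for rel, (size, digests) in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
            continue
        new_size, new_digests = block_digests(full)
        for i, (old, new) in enumerate(zip(digests, new_digests)):
            if old != new:
                problems[rel] = f"first damaged block at byte offset {i * BLOCK}"
                break
        else:
            # All shared blocks match, so only a length change remains possible.
            if new_size != size:
                problems[rel] = f"size changed from {size} to {new_size}"
    return problems
```

Keep the manifest outside the encfs mount (for example serialized with json) so it is not read back through the library under test.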




