[Pkg-openssl-devel] Bug#571810: Bug#571810: New version breaks encfs containers (maybe other software related too!)
Kurt Roeckx
kurt at roeckx.be
Sun Feb 28 14:15:51 UTC 2010
On Sun, Feb 28, 2010 at 01:57:26PM +0100, Klaus Ethgen wrote:
> Hi,
>
> On Sun, 28 Feb 2010 at 13:28, Kurt Roeckx wrote:
> > On Sun, Feb 28, 2010 at 09:18:11AM +0100, Klaus Ethgen wrote:
> > > Package: openssl
> > > Version: 0.9.8m-1
> > > Severity: critical
> > >
> > > The newest update of openssl causes encryption software like encfs to
> > > shred data at the end of many files.
> > >
> > > This is a serious data loss!
> >
> > Can you provide more information about this?
>
> Sorry, I have no idea.
>
> I just downgraded back to release 0.9.8k-8 and pinned the version
> 0.9.8m-1 as bad.
>
> As I wrote, the error happens at the end of some files on an encfs
> encrypted filesystem. The file just has garbage there. I have no idea
> what might trigger the bug but reproducing it should be easy:
> - install openssl and libssl0.9.8 before version 0.9.8m-1
> - Create an encfs dir (I use ssl/blowfish as cipher)
> - Put some files from several bytes to several kilobytes into that
> directory
> - Upgrade to version 0.9.8m-1 of openssl
> - Mount and verify the files in the encfs container
>
> Some errors I remember:
> - File length 362, just text was corrupted after around byte 320.
> - File length 3134, secring.gpg from gpg was corrupted at unknown
> position.
> - The rtorrent cache and some torrent files as well as some of the
> files therein were corrupted.
>
> I hope that will help to reproduce the bug. Maybe you can bisect it.

I can't find anything obviously wrong in the changes between the 2
versions. There were no changes to the blowfish code for instance,
and the regression tests should have found that something broke.

Can you try and build encfs against the newest libssl-dev and see
if that fixes it? In that case it's some ABI breakage that I
missed.

Kurt
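
A way to carry out the last reproduction step ("Mount and verify the files") with measurable output, as an added example that is not part of the original messages: it compares a plaintext reference copy taken before the upgrade with the mounted encfs view and reports the first corrupted byte offset of each damaged file. The directory layout, function names and sample data are assumptions constructed for illustration.

```python
import os
import tempfile

def first_diff(ref_path, test_path, chunk=65536):
    """Return the offset of the first differing byte, or None if identical."""
    offset = 0
    with open(ref_path, "rb") as ref, open(test_path, "rb") as test:
        while True:
            a, b = ref.read(chunk), test.read(chunk)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))  # one file is shorter
            if not a:
                return None
            offset += len(a)

def compare_trees(ref_dir, mount_dir):
    """List (relative_path, ref_size, first_bad_offset) per damaged file; -1 = missing."""
    damaged = []
    for root, _dirs, files in os.walk(ref_dir):
        for name in files:
            ref_path = os.path.join(root, name)
            rel = os.path.relpath(ref_path, ref_dir)
            test_path = os.path.join(mount_dir, rel)
            size = os.path.getsize(ref_path)
            if not os.path.isfile(test_path):
                damaged.append((rel, size, -1))
                continue
            off = first_diff(ref_path, test_path)
            if off is not None:
                damaged.append((rel, size, off))
    return sorted(damaged)

def demo():
    """Constructed sample: a 362-byte file whose content differs from byte 320 on."""
    good = bytes(range(256)) + bytes(106)  # 362 bytes, constructed
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as mnt:
        for d, note in ((ref, good), (mnt, good[:320] + b"\xff" * 42)):
            for name, data in (("note.txt", note), ("ok.bin", b"unchanged" * 400)):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        return compare_trees(ref, mnt)

if __name__ == "__main__":
    for rel, size, off in demo():
        print(f"{rel}: size {size}, first bad byte at {off}")
```

Point `compare_trees` at the reference copy and at the mounted plaintext directory after the upgrade; offsets clustered near each file's size match the tail corruption described in the report.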