[Pkg-openssl-devel] Bug#571810: Bug#571810: New version breaks encfs containers (maybe other software related too!)

Kurt Roeckx kurt at roeckx.be
Sun Feb 28 15:10:31 UTC 2010


On Sun, Feb 28, 2010 at 03:15:51PM +0100, Kurt Roeckx wrote:
> On Sun, Feb 28, 2010 at 01:57:26PM +0100, Klaus Ethgen wrote:
> > Hi,
> > 
> > On Sun, 28 Feb 2010 at 13:28, Kurt Roeckx wrote:
> > > On Sun, Feb 28, 2010 at 09:18:11AM +0100, Klaus Ethgen wrote:
> > > > Package: openssl
> > > > Version: 0.9.8m-1
> > > > Severity: critical
> > > > 
> > > > The newest update of openssl breaks encryption software like encfs to
> > > > shred data on the end of many files.
> > > > 
> > > > This is a serious data loss!
> > > 
> > > Can you provide more information about this?
> > 
> > Sorry, I have no idea.
> > 
> > I just downgraded back to release 0.9.8k-8 and pinned the version
> > 0.9.8m-1 as bad.
> > 
> > As I wrote, the error happens at the end of some files on an encfs
> > encrypted filesystem. The file just has garbage there. I have no idea
> > what might trigger the bug but reproducing it should be easy:
> > - install openssl and libssl0.9.8 before version 0.9.8m-1
> > - Create an encfs dir (I use ssl/blowfish as cipher)
> > - Put some files from several bytes to several kilobytes into that
> >   directory
> > - Upgrade to version 0.9.8m-1 of openssl
> > - Mount and verify the files in the encfs container
> > 
> > Some errors I remember:
> > - File length 362, just text was corrupted after around byte 320.
> > - File length 3134, secring.gpg from gpg was corrupted at unknown
> >   position.
> > - The rtorrent cache and some torrent files as well as some of the
> >   files therein were corrupted.
> > 
> > I hope that will help to reproduce the bug. Maybe you can bisect it.
> 
> I can't find anything obviously wrong in the changes between the 2
> versions.  There were no changes to the blowfish code for instance,
> and the regression tests should have found that something broke.
> 
> Can you try and build encfs against the newest libssl-dev and see
> if that fixes it?  In that case it's some ABI breakage that I
> missed.

I just ran the regression tests against the old library, can't
find an error in that case, so that's probably not the problem ...


Kurt





