[Pkg-openssl-devel] Bug#571810: Bug#571810: New version breaks encfs containers (maybe other software related too!)
Kurt Roeckx
kurt at roeckx.be
Sun Feb 28 15:10:31 UTC 2010
On Sun, Feb 28, 2010 at 03:15:51PM +0100, Kurt Roeckx wrote:
> On Sun, Feb 28, 2010 at 01:57:26PM +0100, Klaus Ethgen wrote:
> > Hi,
> >
> > On Sun, 28 Feb 2010 at 13:28, Kurt Roeckx wrote:
> > > On Sun, Feb 28, 2010 at 09:18:11AM +0100, Klaus Ethgen wrote:
> > > > Package: openssl
> > > > Version: 0.9.8m-1
> > > > Severity: critical
> > > >
> > > > The newest update of openssl breaks encryption software like encfs to
> > > > shred data on the end of many files.
> > > >
> > > > This is a serious data loss!
> > >
> > > Can you provide more information about this?
> >
> > Sorry, I have no idea.
> >
> > I just downgraded back to release 0.9.8k-8 and pinned the version
> > 0.9.8m-1 as bad.
> >
> > As I wrote, the error happens at the end of some files on an encfs
> > encrypted filesystem. The file just has garbage there. I have no idea
> > what might trigger the bug but the reproducing should be easy:
> > - install openssl and libssl0.9.8 before version 0.9.8m-1
> > - Create an encfs dir (I use ssl/blowfish as cipher)
> > - Put some files from several bytes to several kilobytes into that
> > directory
> > - Upgrade to version 0.9.8m-1 of openssl
> > - Mount and verify the files in the encfs container
> >
> > Some errors I remember:
> > - File length 362, just text was corrupted after around byte 320.
> > - File length 3134, secring.gpg from gpg was corrupted at unknown
> > position.
> > - The rtorrent cache and some torrent files as well as some of the
> > files therein were corrupted.
> >
> > I hope that will help to reproduce the bug. Maybe you can bisect it.
>
> I can't find anything obviously wrong in the changes between the 2
> versions. There were no changes to the blowfish code for instance,
> and the regression tests should have found that something broke.
>
> Can you try and build encfs against the newest libssl-dev and see
> if that fixes it? In that case it's some ABI breakage that I
> missed.
I just ran the regression tests against the old library, can't
find an error in that case, so that's probably not the problem ...
Kurt
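
One way to carry out the "Mount and verify" step of the reproduction list quoted above, as an added example that is not part of the original thread: it compares a plaintext reference copy of the files with what is read back through the encfs mount and reports where each damaged file first diverges, which shows whether the damage sits at the tail as the report describes. The function names `first_diff` and `check_tree` and the existence of a pre-upgrade reference copy are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes REF_DIR is a plaintext copy
# of the files taken before the upgrade and MNT_DIR is the mounted encfs view.

# Print the 1-based offset of the first differing byte, or 0 if identical.
first_diff() {
    a_file=$1; b_file=$2
    if cmp -s "$a_file" "$b_file"; then echo 0; return 0; fi
    # cmp -l lists each differing byte as "offset octal octal".
    off=$(cmp -l "$a_file" "$b_file" 2>/dev/null | head -n 1 | awk '{print $1}')
    if [ -z "$off" ]; then
        # Common prefix matches, so one file is shorter than the other.
        a_len=$(($(wc -c < "$a_file"))); b_len=$(($(wc -c < "$b_file")))
        if [ "$a_len" -lt "$b_len" ]; then off=$((a_len + 1)); else off=$((b_len + 1)); fi
    fi
    echo "$off"
}

# Report every file under REF_DIR whose copy under MNT_DIR is missing or
# differs. tail= is the byte count from the first bad offset to the end of
# the reference file. Returns 1 if anything was reported.
# File names containing newlines are not supported.
check_tree() {
    ref_dir=$1; mnt_dir=$2; bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        rel=${f#"$ref_dir"/}
        got=$mnt_dir/$rel
        if [ ! -f "$got" ]; then echo "$rel MISSING"; bad=1; continue; fi
        off=$(first_diff "$f" "$got")
        if [ "$off" -ne 0 ]; then
            len=$(($(wc -c < "$f")))
            echo "$rel len=$len first_bad=$off tail=$((len - off + 1))"
            bad=1
        fi
    done <<EOF
$(find "$ref_dir" -type f | sort)
EOF
    [ "$bad" -eq 0 ]
}

# Usage: sh verify.sh REF_DIR MNT_DIR
if [ "$#" -eq 2 ]; then check_tree "$1" "$2"; fi
```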