[php-maint] Debian PHP5 source package - static openssl patch has no effect since PHP5.3
Lior Kaplan
kaplan at debian.org
Mon Apr 27 17:30:10 UTC 2015
We should probably understand first the motivation for the original patch.
At the moment (without any digging into the VCS), I would prefer the
dynamic linking for security reasons.
With the patch, we need to binNMU on each security upload, while without it
we only need to binNMU if a header is changed.
Kaplan
On Mon, Apr 27, 2015 at 8:22 PM, Declercq Laurent <l.declercq at nuxwin.com>
wrote:
> On 26/04/2015 14:07, Lior Kaplan wrote:
>
>> It seems we can remove the patch, as since 2011 -lcrypto is indeed added
>> later in acinclude.m4.
>>
>> See upstream commit a286fa3523b230fded3204d8b09381675f70d85c
>>
>> Kaplan
>>
>
> Re;
>
> According to my previous mails, I've made some tests and I've refreshed
> the patch to force usage of the static openssl archive.
>
> First, I give you some info about my environment:
>
>
> ##############################################################################
> root@jessie:/usr/local/src/phpswitcher/php-5.6.8# lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description: Debian GNU/Linux 8.0 (jessie)
> Release: 8.0
> Codename: jessie
>
> root@jessie:/usr/local/src/phpswitcher/php-5.6.8# dpkg-architecture
> DEB_BUILD_ARCH=amd64
> DEB_BUILD_ARCH_BITS=64
> DEB_BUILD_ARCH_CPU=amd64
> DEB_BUILD_ARCH_ENDIAN=little
> DEB_BUILD_ARCH_OS=linux
> DEB_BUILD_GNU_CPU=x86_64
> DEB_BUILD_GNU_SYSTEM=linux-gnu
> DEB_BUILD_GNU_TYPE=x86_64-linux-gnu
> DEB_BUILD_MULTIARCH=x86_64-linux-gnu
> DEB_HOST_ARCH=amd64
> DEB_HOST_ARCH_BITS=64
> DEB_HOST_ARCH_CPU=amd64
> DEB_HOST_ARCH_ENDIAN=little
> DEB_HOST_ARCH_OS=linux
> DEB_HOST_GNU_CPU=x86_64
> DEB_HOST_GNU_SYSTEM=linux-gnu
> DEB_HOST_GNU_TYPE=x86_64-linux-gnu
> DEB_HOST_MULTIARCH=x86_64-linux-gnu
> DEB_TARGET_ARCH=amd64
> DEB_TARGET_ARCH_BITS=64
> DEB_TARGET_ARCH_CPU=amd64
> DEB_TARGET_ARCH_ENDIAN=little
> DEB_TARGET_ARCH_OS=linux
> DEB_TARGET_GNU_CPU=x86_64
> DEB_TARGET_GNU_SYSTEM=linux-gnu
> DEB_TARGET_GNU_TYPE=x86_64-linux-gnu
> DEB_TARGET_MULTIARCH=x86_64-linux-gnu
>
> root@jessie:/usr/local/src/phpswitcher/php-5.6.8# dpkg-buildflags
> CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
> CPPFLAGS=-D_FORTIFY_SOURCE=2
> CXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
> FCFLAGS=-g -O2 -fstack-protector-strong
> FFLAGS=-g -O2 -fstack-protector-strong
> GCJFLAGS=-g -O2 -fstack-protector-strong
> LDFLAGS=-Wl,-z,relro
> OBJCFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
> OBJCXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
>
> ##############################################################################
>
> Now comes the result with your current patch applied:
>
>
> ##############################################################################
> root@jessie:/var/www/imscp/gui/plugins/PhpSwitcher/PhpCompiler# ldd /usr/bin/php
> linux-vdso.so.1 (0x00007ffdfd7fb000)
> libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa7a7f02000)
> libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa7a7ce7000)
> libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fa7a7acf000)
> libonig.so.2 => /usr/lib/x86_64-linux-gnu/libonig.so.2 (0x00007fa7a7865000)
> libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fa7a746a000)
> libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fa7a7209000)
> libdb-5.3.so => /usr/lib/x86_64-linux-gnu/libdb-5.3.so (0x00007fa7a6e48000)
> libqdbm.so.14 => /usr/lib/libqdbm.so.14 (0x00007fa7a6bfb000)
> libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007fa7a69ea000)
> libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa7a677c000)
> librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa7a6574000)
> libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fa7a6272000)
> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa7a606e000)
> libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fa7a5e56000)
> libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fa7a5aee000)
> libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fa7a58a4000)
> libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fa7a55d0000)
> libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fa7a539e000)
> libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fa7a519a000)
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa7a4df1000)
> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa7a4bd3000)
> /lib64/ld-linux-x86-64.so.2 (0x00007fa7a8145000)
> liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fa7a49b0000)
> libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fa7a47a3000)
> libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fa7a459f000)
>
> ##############################################################################
>
> As you can see here, openssl is still dynamically linked, which is bad with
> regard to the expected result.
>
> Now, with my refreshed patch (applied on PHP 5.6.8 (upstream)):
>
>
> ##############################################################################
> jessie:/usr/local/src/phpswitcher/php-5.6.8# ldd cgi-build/sapi/cli/php
> linux-vdso.so.1 (0x00007ffe337f8000)
> libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd2e7428000)
> libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd2e720d000)
> libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fd2e6ff5000)
> libonig.so.2 => /usr/lib/x86_64-linux-gnu/libonig.so.2 (0x00007fd2e6d8b000)
> libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fd2e6a80000)
> libdb-5.3.so => /usr/lib/x86_64-linux-gnu/libdb-5.3.so (0x00007fd2e66be000)
> libqdbm.so.14 => /usr/lib/libqdbm.so.14 (0x00007fd2e6471000)
> libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007fd2e6261000)
> libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd2e5ff2000)
> librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fd2e5dea000)
> libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fd2e5ae9000)
> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd2e58e4000)
> libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fd2e56cc000)
> libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fd2e5365000)
> libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fd2e511a000)
> libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fd2e4e46000)
> libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fd2e4c15000)
> libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fd2e4a10000)
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd2e4667000)
> /lib64/ld-linux-x86-64.so.2 (0x00007fd2e766b000)
> libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fd2e4451000)
> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd2e4233000)
> liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fd2e4010000)
> libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fd2e3e03000)
> libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fd2e3bff000)
>
> ##############################################################################
>
> As you can see here, both libssl.so and libcrypto.so are no longer listed,
> but openssl is here as expected (part of php -i output):
>
> OpenSSL support => enabled
> OpenSSL Library Version => OpenSSL 1.0.1k 8 Jan 2015
> OpenSSL Header Version => OpenSSL 1.0.1k 8 Jan 2015
>
> The patch which is attached to this mail has been done against PHP 5.6.8
> (upstream).
>
> Should I create a report and submit the patch officially or not?
>
>
> Thank you for your interest.
>
>
> --
> Laurent Declercq
> iHMS/i-MSCP Project Lead
>
>
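
An added example, not part of the original mails or of the Debian packaging: the ldd comparison in this thread turned into a repeatable check that tells a shared OpenSSL dependency apart from an embedded copy, which is the case that needs a rebuild on every OpenSSL security upload. The function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Succeeds if the `ldd` output on stdin lists libssl or libcrypto as a shared
# dependency. libcrypt.so and libk5crypto.so do not match.
needs_shared_openssl() {
    grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so[.0-9]*[[:space:]]'
}

# Prints the first OpenSSL version banner found in the bytes of file $1.
embedded_openssl_banner() {
    LC_ALL=C grep -a -o -E \
        'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]* +[0-9]+ [A-Z][a-z]+ [0-9]+' "$1" \
        | head -n 1
}

# classify_openssl LDD_OUTPUT_FILE BINARY
# Prints "shared", "static: <banner>" or "none".
# The banner is consulted only after shared linkage is ruled out, because PHP
# compiles the header version string into dynamically linked builds as well.
classify_openssl() {
    if needs_shared_openssl < "$1"; then
        echo "shared"
    else
        banner=$(embedded_openssl_banner "$2")
        if [ -n "$banner" ]; then echo "static: $banner"; else echo "none"; fi
    fi
}

# Constructed sample data: two abridged ldd listings and a fake binary.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ldd-dynamic.txt" <<'EOF'
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x0)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x0)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x0)
EOF
cat > "$tmp/ldd-static.txt" <<'EOF'
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x0)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x0)
    libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x0)
EOF
printf '\177ELF\001\001OpenSSL 1.0.1k 8 Jan 2015\001padding\n' > "$tmp/php-fake"

classify_openssl "$tmp/ldd-dynamic.txt" "$tmp/php-fake"
classify_openssl "$tmp/ldd-static.txt" "$tmp/php-fake"
```

Against a real build, save `ldd` output for the binary to a file and pass that file and the binary path to `classify_openssl`; a "static" result is a heuristic based on the version banner, not proof of which objects were linked in.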