[php-maint] Debian PHP5 source package - static openssl patch has no effect since PHP5.3

Ondřej Surý ondrej at debian.org
Tue Apr 28 09:07:06 UTC 2015


The patch was there before me, so I have no clue. But I am all for
removing it.

O.

On Mon, Apr 27, 2015, at 19:30, Lior Kaplan wrote:
> We should probably understand first the motivation for the
> original patch.
>
> At the moment (without any digging into the VCS), I would prefer the
> dynamic linking for security reasons. With the patch, we need to
> binNMU on each security upload, while without it we only need to
> binNMU if a header is changed.
>
> Kaplan
>
> On Mon, Apr 27, 2015 at 8:22 PM, Declercq Laurent
> <l.declercq at nuxwin.com> wrote:
>> On 26/04/2015 14:07, Lior Kaplan wrote:
>>
>>> It seems we can remove the patch, as since 2011 -lcrypto is indeed added
>>> later in acinclude.m4.
>>>
>>> See upstream commit a286fa3523b230fded3204d8b09381675f70d85c
>>>
>>> Kaplan
>>
>> Re;
>>
>> According to my previous mails, I've made some tests and I've refreshed
>> the patch to force usage of the static openssl archive.
>>
>> First, I give you some info about my environment:
>>
>> ##############################################################################
>> root@jessie:/usr/local/src/phpswitcher/php-5.6.8# lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Debian
>> Description: Debian GNU/Linux 8.0 (jessie)
>> Release: 8.0
>> Codename: jessie
>>
>> root@jessie:/usr/local/src/phpswitcher/php-5.6.8# dpkg-architecture
>> DEB_BUILD_ARCH=amd64
>> DEB_BUILD_ARCH_BITS=64
>> DEB_BUILD_ARCH_CPU=amd64
>> DEB_BUILD_ARCH_ENDIAN=little
>> DEB_BUILD_ARCH_OS=linux
>> DEB_BUILD_GNU_CPU=x86_64
>> DEB_BUILD_GNU_SYSTEM=linux-gnu
>> DEB_BUILD_GNU_TYPE=x86_64-linux-gnu
>> DEB_BUILD_MULTIARCH=x86_64-linux-gnu
>> DEB_HOST_ARCH=amd64
>> DEB_HOST_ARCH_BITS=64
>> DEB_HOST_ARCH_CPU=amd64
>> DEB_HOST_ARCH_ENDIAN=little
>> DEB_HOST_ARCH_OS=linux
>> DEB_HOST_GNU_CPU=x86_64
>> DEB_HOST_GNU_SYSTEM=linux-gnu
>> DEB_HOST_GNU_TYPE=x86_64-linux-gnu
>> DEB_HOST_MULTIARCH=x86_64-linux-gnu
>> DEB_TARGET_ARCH=amd64
>> DEB_TARGET_ARCH_BITS=64
>> DEB_TARGET_ARCH_CPU=amd64
>> DEB_TARGET_ARCH_ENDIAN=little
>> DEB_TARGET_ARCH_OS=linux
>> DEB_TARGET_GNU_CPU=x86_64
>> DEB_TARGET_GNU_SYSTEM=linux-gnu
>> DEB_TARGET_GNU_TYPE=x86_64-linux-gnu
>> DEB_TARGET_MULTIARCH=x86_64-linux-gnu
>>
>> root@jessie:/usr/local/src/phpswitcher/php-5.6.8# dpkg-buildflags
>> CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
>> CPPFLAGS=-D_FORTIFY_SOURCE=2
>> CXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
>> FCFLAGS=-g -O2 -fstack-protector-strong
>> FFLAGS=-g -O2 -fstack-protector-strong
>> GCJFLAGS=-g -O2 -fstack-protector-strong
>> LDFLAGS=-Wl,-z,relro
>> OBJCFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
>> OBJCXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
>> ##############################################################################
>>
>> Now comes the result with your current patch applied:
>>
>> ##############################################################################
>> root@jessie:/var/www/imscp/gui/plugins/PhpSwitcher/PhpCompiler# ldd /usr/bin/php
>> linux-vdso.so.1 (0x00007ffdfd7fb000)
>> libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa7a7f02000)
>> libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa7a7ce7000)
>> libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fa7a7acf000)
>> libonig.so.2 => /usr/lib/x86_64-linux-gnu/libonig.so.2 (0x00007fa7a7865000)
>> libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fa7a746a000)
>> libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fa7a7209000)
>> libdb-5.3.so => /usr/lib/x86_64-linux-gnu/libdb-5.3.so (0x00007fa7a6e48000)
>> libqdbm.so.14 => /usr/lib/libqdbm.so.14 (0x00007fa7a6bfb000)
>> libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007fa7a69ea000)
>> libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa7a677c000)
>> librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa7a6574000)
>> libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fa7a6272000)
>> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa7a606e000)
>> libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fa7a5e56000)
>> libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fa7a5aee000)
>> libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fa7a58a4000)
>> libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fa7a55d0000)
>> libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fa7a539e000)
>> libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fa7a519a000)
>> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa7a4df1000)
>> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa7a4bd3000)
>> /lib64/ld-linux-x86-64.so.2 (0x00007fa7a8145000)
>> liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fa7a49b0000)
>> libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fa7a47a3000)
>> libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fa7a459f000)
>> ##############################################################################
>>
>> As you can see here openssl is still dynamically linked which is bad in
>> regard of the expected result.
>>
>> Now, with my refreshed patch (applied on PHP 5.6.8 (upstream)):
>>
>> ##############################################################################
>> jessie:/usr/local/src/phpswitcher/php-5.6.8# ldd cgi-build/sapi/cli/php
>> linux-vdso.so.1 (0x00007ffe337f8000)
>> libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd2e7428000)
>> libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd2e720d000)
>> libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fd2e6ff5000)
>> libonig.so.2 => /usr/lib/x86_64-linux-gnu/libonig.so.2 (0x00007fd2e6d8b000)
>> libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fd2e6a80000)
>> libdb-5.3.so => /usr/lib/x86_64-linux-gnu/libdb-5.3.so (0x00007fd2e66be000)
>> libqdbm.so.14 => /usr/lib/libqdbm.so.14 (0x00007fd2e6471000)
>> libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007fd2e6261000)
>> libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd2e5ff2000)
>> librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fd2e5dea000)
>> libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fd2e5ae9000)
>> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd2e58e4000)
>> libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fd2e56cc000)
>> libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fd2e5365000)
>> libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fd2e511a000)
>> libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fd2e4e46000)
>> libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fd2e4c15000)
>> libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fd2e4a10000)
>> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd2e4667000)
>> /lib64/ld-linux-x86-64.so.2 (0x00007fd2e766b000)
>> libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fd2e4451000)
>> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd2e4233000)
>> liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fd2e4010000)
>> libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fd2e3e03000)
>> libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fd2e3bff000)
>> ##############################################################################
>>
>> As you can see here both libssl.so and libcrypto.so are no longer
>> listed but openssl is here as it is expected (part of php -i output):
>>
>> OpenSSL support => enabled
>> OpenSSL Library Version => OpenSSL 1.0.1k 8 Jan 2015
>> OpenSSL Header Version => OpenSSL 1.0.1k 8 Jan 2015
>>
>> The patch which is attached to this mail has been done against PHP 5.6.8
>> (upstream).
>>
>> Should I create a report and submit the patch officially or not?
>>
>> Thank you for your interest.
>>
>> --
>> Laurent Declercq
>> iHMS/i-MSCP Project Lead
>>
>

--
Ondřej Surý <ondrej at sury.org> Knot DNS (https://www.knot-dns.cz/) – a
high-performance DNS server


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20150428/87483122/attachment-0001.html>
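The comparison the thread makes by eye between the two ldd listings, and the rebuild cost of static linking raised in the binNMU remark, as an added example that is not part of the original messages: a shell function that classifies a binary's OpenSSL linkage from its dependency listing and its printable strings. The function names, the sample variables and the version-banner heuristic are assumptions of this example; the sample lines are excerpted from the listings quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies where a binary's OpenSSL code
# comes from, given its dependency listing and its printable strings.
#   dynamic: libssl/libcrypto resolved at load time, fixed by a library upgrade
#   static : no such dependency but an OpenSSL version banner is embedded, so
#            the binary must be rebuilt after every OpenSSL security upload
#   none   : no evidence of OpenSSL in the binary itself (heuristic)

openssl_linkage() {
    deps_text=$1      # output of `ldd` or `readelf -d` for the binary
    strings_text=$2   # output of `strings -a` for the binary
    # The leading non-alphanumeric guard keeps libk5crypto.so from matching;
    # requiring "crypto.so" keeps libcrypt.so from matching.
    if printf '%s\n' "$deps_text" |
        grep -Eq '(^|[^[:alnum:]_])lib(ssl|crypto)\.so'; then
        echo dynamic
    elif printf '%s\n' "$strings_text" |
        grep -Eq '^OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]* +[0-9]+ [A-Z][a-z]{2} [0-9]{4}'; then
        echo static
    else
        echo none
    fi
}

# Hypothetical wrapper for a real file. readelf reads the ELF headers only,
# whereas ldd may run the target's loader, so prefer it for untrusted files.
audit_binary() {
    openssl_linkage "$(readelf -d "$1" | grep NEEDED)" "$(strings -a "$1")"
}

# Sample input: a few lines excerpted from the two ldd listings quoted above.
LDD_CURRENT='libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa7a7f02000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fa7a746a000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fa7a7209000)
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fa7a539e000)'
LDD_REFRESHED='libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd2e7428000)
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fd2e4c15000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd2e4667000)'
BANNER='OpenSSL 1.0.1k 8 Jan 2015'   # constructed `strings` line

echo "current patch:   $(openssl_linkage "$LDD_CURRENT" "$BANNER")"
echo "refreshed patch: $(openssl_linkage "$LDD_REFRESHED" "$BANNER")"
```

`readelf -d` lists only direct NEEDED entries, while ldd also shows libraries pulled in transitively, so the two inputs can legitimately disagree for the same file.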

