Either the changelog.gz is missing or there is an erroneous link in the libssl1.0.0 package

Bug #1297025 reported by Tobin Davis
This bug affects 4 people
Affects: openssl (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Adrien Nader

Bug Description

In libssl-dev for both Precise and Saucy packages for libssl-dev, there is a broken link:
# ls -l /usr/share/doc/libssl-dev/changelog.gz
lrwxrwxrwx 1 root root 27 Jan 8 12:48 /usr/share/doc/libssl-dev/changelog.gz -> ../libssl1.0.0/changelog.gz
# ls -l /usr/share/doc/libssl1.0.0/changelog.gz
ls: cannot access /usr/share/doc/libssl1.0.0/changelog.gz: No such file or directory

I have verified this in both releases while trying to debug a failing build of a 3rd party library that links against these. Build works in Precise, fails in Saucy. Was looking to see what changed.

Tags: precise saucy

tags: added: saucy
tags: added: precise
Changed in openssl (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Hans Joachim Desserud (hjd) wrote :

(See also similar issue in bug 1489207)

Adrien Nader (adrien) wrote :

I'm going to mark #1489207 as a duplicate of this bug because they're very close to each other and possibly actually completely related. I'm copying below the details from that bug:

$ zcat /usr/share/doc/openssl/changelog.gz
gzip: /usr/share/doc/openssl/changelog.gz: No such file or directory
$ ls -l /usr/share/doc/openssl/changelog.gz
lrwxrwxrwx 1 root root 27 Jul 9 10:06 /usr/share/doc/openssl/changelog.gz -> ../libssl1.0.0/changelog.gz
$ ls -l /usr/share/doc/libssl1.0.0/changelog.gz
ls: cannot access /usr/share/doc/libssl1.0.0/changelog.gz: No such file or directory

Adrien Nader (adrien)
Changed in openssl (Ubuntu):
status: Confirmed → In Progress
Adrien Nader (adrien) wrote :

This seems to be caused by #1895799 which would be a bug in pkgstripfiles.

Adrien Nader (adrien) wrote :

I plan to work on this during the OO cycle. It's an issue inherited from Debian AFAIU.

Adrien Nader (adrien)
Changed in openssl (Ubuntu):
milestone: none → ubuntu-24.10
Adrien Nader (adrien)
Changed in openssl (Ubuntu):
status: In Progress → Triaged
Adrien Nader (adrien)
Changed in openssl (Ubuntu):
status: Triaged → In Progress
Adrien Nader (adrien)
Changed in openssl (Ubuntu):
assignee: nobody → Adrien Nader (adrien)
Adrien Nader (adrien) wrote :

I had misunderstood the actual issue. I thought the changelog.gz files were never there but it turns out they're created and installed in the directories to package but then pkgbinarymangler's pkgstripfiles runs and deletes them.

Resolution is the same: don't create the symlinks.
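
The failure mode reported in this bug, a doc symlink left pointing at a file that was removed before packaging, can be checked mechanically on an installed system or on a package staging tree. The script below is an added example, not part of the bug report or of the openssl packaging; the function names and the demo tree are constructed for illustration, and absolute link targets are assumed to be relative to the tree root.

```shell
#!/bin/sh
# Added example: report dangling symlinks under <root>/usr/share/doc.
# <root> is "/" for an installed system, or a package staging directory.

# Prints "link -> target" for each symlink whose target is missing.
# Returns 0 if none are dangling, 1 if any are, 2 if the doc dir is absent.
find_dangling_doc_links() {
    root=${1%/}
    docdir="$root/usr/share/doc"
    [ -d "$docdir" ] || { echo "no such directory: $docdir" >&2; return 2; }
    report=$(find "$docdir" -type l | sort | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) resolved="$root$target" ;;               # absolute: re-root into the tree
            *)  resolved="$(dirname "$link")/$target" ;; # relative: resolve from the link's dir
        esac
        [ -e "$resolved" ] || printf '%s -> %s\n' "$link" "$target"
    done)
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree mirroring the layout in this report: the
# changelog.gz links point into libssl1.0.0, where no changelog.gz exists.
make_demo_tree() {
    d=$(mktemp -d)
    doc="$d/usr/share/doc"
    mkdir -p "$doc/libssl1.0.0" "$doc/libssl-dev" "$doc/openssl"
    : > "$doc/libssl1.0.0/copyright"
    ln -s ../libssl1.0.0/changelog.gz "$doc/libssl-dev/changelog.gz"  # dangling
    ln -s ../libssl1.0.0/changelog.gz "$doc/openssl/changelog.gz"     # dangling
    ln -s ../libssl1.0.0/copyright "$doc/openssl/copyright"           # valid
    printf '%s\n' "$d"
}

# Demo run on the constructed tree (prints the two dangling links).
demo=$(make_demo_tree)
find_dangling_doc_links "$demo" || true
rm -rf "$demo"
```

Run against a staging directory after the file-stripping step of the build, a non-zero exit status flags the package before it is uploaded.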

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.2.2-1ubuntu1

---------------
openssl (3.2.2-1ubuntu1) oracular; urgency=medium

  * Merge 3.2.2-1 from Debian unstable
    - Remaining changes:
      + Symlink changelog.Debian.gz and copyright.gz from libssl-dev and
        openssl to the ones in libssl3t64
      + Use perl:native in the autopkgtest for installability on i386.
      + Disable LTO with which the codebase is generally incompatible
        (LP: #2058017)
      + Add fips-mode detection and adjust defaults when running in fips mode
  * The changelog.gz symlink was broken (LP: #1297025)
  * The copyright symlink was broken (LP: #2067672)
  * Default configuration includes two paths:
    - /var/lib/crypto-config/profiles/current/openssl.conf.d
    - /etc/ssl/openssl.conf.d
    First one is to read configuration through the crypto-config framework.
    Second one is for customization by sysadmin.

openssl (3.2.2-1) unstable; urgency=medium

  * Import 3.2.2
    - CVE-2024-2511 (Unbounded memory growth with session handling in
      TLSv1.3). (Closes: #1068658).
    - CVE-2024-4603 (Excessive time spent checking DSA keys and parameters)
      (Closes: #1071972).
    - CVE-2024-4741 (Use After Free with SSL_free_buffers)
      (Closes: #1072113).

 -- Adrien Nader <email address hidden> Mon, 01 Jul 2024 17:04:32 +0200

Changed in openssl (Ubuntu):
status: In Progress → Fix Released