Posts: 638 | Thanked: 1,692 times | Joined on Aug 2009
#11
@freemangordon
also remaining inside 0.9.8 branch?

After 0.9.8n, most of the changes are fixes and a few new APIs.
Are you sure we could break something with 0.9.8za?

https://www.openssl.org/news/openssl-notes.html
http://git.openssl.org/gitweb/?p=ope...s/heads/master
http://upstream-tracker.org/versions/openssl.html
 

The Following User Says Thank You to xes For This Useful Post:
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#12
http://upstream-tracker.org/compat_r..._Risk_Problems

We have the CVE-2010-0742 fix included in CSSU, so the version is effectively 0.9.8o.

Sure, someone can check if the above change affects Maemo, but I'd consider that it breaks the ABI until shown some evidence of the opposite. Which might not be possible if we have closed source binaries using openssl.

EDIT:
IMO the sane way is to find all the stuff like https://www.openssl.org/news/secadv_20101116.txt and include those patches in CSSU openssl
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer


Last edited by freemangordon; 2014-06-08 at 08:30.
 

The Following 2 Users Say Thank You to freemangordon For This Useful Post:
Posts: 2,290 | Thanked: 4,133 times | Joined on Apr 2010 @ UK
#13
Is this helpful?
https://privatepaste.com/81efcde966
Attached Files
File Type: txt cve-list-for-maemo.txt (7.9 KB, 152 views)
__________________

Wiki Admin
sixwheeledbeast's wiki
Testing Squad Subscriber
- mcallerx - tenminutecore - FlopSwap - Qnotted - zzztop - Bander - Fight2048 -


Before posting or starting a thread please try this.

Last edited by sixwheeledbeast; 2014-06-08 at 13:15. Reason: Include .txt file
 

The Following 6 Users Say Thank You to sixwheeledbeast For This Useful Post:
Posts: 2,222 | Thanked: 12,651 times | Joined on Mar 2010 @ SOL 3
#14
definitely useful, thanks sixwheeledbeast!
/j
__________________
Maemo Community Council member [2012-10, 2013-05, 2013-11, 2014-06 terms]
Hildon Foundation Council inaugural member.
MCe.V. foundation member

EX Hildon Foundation approved
Maemo Administration Coordinator (stepped down due to bullying 2014-04-05)
aka "techstaff" - the guys who keep your infra running - Devotion to Duty http://xkcd.com/705/

IRC(freenode): DocScrutinizer*
First USB hostmode fanatic, father of H-E-N

Last edited by joerg_rw; 2014-06-08 at 13:17.
 

The Following User Says Thank You to joerg_rw For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#15
Things I can find that link to libssl or libcrypto and are closed source:
as-daemon (part of the stuff for talking to Microsoft email servers)
browser.launch (main browser binary)
eapd (WiFi security daemon)
intellisyncd (part of nokia messaging)
libconnui_iapsettings.so.0 (related to WiFi security)
libflashplayer.so (Flash player plugin)
libiap_dialog_gtc_challenge.so (related to WiFi security)
libiap_dialog_mschap_challenge.so (related to WiFi security)
libiap_dialog_private_key_pw.so (related to WiFi security)
libiap_dialog_server_cert.so (related to WiFi security)
libiap_dialog_wps.so (related to WiFi security)
libiap_wizzard_wlan.so (related to WiFi security)
libinternetsettings.so (internet settings control panel)
libshareonovi.so (handles sharing to OVI)
libsync4j.so.3 (syncml stuff)
location-proxy (handles GPS SUPL and network related stuff)
osso-backup.launch (backup tool)
ota-settings (handles internet settings sent over-the-air)
signond (single-sign-on daemon)
syncd (part of maesync, whatever that is)

Identifying which of these binaries call potentially-broken functions (i.e. those whose ABI may have changed between the 0.9.8n we have now and the latest 0.9.8za release) should be possible if someone can come up with a list of all such functions.

Some of these binaries may only use bits of openssl that haven't changed between 0.9.8n and 0.9.8za (e.g. crypto stuff like AES or SHA or HMAC) and some may be things we don't need anymore (e.g. nokiamessaging). Some may link to the libraries but not actually import any functions from them.
 

The Following 7 Users Say Thank You to jonwil For This Useful Post:
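The check jonwil describes in post #15 (find which binaries actually import functions whose ABI may have changed) could be scripted along these lines. This is an added example, not code from the thread: it assumes binutils (`readelf`, `nm`) is available, and the watch-list names and sample `nm` lines are constructed placeholders, since the real list would have to come from comparing the 0.9.8n and 0.9.8za headers.

```shell
#!/bin/sh
# Usage on a real system:  audit_binary /path/to/binary watchlist.txt
# watchlist.txt holds one function name per line; '#' starts a comment.

# Read `nm -D --undefined-only` output on stdin and print each imported
# symbol that is named in the watch list file given as $1.
flag_imports() {
    awk '
        # First file: load the watch list, skipping blanks and comments.
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) watch[$1] = 1; next }
        # stdin: "U" (undefined) and "w" (weak undefined) are imports.
        $1 == "U" || $1 == "w" {
            sym = $2
            sub(/@.*/, "", sym)          # drop any @VERSION suffix
            if (sym in watch) print sym
        }
    ' "$1" - | sort -u
}

# Report on one ELF file, but only if libssl or libcrypto is listed in
# its DT_NEEDED entries; everything else is skipped silently.
audit_binary() {
    readelf -d "$1" 2>/dev/null |
        grep -Eq 'NEEDED.*lib(ssl|crypto)\.so' || return 0
    hits=$(nm -D --undefined-only "$1" 2>/dev/null |
        flag_imports "$2" | tr '\n' ' ')
    if [ -n "$hits" ]; then
        echo "$1: $hits"
    else
        echo "$1: links OpenSSL, no watch-listed imports"
    fi
}

# Constructed sample: lines shaped like nm output plus a placeholder
# watch list. Neither describes a real Maemo binary or a real ABI diff.
demo() {
    wl=$(mktemp)
    printf '%s\n' '# placeholder names' 'SSL_new' 'SSL_get_session' > "$wl"
    printf '%s\n' \
        '         U SSL_new' \
        '         U SHA1_Update' \
        '         w __gmon_start__' \
        '         U SSL_new@SAMPLE_VER' | flag_imports "$wl"
    rm -f "$wl"
}
demo
```

A binary reported with no watch-listed imports matches the case in the post where a file links the libraries but only uses unchanged parts of them.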
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#16
Also things may not be incompatible based on my reading of the openssl stuff.

For example, the changes to data types in 0.9.8p listed as being in dtls1.h and ssl3.h only affect the SSL structure which (per my reading of the SSL documentation) is a notionally-opaque structure anyway, never accessed directly, only created via SSL_new and accessed via other SSL_xxx functions.
 

The Following 4 Users Say Thank You to jonwil For This Useful Post:
Posts: 254 | Thanked: 509 times | Joined on Nov 2011 @ Canada
#17
Originally Posted by sixwheeledbeast View Post
I wouldn't say "own" it.
More a small dedicated group of devs contribute to it as a team.
A bit off-topic, but what I meant by "own" is that a small group/team decides what goes in CSSU and what doesn't. Things like libssl updates are a no-brainer of course.

Too bad that going above 0.9.8n breaks ABI compatibility. I would have thought that updates within a major/minor version wouldn't have done so, but apparently it might? Might just need to be tested after reading above... Throw libssl 0.9.8za into CSSU dev and have some folks test it out? If it doesn't blow up everything, push it into Testing and await bug reports... that's what Testing is for right?

Seems like an easier route than backporting all the patches to 0.9.8n if we don't really need to do so.

Edit: thought I would try it... so I compiled 0.9.8za and running it on my device now, and will test for a couple of days.

Edit2: no problems with HAM, Opera or MicroB.

Last edited by shawnjefferson; 2014-06-10 at 00:54. Reason: gramma
 

The Following 6 Users Say Thank You to shawnjefferson For This Useful Post:
Posts: 254 | Thanked: 509 times | Joined on Nov 2011 @ Canada
#18
I encountered no problems with anything running 0.9.8za, and decided to thumb compile libssl, libcrypto and openssl so am running those now on my device without issue. (Seems like the possible ABI issue may not be relevant.)

I've tested:
Certman
Opera
MicroB
HAM
FAM
nmap

anything else specifically I should test?
 

The Following 3 Users Say Thank You to shawnjefferson For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#19
Maybe the answer is to go straight to the horse's mouth and ask if 0.9.8za has any ABI-breaking changes vs 0.9.8n.
 

The Following User Says Thank You to jonwil For This Useful Post:
Posts: 2,290 | Thanked: 4,133 times | Joined on Apr 2010 @ UK
#20
What do we think about 0.9.8za?
Is it likely to be stable or is it still best to backport them?