[oe] [meta-python][jethro][PATCH][V2] python-m2crypto: fix SSLv2 symbol issue

Pushpal Sidhu psidhu at gateworks.com
Thu Mar 17 22:58:57 UTC 2016


On Thu, Mar 17, 2016 at 2:54 PM, Martin Jansa <martin.jansa at gmail.com> wrote:
> On Mon, Mar 14, 2016 at 03:21:33PM -0700, Pushpal Sidhu wrote:
>> Hi,
>>
>> On Wed, Mar 9, 2016 at 11:18 AM, akuster808 <akuster808 at gmail.com> wrote:
>> >
>> >
>> >
>> > On 03/09/2016 11:11 AM, Martin Jansa wrote:
>> > > On Wed, Mar 09, 2016 at 09:06:57AM -0800, Armin Kuster wrote:
>> > >> From: Armin Kuster <akuster at mvista.com>
>> > >>
>> > >> missed using "-D"  for OPENSSL_NO_SSL2 swig_features.
>> > >
>> > > fido version:
>> > > http://patchwork.openembedded.org/patch/117291/
>> > > needed -D as well, right?
>> >
>> > yes.
>> >
>> >
>> > >
>> > > I've pushed both to fido-next and jethro-next
>>
>> When will this be merged into fido/jethro? I've been running into this
>> build breakage for about a week now and if I patch it myself, I'll
>> only run into a conflict again later, causing more build issues.
>
> I'm still seeing multiple issues caused by last openssl upgrade, e.g.
> ruby, pywbem, crda
>
> Are they all supposed to be fixed by this?

Good point, it doesn't seem like they are because these tools haven't
been updated to stop supporting SSLv2. We either need to patch every
broken package or update them (which may or may not fix them). For
example, I bumped the crda package from 3.13 -> 3.18 (fido), but I
still run into this problem.

Another approach we can try is by updating m2crypto as Armin did here:
http://patchwork.openembedded.org/patch/117217/. This would have to be
backported all the way back to fido (unless openssl was updated for
other branches as well). Apparently, this fixes crda, might be a fix
for other packages as well?

- Pushpal

>> > thanks
>> > -armin
>> > >
>> > >>
>> > >> ERROR: Failed to import the "M2Crypto" module: .../usr/lib/python2.7/site-packages/M2Crypto/__m2crypto.so: undefined symbol: SSLv2_method
>> > >>
>> > >> disable using SSLv2_method if not supported in openssl. This is now the case
>> > >> with the advent of CVE-2016-0800
>> > >>
>> > >> Signed-off-by: Armin Kuster <akuster at mvista.com>
>> > >> ---
>> > >>  ...y_build_with_SSLv2_when_it_is_not_available.patch | 20 ++++++++++++++++++++
>> > >>  .../python/python-m2crypto_0.21.1.bb                 |  4 +++-
>> > >>  2 files changed, 23 insertions(+), 1 deletion(-)
>> > >>  create mode 100644 meta-python/recipes-devtools/python/python-m2crypto/dont_try_build_with_SSLv2_when_it_is_not_available.patch
>> > >>
>> > >> diff --git a/meta-python/recipes-devtools/python/python-m2crypto/dont_try_build_with_SSLv2_when_it_is_not_available.patch b/meta-python/recipes-devtools/python/python-m2crypto/dont_try_build_with_SSLv2_when_it_is_not_available.patch
>> > >> new file mode 100644
>> > >> index 0000000..526c23f
>> > >> --- /dev/null
>> > >> +++ b/meta-python/recipes-devtools/python/python-m2crypto/dont_try_build_with_SSLv2_when_it_is_not_available.patch
>> > >> @@ -0,0 +1,20 @@
>> > >> +Upstream-Status: Backport
>> > >> +https://gitlab.com/m2crypto/m2crypto/commit/ac01b38302474920288c1a9eb63fd35fa8d1db5b
>> > >> +
>> > >> +Signed-off-by: Armin Kuster <akuster at mvista.com>
>> > >> +
>> > >> +Index: M2Crypto-0.21.1/SWIG/_ssl.i
>> > >> +===================================================================
>> > >> +--- M2Crypto-0.21.1.orig/SWIG/_ssl.i
>> > >> ++++ M2Crypto-0.21.1/SWIG/_ssl.i
>> > >> +@@ -48,8 +48,10 @@ extern const char *SSL_alert_desc_string
>> > >> + %rename(ssl_get_alert_desc_v) SSL_alert_desc_string_long;
>> > >> + extern const char *SSL_alert_desc_string_long(int);
>> > >> +
>> > >> ++#ifndef OPENSSL_NO_SSL2
>> > >> + %rename(sslv2_method) SSLv2_method;
>> > >> + extern SSL_METHOD *SSLv2_method(void);
>> > >> ++#endif
>> > >> + %rename(sslv3_method) SSLv3_method;
>> > >> + extern SSL_METHOD *SSLv3_method(void);
>> > >> + %rename(sslv23_method) SSLv23_method;
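Review bot: In the _ssl.i change, only SSLv2_method is wrapped in `#ifndef OPENSSL_NO_SSL2`; the SSLv3_method declaration directly after the `#endif` stays unconditional, so an OpenSSL build that also drops that symbol would fail at import with the same kind of undefined-symbol error. Consider giving it a matching guard in the same patch. The embedded patch header also carries only Upstream-Status and a URL; one line describing the failure it fixes (the undefined SSLv2_method symbol at import) would help whoever next rebases the recipe.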
>> > >> diff --git a/meta-python/recipes-devtools/python/python-m2crypto_0.21.1.bb b/meta-python/recipes-devtools/python/python-m2crypto_0.21.1.bb
>> > >> index ff6203f..9daea5e 100644
>> > >> --- a/meta-python/recipes-devtools/python/python-m2crypto_0.21.1.bb
>> > >> +++ b/meta-python/recipes-devtools/python/python-m2crypto_0.21.1.bb
>> > >> @@ -8,7 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b0e1f0b7d0ce8a62c18b1287b991800e"
>> > >>
>> > >>  SRC_URI = "http://pypi.python.org/packages/source/M/M2Crypto/M2Crypto-${PV}.tar.gz \
>> > >>             file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \
>> > >> -           file://0001-M2Crypto-Error-fix.patch"
>> > >> +           file://0001-M2Crypto-Error-fix.patch \
>> > >> +           file://dont_try_build_with_SSLv2_when_it_is_not_available.patch"
>> > >>
>> > >>  SRC_URI[md5sum] = "f93d8462ff7646397a9f77a2fe602d17"
>> > >>  SRC_URI[sha256sum] = "25b94498505c2d800ee465db0cc1aff097b1615adc3ac042a1c85ceca264fc0a"
>> > >> @@ -19,6 +20,7 @@ inherit setuptools
>> > >>
>> > >>  SWIG_FEATURES_x86-64 = "-D__x86_64__"
>> > >>  SWIG_FEATURES ?= ""
>> > >> +SWIG_FEATURES += "-DOPENSSL_NO_SSL2"
>> > >>  export SWIG_FEATURES
>> > >>
>> > >>  # Get around a problem with swig, but only if the
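Review bot: `SWIG_FEATURES += "-DOPENSSL_NO_SSL2"` sits below `SWIG_FEATURES_x86-64 = "-D__x86_64__"`, and an override-suffixed assignment replaces the base value when that override is active, so on x86-64 targets the new define may never reach swig and the `#ifndef` guard in _ssl.i would not take effect. `SWIG_FEATURES_append = " -DOPENSSL_NO_SSL2"` is applied after override selection and avoids that; checking the final value with `bitbake -e` for an x86-64 machine would confirm it. The define is also unconditional, so the SSLv2 binding is dropped even when the recipe is built against an OpenSSL that still provides it; a short comment stating that this is intended would help.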
>> > >> --
>> > >> 2.3.5
>> > >>
>> > >> --
>> > >> _______________________________________________
>> > >> Openembedded-devel mailing list
>> > >> Openembedded-devel at lists.openembedded.org
>> > >> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>> > >
>
> --
> Martin 'JaMa' Jansa     jabber: Martin.Jansa at gmail.com


