On Sun, Feb 28, 2010 at 01:57:26PM +0100, Klaus Ethgen wrote:
> Hi,
>
> On Sun, 28 Feb 2010 at 13:28, Kurt Roeckx wrote:
> > On Sun, Feb 28, 2010 at 09:18:11AM +0100, Klaus Ethgen wrote:
> > > Package: openssl
> > > Version: 0.9.8m-1
> > > Severity: critical
> > >
> > > The newest update of openssl breaks encryption software like encfs to
> > > shred data on the end of many files.
> > >
> > > This is a serious data loss!
> >
> > Can you provide more information about this?
>
> Sorry, I have no idea.
>
> I just downgraded back to release 0.9.8k-8 and pinned the version
> 0.9.8m-1 as bad.
>
> As I wrote, the error happens at the end of some files on an encfs
> encrypted filesystem. The files just have garbage there. I have no idea
> what might trigger the bug, but reproducing should be easy:
> - install openssl and libssl0.9.8 before version 0.9.8m-1
> - Create an encfs dir (I use ssl/blowfish as cipher)
> - Put some files from several bytes to several kilobytes into that
>   directory
> - Upgrade to version 0.9.8m-1 of openssl
> - Mount and verify the files in the encfs container
>
> Some errors I remember:
> - File length 362, just text was corrupted after around byte 320.
> - File length 3134, secring.gpg from gpg was corrupted at unknown
>   position.
> - The rtorrent cache and some torrent files as well as some of the
>   files therein were corrupted.
>
> I hope that will help to reproduce the bug. Maybe you can bisect it.
I can't find anything obvious wrong in the changes between the 2 versions. There were no changes to the blowfish code for instance, and the regression tests should have found that something broke. Can you try and build encfs against the newest libssl-dev and see if that fixes it? In that case it's some ABI breakage that I missed.

Kurt
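An added integrity check for the reproduction steps quoted above (example code written for this page, not from the bug report, encfs or openssl): it writes the test files with regenerable content before the upgrade and, after remounting, compares each file with its regenerated reference and reports the first differing byte, which locates a corrupted tail such as the one near byte 320 in the 362-byte file. It assumes POSIX sh with awk, cmp and mktemp; the file names and the sizes other than 362 and 3134 are my choice.

```shell
#!/bin/sh
# Integrity harness for the encfs/openssl reproduction (added example, not part of
# the bug report). Assumes POSIX sh, awk, cmp and mktemp. Run make_testset on the
# mounted encfs directory before the upgrade, then verify_testset after remounting.

# Sizes spanning "several bytes to several kilobytes"; 362 and 3134 are the
# lengths named in the report, the others are assumed.
SIZES="7 64 362 1024 3134 8192"

# Deterministic, non-repeating printable content for a file of $1 bytes, written
# to stdout, so a garbled or truncated tail can be regenerated and compared.
gen_content() {
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) printf "%c", 33 + (i * 7) % 90 }'
}

# Step "put some files into that directory": $1 is the target (encfs) directory.
make_testset() {
    mkdir -p "$1"
    for size in $SIZES; do
        gen_content "$size" > "$1/f$size.bin"
    done
}

# Step "mount and verify the files": prints "ok NAME" or
# "CORRUPT NAME first-diff-byte=N" (N is 1-based, as cmp reports it). Returns
# non-zero if any file no longer matches its regenerated reference.
verify_testset() {
    dir=$1; status=0; ref=$(mktemp)
    for size in $SIZES; do
        f="$dir/f$size.bin"
        gen_content "$size" > "$ref"
        if cmp -s "$ref" "$f"; then
            echo "ok f$size.bin"
        else
            # Take the first number from cmp's message ("... differ: byte 321, line 1"
            # on GNU cmp, "char 321" elsewhere). A truncated file makes cmp report
            # EOF instead; older versions give no offset there, hence "unknown".
            off=$(cmp "$ref" "$f" 2>&1 | awk '{ for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+,?$/) { sub(",", "", $i); print $i; exit } }')
            echo "CORRUPT f$size.bin first-diff-byte=${off:-unknown}"
            status=1
        fi
    done
    rm -f "$ref"
    return "$status"
}
```

Keep the harness and SIZES outside the encrypted directory, since the reference bytes are regenerated from the size alone and nothing inside the container is trusted during verification.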