On Sun, Feb 28, 2010 at 03:15:51PM +0100, Kurt Roeckx wrote:
> On Sun, Feb 28, 2010 at 01:57:26PM +0100, Klaus Ethgen wrote:
> > Hi,
> >
> > On Sun, 28 Feb 2010 at 13:28, Kurt Roeckx wrote:
> > > On Sun, Feb 28, 2010 at 09:18:11AM +0100, Klaus Ethgen wrote:
> > > > Package: openssl
> > > > Version: 0.9.8m-1
> > > > Severity: critical
> > > >
> > > > The newest update of openssl breaks encryption software like encfs to
> > > > shred data on the end of many files.
> > > >
> > > > This is a serious data loss!
> > >
> > > Can you provide more information about this?
> >
> > Sorry, I have no idea.
> >
> > I just downgraded back to release 0.9.8k-8 and pinned the version
> > 0.9.8m-1 as bad.
> >
> > As I wrote, the error happens at the end of some files on an encfs
> > encrypted filesystem. The file just has garbage there. I have no idea
> > what might trigger the bug but the reproducing should be easy:
> > - install openssl and libssl0.9.8 before version 0.9.8m-1
> > - Create an encfs dir (I use ssl/blowfish as cipher)
> > - Put some files from several bytes to several kilobytes into that
> >   directory
> > - Upgrade to version 0.9.8m-1 of openssl
> > - Mount and verify the files in the encfs container
> >
> > Some errors I remember:
> > - File length 362, just text was corrupted after around byte 320.
> > - File length 3134, secring.gpg from gpg was corrupted at unknown
> >   position.
> > - The rtorrent cache and some torrent files as well as some of the
> >   files therein were corrupted.
> >
> > I hope that will help to reproduce the bug. Maybe you can bisect it.
>
> I can't find anything obviously wrong in the changes between the 2
> versions. There were no changes to the blowfish code for instance,
> and the regression tests should have found that something broke.
>
> Can you try and build encfs against the newest libssl-dev and see
> if that fixes it? In that case it's some ABI breakage that I
> missed.

I just ran the regression tests against the old library, can't find
an error in that case, so that's probably not the problem ...


Kurt