Arch Linux

FS#53996 - [c-client] Not linked to libssl/libcrypto ?

Attached to Project: Arch Linux
Opened by mickael9 (mickael9) - Tuesday, 09 May 2017, 22:56 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 16 May 2017, 04:17 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Pierre Schmitz (Pierre)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No


Description: c-client uses OpenSSL functions but doesn't actually link to it

This doesn't seem to be a problem with the only two packages currently using it (php-imap and imap itself) because those directly link to libssl 1.1.

However, as a maintainer of PHP 5.6 on AUR (which uses openssl 1.0) I got reports of crashes using php56-imap.
Since both libssl versions are loaded, and because libc-client doesn't link to them at all, it seems to call some functions from openssl 1.1 and others from 1.0 which ultimately causes a segfault.

Adding -lssl -lcrypto to the 'make' command line in the imap PKGBUILD fixes the issue:

make lnp EXTRAAUTHENTICATORS=gss PASSWDTYPE=pam SPECIALAUTHENTICATORS=ssl SSLTYPE=unix EXTRACFLAGS="${CFLAGS} -fPIC -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpam -lssl -lcrypto"

I'll try to work around this on the php56 side but I still believe that it isn't normal for a library to use symbols without linking to them (unless dlopen is involved of course).

Additional info:
* package version: 2007f-7

Comment by Jan de Groot (JGC) - Friday, 12 May 2017, 11:28 GMT
imap should provide a shared library. Debian has patches for that.

The only reason imap is static is because of the lack of ABI stability. Given the fact that imap hasn't seen a release for several years and probably will not see new releases in the future, I assume the ABI can be considered stable.

Comment by mickael9 (mickael9) - Friday, 12 May 2017, 16:18 GMT
I'm not talking about the static libc-client.a but the dynamic /usr/lib/

It uses openssl but isn't linked to openssl.
You can check by doing "ldd /usr/lib/"; you'll see that it doesn't include libssl.
Yet "objdump -T /usr/lib/ | grep SSL" will show you that a bunch of openssl symbols are imported.

I downloaded the deb for amd64 from Debian and it is correctly linked with openssl.
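
The ldd/objdump comparison described in the comment above, as an added example that is not part of the original thread: a shell function that compares the DT_NEEDED entries from `objdump -p` with the undefined OpenSSL-looking symbols from `objdump -T`. The function names, the symbol-prefix heuristic and the sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the OpenSSL libraries a shared object imports symbols
# from without recording them as DT_NEEDED. The prefix-to-library mapping is
# a heuristic (assumption), not an exhaustive list of the OpenSSL API.

# $1 = text of `objdump -p LIB`, $2 = text of `objdump -T LIB`
missing_openssl_deps() {
    needed=$(printf '%s\n' "$1" | awk '$1 == "NEEDED" { print $2 }')
    printf '%s\n' "$2" | awk '
        /\*UND\*/ && $NF ~ /^(SSL|TLS)/ { print "libssl" }
        /\*UND\*/ && $NF ~ /^(BIO|X509|EVP|ERR|RAND|PEM)_/ { print "libcrypto" }
    ' | sort -u | while read -r lib; do
        case "$needed" in
            *"$lib.so"*) ;;        # dependency is recorded, nothing to report
            *) echo "$lib" ;;      # symbols imported, library not recorded
        esac
    done
}

# Run the check against a real file; returns 1 when the library is underlinked.
check_library() {
    missing=$(missing_openssl_deps "$(objdump -p "$1")" "$(objdump -T "$1")")
    if [ -n "$missing" ]; then
        echo "$1: OpenSSL symbols imported, no DT_NEEDED for:" $missing
        return 1
    fi
}

# Constructed sample input (not taken from the real package).
SAMPLE_DYN_UNDERLINKED='Dynamic Section:
  NEEDED               libpam.so.0
  NEEDED               libgssapi_krb5.so.2
  NEEDED               libc.so.6
  SONAME               libexample.so.1'
SAMPLE_DYN_LINKED="$SAMPLE_DYN_UNDERLINKED
  NEEDED               libssl.so.1.1
  NEEDED               libcrypto.so.1.1"
SAMPLE_SYMS='0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 free
0000000000000000      DF *UND*  0000000000000000              SSL_write
0000000000000000      DF *UND*  0000000000000000              SSL_read
0000000000000000      DF *UND*  0000000000000000              X509_free
00000000000a1b20 g    DF .text  0000000000000052  Base        mail_open'

echo "underlinked sample lacks: $(missing_openssl_deps "$SAMPLE_DYN_UNDERLINKED" "$SAMPLE_SYMS" | tr '\n' ' ')"
echo "linked sample lacks: $(missing_openssl_deps "$SAMPLE_DYN_LINKED" "$SAMPLE_SYMS" | tr '\n' ' ')"
```

On an installed system, `check_library` takes the path of the shared object to inspect. When a library is reported here, its OpenSSL symbols are resolved against whichever libssl/libcrypto the loading process has already pulled in.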