FS#53996 - [c-client] Not linked to libssl/libcrypto ?

Attached to Project: Arch Linux
Opened by mickael9 (mickael9) - Tuesday, 09 May 2017, 22:56 GMT
Last edited by Toolybird (Toolybird) - Friday, 09 June 2023, 23:43 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: c-client uses OpenSSL functions but doesn't actually link to it

This doesn't seem to be a problem with the only two packages currently using it (php-imap and imap itself) because those directly link to libssl 1.1.

However, as a maintainer of PHP 5.6 on AUR (which uses openssl 1.0), I got reports of crashes using php56-imap.
Since both libssl versions are loaded, and because libc-client doesn't link to them at all, it seems to call some functions from openssl 1.1 and others from 1.0 which ultimately causes a segfault.

Adding -lssl -lcrypto to the 'make' command line in the imap PKGBUILD fixes the issue:

make lnp EXTRAAUTHENTICATORS=gss PASSWDTYPE=pam SPECIALAUTHENTICATORS=ssl SSLTYPE=unix EXTRACFLAGS="${CFLAGS} -fPIC -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpam -lssl -lcrypto"

I'll try to work around this on the php56 side but I still believe that it isn't normal for a library to use symbols without linking to them (unless dlopen is involved of course).

Additional info:
* package version: 2007f-7

Closed by Toolybird (Toolybird)
Friday, 09 June 2023, 23:43 GMT
Reason for closing: Won't fix
Additional comments about closing: No longer in the repos.
Comment by Jan de Groot (JGC) - Friday, 12 May 2017, 11:28 GMT
imap should provide a shared library. Debian has patches for that.

The only reason imap is static is because of the lack of ABI stability. Given the fact that imap hasn't seen a release for several years and probably will not see new releases in the future, I assume the ABI can be considered stable.
Comment by mickael9 (mickael9) - Friday, 12 May 2017, 16:18 GMT
I'm not talking about the static libc-client.a but the dynamic /usr/lib/libc-client.so

It uses openssl but isn't linked to openssl.
You can check by doing "ldd /usr/lib/libc-client.so"; you'll see that it doesn't include libssl.
Yet "objdump -T /usr/lib/libc-client.so | grep SSL" will show you that a bunch of openssl symbols are imported.

I downloaded the deb for amd64 from Debian and it is correctly linked with openssl.

https://packages.debian.org/jessie/libc-client2007e
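
The check described in the comment above (SSL_* symbols imported with no libssl dependency recorded), as an added example that is not part of the original report or of any package's build scripts. It reads the library's direct NEEDED entries from `objdump -p` rather than `ldd`, because `ldd` also lists transitive dependencies; the function names are hypothetical and the sample objdump output is constructed.

```shell
#!/bin/sh
# Added example: flag a shared object that imports SSL_* symbols but has no
# direct NEEDED entry for libssl. All function names here are hypothetical.

# Print undefined (*UND*) symbol names matching regex $2 from `objdump -T` text in file $1.
undefined_syms() {
    awk -v pat="$2" '/\*UND\*/ && $NF ~ pat { print $NF }' "$1" | sort -u
}

# Succeed if the `objdump -p` text in file $1 has a NEEDED entry starting with $2.
has_needed() {
    awk -v lib="$2" '$1 == "NEEDED" && index($2, lib) == 1 { ok = 1 } END { exit !ok }' "$1"
}

# check_linkage DYNAMIC_TXT DYNSYM_TXT: print a verdict, return 1 if underlinked.
check_linkage() {
    syms=$(undefined_syms "$2" '^SSL_')
    if [ -n "$syms" ] && ! has_needed "$1" 'libssl.so'; then
        echo "underlinked: imports $(echo "$syms" | tr '\n' ' ')without NEEDED libssl"
        return 1
    fi
    echo "ok"
}

# check_library PATH: run the same check against a real file (requires binutils).
check_library() {
    d=$(mktemp -d) || return 2
    objdump -p "$1" > "$d/dyn" && objdump -T "$1" > "$d/sym" && check_linkage "$d/dyn" "$d/sym"
    rc=$?; rm -rf "$d"; return "$rc"
}

# Constructed sample output, shaped like objdump's, for an underlinked library.
sample_dynamic() {
    printf '%s\n' 'Dynamic Section:' '  NEEDED               libpam.so.0' \
        '  NEEDED               libc.so.6' '  SONAME               libc-client.so'
}
sample_dynsym() {
    printf '%s\n' 'DYNAMIC SYMBOL TABLE:' \
        '0000000000000000      DF *UND*  0000000000000000              SSL_read' \
        '0000000000000000      DF *UND*  0000000000000000              SSL_new' \
        '0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 free'
}

# Demo on the constructed sample; prints the "underlinked" verdict.
t=$(mktemp -d); sample_dynamic > "$t/dyn"; sample_dynsym > "$t/sym"
check_linkage "$t/dyn" "$t/sym" || true
rm -rf "$t"
```

On a real system, `check_library /usr/lib/libc-client.so` runs the same logic against the installed file.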
