DevHeads.net

libssl-dev 1.0.2g is 1.0.0

Hi

distribution : artful (ubuntu 17.10)
package libssl-dev [1.0.2g]

The package libssl-dev claims to be 1.0.2g, but it seems to be the older
header version 1.0.0, as it lacks the constant

./crypto/x509/x509_vfy.h:# define X509_V_ERR_INVALID_CALL 65

It seems the libssl binary package is also 1.0.0

ii  libssl-dev:amd64   1.0.2g-1ubuntu13.3  amd64  Secure Sockets Layer toolkit - development files
ii  libssl-doc         1.0.2g-1ubuntu13.3  all    Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.0:amd64  1.0.2g-1ubuntu13.3  amd64  Secure Sockets Layer toolkit - shared libraries

This could be a security issue: shipping a 1.0.0 library claiming to be
1.0.2g.

Comments

Re: libssl-dev 1.0.2g is 1.0.0

By Dmitrijs Ledkovs at 03/12/2018 - 10:01

Hello,

On 11 March 2018 at 09:05, Frank Rehberger < ... at gmail dot com> wrote:
Ubuntu has patched openssl1.0 to retain ABI compatibility with 1.0.0
by introducing stub functions, and thus does not require recompiling
software that was compiled against 1.0.0, as it remains usable with
newer Ubuntu releases that ship the 1.0.2 series of OpenSSL. Thus the
version numbers you see are correct - 1.0.2g release with 1.0.0 ABI.

About the following defines:
X509_V_ERR_INVALID_CALL 65
X509_V_ERR_STORE_LOOKUP 66

They appear to have been introduced in
5553a12735e11bc9aa28727afe721e7236788aab upstream on
OpenSSL_1_0_2-stable branch.
Which is shipped in:

$ git tag --contains 5553a12735e11bc9aa28727afe721e7236788aab
OpenSSL_1_0_2i
OpenSSL_1_0_2j
OpenSSL_1_0_2k
OpenSSL_1_0_2l
OpenSSL_1_0_2m
OpenSSL_1_0_2n

1.0.2g pre-dates the above, and thus these defines are not available.
Bionic, to become 18.04 LTS, ships openssl1.0 1.0.2n and has the
above-mentioned defines.

W.R.T. security updates - Ubuntu does not use upstream version numbers
to rectify security issues, and instead all security vulnerabilities
are patched as distro patches and a USN (Ubuntu Security Notice) is
issued referencing full package upload numbers and the matching CVEs
these fix. Please see https://usn.ubuntu.com/ for more details.
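
Added example, not part of the thread and not Ubuntu's or OpenSSL's own code: a small Python sketch that separates the three numbers discussed above (the ABI version in the runtime package name, the upstream OpenSSL version, and the distro revision) and checks the upstream part against 1.0.2i, the first tag the reply lists as containing the defines. The function names and the "1.0.2n-0constructed1" version string are assumptions made for illustration.

```python
import re

# Per the reply above, the defines first appear in upstream tag OpenSSL_1_0_2i.
DEFINES_SINCE = "1.0.2i"

def split_deb_version(version):
    """Split a Debian-style version into (epoch, upstream, distro revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision

def openssl_key(upstream):
    """Sortable key for letter-suffixed OpenSSL versions (1.0.2g < 1.0.2i)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", upstream)
    if m is None:
        raise ValueError(f"not a letter-style OpenSSL version: {upstream!r}")
    major, minor, fix, letters = m.groups()
    # Length first so that multi-letter suffixes such as "za" sort after "z".
    return int(major), int(minor), int(fix), len(letters), letters

def soname_version(package):
    """ABI version carried in a runtime package name; None for -dev/-doc."""
    m = re.fullmatch(r"libssl(\d+(?:\.\d+)*)(?::\w+)?", package)
    return m.group(1) if m else None

def describe(package, version):
    """Separate the three numbers the thread is about for one package row."""
    _, upstream, revision = split_deb_version(version)
    return {
        "abi": soname_version(package),
        "upstream": upstream,
        "distro_revision": revision,
        "has_invalid_call_define": openssl_key(upstream) >= openssl_key(DEFINES_SINCE),
    }

if __name__ == "__main__":
    rows = [
        ("libssl-dev:amd64", "1.0.2g-1ubuntu13.3"),     # from the listing above
        ("libssl1.0.0:amd64", "1.0.2g-1ubuntu13.3"),    # from the listing above
        ("libssl1.0.0:amd64", "1.0.2n-0constructed1"),  # constructed revision
    ]
    for package, version in rows:
        print(package, version, describe(package, version))
```

None of these fields says whether a given CVE is patched; as the reply notes, that is tracked per package upload in the USNs.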