RHEL-105518

openssl 3.2.2 has 3_4_0 version in the symbol table


    • openssl-3.2.2-16.el10_0.4
    • Yes
    • Important
    • 1
    • rhel-security-crypto
    • 25
    • 26
    • 2
    • QE ack, Dev ack
    • False
    • False
    • None
    • Crypto25August
    • AC1 manual) The openssl-libs package still provides the OPENSSL_3.2.0 symbol, but it does not provide the OPENSSL_3.4.0 symbol

      AC2 manual) The libcrypto.so.3 file should still declare both the OPENSSL_3_2_0 and OPENSSL_3_4_0 symbols, and the openssl executable should still declare the need for them
    • Pass
    • Not Needed
    • Manual
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      What were you trying to do that didn't work?

      I was updating opencryptoki on RHEL-10.0 with its version from RHEL-10.1 but the service failed to start.

      /usr/sbin/pkcsslotd: symbol lookup error: /usr/sbin/pkcsslotd: undefined symbol: EVP_MD_CTX_get_size_ex, version OPENSSL_3.4.0

      Further investigation revealed that:

      1. rpm -q openssl openssl-libs
        openssl-3.2.2-16.el10.x86_64
        openssl-libs-3.2.2-16.el10.x86_64
      2. rpm -q --provides openssl-libs
        config(openssl-libs) = 1:3.2.2-16.el10
        libcrypto.so.3()(64bit)
        libcrypto.so.3(OPENSSL_3.0.0)(64bit)
        libcrypto.so.3(OPENSSL_3.0.1)(64bit)
        libcrypto.so.3(OPENSSL_3.0.3)(64bit)
        libcrypto.so.3(OPENSSL_3.0.8)(64bit)
        libcrypto.so.3(OPENSSL_3.0.9)(64bit)
        libcrypto.so.3(OPENSSL_3.1.0)(64bit)
        libcrypto.so.3(OPENSSL_3.2.0)(64bit)
        libcrypto.so.3(OPENSSL_3.4.0)(64bit)
        libssl.so.3()(64bit)
        libssl.so.3(OPENSSL_3.0.0)(64bit)
        libssl.so.3(OPENSSL_3.2.0)(64bit)
        openssl-libs = 1:3.2.2-16.el10
        openssl-libs(x86-64) = 1:3.2.2-16.el10

      Notice that there is libcrypto.so.3(OPENSSL_3.4.0)(64bit).

       

      per cllang@redhat.com :
      Root cause is https://gitlab.com/redhat/centos-stream/rpms/openssl/-/commit/ce2e7dc60e1f3dac02c5b652e14599cf86223498#8e8ad7a4ef98d596c73e7[…]0519121e131584_0_1002

       
      That backport should not have added the 3_4_0 version in the symbol table (at least not without also importing all other 3_4_0 symbols), but it did.

      What is the impact of this issue to you?

      I have to manually update openssl to its RHEL-10.1 version, otherwise pkcsslotd won't start

      Please provide the package NVR for which the bug is seen:

      openssl-3.2.2-16.el10.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. see above

              dbelyavs@redhat.com Dmitry Belyavskiy
              ksrot@redhat.com Karel Srot
              Dmitry Belyavskiy
              Ganna Starovoytova
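The mismatch reported above, where the OPENSSL_3.4.0 version is provided but EVP_MD_CTX_get_size_ex is not exported under it, can be caught by comparing a binary's versioned imports with the library's versioned exports. The following is an added example, not part of the original report: the `readelf -W --dyn-syms` rows are constructed, and `placeholder_backported_fn` is a hypothetical name standing in for the backported symbol the report does not name.

```python
import re

# Ndx and Name columns of a `readelf -W --dyn-syms` row, e.g.
#   "... FUNC GLOBAL DEFAULT UND EVP_MD_CTX_get_size_ex@OPENSSL_3.4.0 (5)"
ROW = re.compile(r"\s(UND|\d+)\s+([A-Za-z_]\w*)@{1,2}([\w.]+)")

def parse_dynsyms(text):
    """Split versioned dynamic symbols into imports (UND) and exports."""
    imports, exports = set(), set()
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            ndx, name, version = m.groups()
            (imports if ndx == "UND" else exports).add((name, version))
    return imports, exports

def check_imports(binary_dynsyms, library_dynsyms, prefix="OPENSSL_"):
    """Classify each versioned import of the binary against the library."""
    imports, _ = parse_dynsyms(binary_dynsyms)
    _, exports = parse_dynsyms(library_dynsyms)
    versions = {version for _, version in exports}
    report = {}
    for name, version in sorted(imports):
        if not version.startswith(prefix):
            continue  # e.g. GLIBC_* imports are resolved by another library
        if (name, version) in exports:
            report[(name, version)] = "ok"
        elif version in versions:
            # The version name exists but this symbol does not (this report).
            report[(name, version)] = "symbol missing, version present"
        else:
            report[(name, version)] = "version missing"
    return report

# Constructed sample rows, not captured from the affected packages.
# "placeholder_backported_fn" is a hypothetical symbol name.
BINARY = """\
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND EVP_MD_CTX_new@OPENSSL_3.0.0 (4)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND EVP_MD_CTX_get_size_ex@OPENSSL_3.4.0 (5)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
"""
LIBRARY = """\
   101: 00000000001a2b30    42 FUNC    GLOBAL DEFAULT   15 EVP_MD_CTX_new@@OPENSSL_3.0.0
   102: 00000000001a2c80    37 FUNC    GLOBAL DEFAULT   15 placeholder_backported_fn@@OPENSSL_3.4.0
"""

if __name__ == "__main__":
    for (name, version), status in check_imports(BINARY, LIBRARY).items():
        print(f"{name}@{version}: {status}")
```

On a real system the two inputs would be the `readelf -W --dyn-syms` output of the binary (here /usr/sbin/pkcsslotd) and of libcrypto.so.3.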