Bug 15391 - hiawatha incorrectly provides libpolarssl.so.7
Summary: hiawatha incorrectly provides libpolarssl.so.7
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: High major
Target Milestone: ---
Assignee: QA Team
QA Contact:
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2015-03-01 18:12 CET by Alex Loginov
Modified: 2015-05-05 15:37 CEST (History)
9 users (show)

See Also:
Source RPM: hiawatha
Status comment:


Description Alex Loginov 2015-03-01 18:12:55 CET
Description of problem:

[user@localhost ~]$ linphone
linphone: error while loading shared libraries: libpolarssl.so.7: cannot open shared object file: No such file or directory

Version-Release number of selected component (if applicable): linphone-3.7.0-1.mga5.i586.rpm

How reproducible: always

Steps to Reproduce:
1. install linphone
2. run linphone


Steps to Reproduce:
Comment 1 David Walser 2015-03-07 03:09:15 CET
OK, there don't appear to be any packaging problems with linphone.

linphone requires liblinphone.so.6, provided by liblinphone6.

liblinphone6 requires libbellesip.so.0, provided by libbellesip0.

libbellesip0 requires libpolarssl.so.7, provided by libpolarssl7.

So, if you have libpolarssl7 installed, this should work fine.

The problem is, libpolarssl.so.7 is also provided by hiawatha, which has:

So there's two problems there.  One, it's bundling it when it should be linked to the system one.  Two, it's providing it, when it's not in the standard lib location, so your system's urpmi installed hiawatha to satisfy the dependency, and now belle-sip can't find the library.

hiawatha needs to be rebuilt against the system polarssl.

CC: (none) => luigiwalser
Assignee: bugsquad => bersuit.vera
Severity: normal => major

David Walser 2015-03-07 03:09:21 CET

Source RPM: linphone/belle-sip => hiawatha

David Walser 2015-03-07 03:09:42 CET

Summary: linphone does not start without libpolarssl7 => hiawatha incorrectly provides libpolarssl.so.7

Comment 2 David Walser 2015-03-07 03:11:05 CET
This needs to be fixed before the release, otherwise this invalid provide may break things requiring libpolarssl7 indefinitely.

Priority: Normal => release_blocker

Comment 3 Jani Välimaa 2015-03-07 09:48:21 CET
Hiawatha is now fixed in SVN:

CC: (none) => jani.valimaa

Comment 4 Jani Välimaa 2015-03-07 10:00:51 CET
Hiawatha build with system polarssl throws following warning:

  Make sure the PolarSSL library has been built with the
  PolarSSL library may crash the Hiawatha webserver.

Someone should check if those are enabled in polarssl.
Comment 5 Jani Välimaa 2015-03-07 10:22:41 CET

From include/polarssl/config.h:
 * Enable the threading abstraction layer.
 * By default PolarSSL assumes it is used in a non-threaded environment or that
 * contexts are not shared between threads. If you do intend to use contexts
 * between threads, you will need to enable this layer to prevent race
 * conditions.
 * Module:  library/threading.c
 * This allows different threading implementations (self-implemented or
 * provided).
 * You will have to enable either POLARSSL_THREADING_ALT or
 * Enable this layer to allow use of mutexes within PolarSSL

Enabled them locally and polarssl builds and passes all checks. However I don't know how this change affects to pkgs needing polarssl, but I'll commit my changes also to polarssl.
Comment 6 David Walser 2015-03-07 17:38:25 CET
OK, I'll CC Oden (polarssl maintainer).

CC: (none) => oe

Comment 7 Oden Eriksson 2015-03-09 09:57:40 CET
Fixed here:

r817959 | wally | 2015-03-07 09:42:59 +0100 (lör  7 mar 2015) | 1 rad

- make sure system libpolarssl is used (SILENT)
r817958 | wally | 2015-03-07 09:39:19 +0100 (lör  7 mar 2015) | 1 rad

- build against system libpolarssl (mga#15391)

Needs submision.
Comment 8 David Walser 2015-03-09 15:35:17 CET
(In reply to Oden Eriksson from comment #7)
> Fixed here:

Yes, but there's also this for polarssl.  Is this change OK?

r817960 | wally | 2015-03-07 04:26:59 -0500 (Sat, 07 Mar 2015) | 3 lines

- build with POLARSSL_THREADING_PTHREAD and POLARSSL_THREADING_C flags enabled (mga#15391)
- add BuildRequires for graphviz
Comment 9 Oden Eriksson 2015-03-09 15:36:55 CET
Go ahead. Just test that pdns still builds.
Comment 10 Anne Nicolas 2015-03-09 21:56:01 CET
Fixed with commit #817959 and  hiawatha-9.9-2.mga5

CC: (none) => ennael1
Resolution: (none) => FIXED

Comment 11 David Walser 2015-03-09 21:58:31 CET
Thanks Anne.

So I checked Mageia 4 and this issue exists there.  This is no longer a Cauldron release_blocker of course, but it's still a Mageia 4 bug, so reopening.  We should issue an update to fix this.

On Mageia 4 this would also be a security update, since we've issued security fixes in the system polarssl.

Priority: release_blocker => High
Component: RPM Packages => Security
Version: Cauldron => 4
Resolution: FIXED => (none)

Comment 12 Sander Lepik 2015-04-25 21:37:47 CEST
Ping. Is someone going to fix it for mga4?

CC: (none) => mageia
Assignee: bersuit.vera => juan.baptiste

Comment 13 Sander Lepik 2015-05-03 16:55:58 CEST
Ping #2. If no one is interested in maintaining it then we can also just drop it..
Comment 14 David GEIGER 2015-05-03 17:47:07 CEST
Before the fix of hiawatha-9.3-1.mga4, polarssl-1.3.9-1.1.mga4 must be first fixed with the same change as the comment 4:


After that, hiawatha can be built against system libpolarssl with same fix as Cauldron:


CC: (none) => geiger.david68210

Comment 15 David GEIGER 2015-05-04 13:11:22 CEST
So, new updates with fixes of polarssl and hiawatha are now submitted and uploaded in mga4/Core-Updates_Testing.
Comment 16 David Walser 2015-05-04 13:34:36 CEST
The pdns and pdns-recursor packages should also be tested with this polarssl rebuild.  Fortunately, we are testing updates for those packages as well in Bug 15754.


Updated hiawatha package fixes security vulnerabilities:

The hiawatha package included a bundled copy of PolarSSL 1.3.2, which was
vulnerable to several security issues that had already been fixed in the
system polarssl package.  These issues were CVE-2014-4911, CVE-2014-8627,
CVE-2014-8628, and CVE-2015-1182, which were fixed in MGASA-2014-0315,
MGASA-2014-0481, and MGASA-2015-0055.

The polarssl package has been adjusted so that hiawatha can use it, and
hiawatha has been rebuilt to use the updated system polarssl, fixing these


Updated packages in core/updates_testing:

from SRPMS:

CC: (none) => juan.baptiste
Assignee: juan.baptiste => qa-bugs

Comment 17 David GEIGER 2015-05-04 13:47:10 CEST
Note that you can simply follow these instructions to test Hiawatha:

David GEIGER 2015-05-04 13:47:58 CEST

Whiteboard: (none) => has_procedure

Comment 18 Shlomi Fish 2015-05-04 17:24:07 CEST
(In reply to David GEIGER from comment #17)
> Note that you can simply follow these instructions to test Hiawatha:
> http://www.servermom.org/install-hiawatha-centos-7/1936/

Testing complete on an MGA4-x86-64 VBox VM . Seems to be working fine.

CC: (none) => shlomif
Whiteboard: has_procedure => MGA4-64-OK has_procedure

Comment 19 Shlomi Fish 2015-05-04 17:33:03 CEST
And tested fine on a 32-bit i586 MGA 4 VBox VM. MGA4-32-OKing it.

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Comment 20 claire robinson 2015-05-05 12:40:17 CEST
pdns tested with polarssl from updates testing - bug 15754 - also polarssl itself tested with polarssl-selftest https://bugs.mageia.org/show_bug.cgi?id=11459#c7 
[ All tests passed ].

Validating. Advisory uploaded.

Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 21 Mageia Robot 2015-05-05 15:37:29 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.