On 2019-02-02 14:46:54 [+0100], Andreas Beckmann wrote: > I'm not going to touch that package, please go ahead with preparing a > NMU (or probably rather QA upload if it is gone from sid) to stretch, > since you seem to know how to properly fix this bug once and for all :-)
I'm proposing this attached debdiff. For testing I compiled it against libssl1.0-dev 1.0.2j-5 and then upgraded to the version provided by the security repository. No error message. I expect it work - it would be awesome if the reporter could confirm this (I can provided the binary packages if required). > Andreas Sebastian
diff -Nru ckermit-302/debian/changelog ckermit-302/debian/changelog --- ckermit-302/debian/changelog 2017-01-12 09:18:27.000000000 +0100 +++ ckermit-302/debian/changelog 2019-02-14 23:35:55.000000000 +0100 @@ -1,3 +1,11 @@ +ckermit (302-5.3+deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Drop check openssl compile time version vs runtime version + (Closes: #917485). + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Thu, 14 Feb 2019 23:35:55 +0100 + ckermit (302-5.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru ckermit-302/debian/patches/ckermit-drop-the-version-for-openssl.patch ckermit-302/debian/patches/ckermit-drop-the-version-for-openssl.patch --- ckermit-302/debian/patches/ckermit-drop-the-version-for-openssl.patch 1970-01-01 01:00:00.000000000 +0100 +++ ckermit-302/debian/patches/ckermit-drop-the-version-for-openssl.patch 2019-02-14 23:31:55.000000000 +0100 @@ -0,0 +1,110 @@ +From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +Date: Thu, 14 Feb 2019 22:13:40 +0100 +Subject: [PATCH] ckermit: drop the version for openssl + +ckermit checks at runtime the version of the libssl it was compiled +against the libssl library it is running. The comment says that it is +required because the ABI is not stable at the 1.0.0 version and may +change so it is better to abort. +Meanwhile, openssl has a stable ABI and if something changes in a +non-compatible way then the so name changes. + +Remove the check if the version of libssl changed between compile time +and run time because it is outdated / not required anymore. + +BTS: https://bugs.debian.org/917485 + +Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +--- + ck_ssl.c | 68 +------------------------------------------------------- + 1 file changed, 1 insertion(+), 67 deletions(-) + +diff --git a/ck_ssl.c b/ck_ssl.c +index 3640d8f07fa86..75e2875c7fe91 100644 +--- a/ck_ssl.c ++++ b/ck_ssl.c +@@ -1362,15 +1362,7 @@ ssl_once_init() + + if ( !ck_ssleay_is_installed() ) + return; +-/* +- OpenSSL does not provide for ABI compatibility between releases prior +- to version 1.0.0. If the version does not match, it is not safe to +- assume that any function you call takes the same parameters or does +- the same thing with them. Removing this test prior to the OpenSSL 1.0.0 +- release will result in an increase in unexplained or incorrect behaviors. +- The test should be revised once OpenSSL 1.0.0 is released and we see what +- its claims are as to ABI compatibility. +-*/ ++ + debug(F111,"Kermit built for OpenSSL",OPENSSL_VERSION_TEXT,SSLEAY_VERSION_NUMBER); + #ifndef OS2ONLY + debug(F111,"OpenSSL Library",SSLeay_version(SSLEAY_VERSION), +@@ -1380,64 +1372,6 @@ ssl_once_init() + debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0); + + /* The following test is suggested by Richard Levitte */ +- if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) +-#ifdef OS2 +- || ckstrcmp(OPENSSL_VERSION_TEXT,(char *)SSLeay_version(SSLEAY_VERSION),-1,1) +-#endif /* OS2 */ +- ) { +- ssl_installed = 0; +- debug(F111,"OpenSSL Version does not match. Built with", +- SSLeay_version(SSLEAY_VERSION),SSLEAY_VERSION_NUMBER); +- printf("?OpenSSL libraries do not match required version:\r\n"); +- printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT); +- printf(" . Version found %s\r\n",SSLeay_version(SSLEAY_VERSION)); +- printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n"); +- +- s = "R"; +-#ifdef SOLARIS +- printf(" Set CD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT); +- s = " Or r"; +-#endif /* SOLARIS */ +- +-#ifdef HPUX +- printf(" Set SHLIB_PATH for %s.\r\n",OPENSSL_VERSION_TEXT); +- s = " Or r"; +-#endif /* HPUX */ +- +-#ifdef AIX +- printf(" Set LIBPATH for %s.\r\n",OPENSSL_VERSION_TEXT); +- s = " Or r"; +-#endif /* AIX */ +- +-#ifdef LINUX +- printf(" Set LD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT); +- s = " Or r"; +-#endif /* LINUX */ +- +- printf(" %sebuild C-Kermit from source on this computer to make \ +-versions agree.\r\n",s); +- +-#ifdef KTARGET +- { +- char * s; +- s = KTARGET; +- if (!s) s = ""; +- if (!*s) s = "(unknown)"; +- printf(" C-Kermit makefile target: %s\r\n",s); +- } +-#endif /* KTARGET */ +- printf(" Or if that is what you did then try to find out why\r\n"); +- printf(" the program loader (image activator) is choosing a\r\n"); +- printf(" different OpenSSL library than the one specified in \ +-the build.\r\n\r\n"); +- printf(" All SSL/TLS features disabled.\r\n\r\n"); +- bleep(BP_FAIL); +-#ifdef SSLDLL +- ck_ssl_unloaddll(); +- ck_crypto_unloaddll(); +-#endif /* SSLDLL */ +- return; +- } + #endif /* OS2ONLY */ + + /* init things so we will get meaningful error messages +-- +2.20.1 + diff -Nru ckermit-302/debian/patches/series ckermit-302/debian/patches/series --- ckermit-302/debian/patches/series 2016-04-19 23:15:56.000000000 +0200 +++ ckermit-302/debian/patches/series 2019-02-14 23:32:28.000000000 +0100 @@ -4,3 +4,4 @@ 040_fix_types.patch 050-consider-OPENSSL_NO_SSL3.patch 900_ck_patch.patch +ckermit-drop-the-version-for-openssl.patch