From mboxrd@z Thu Jan  1 00:00:00 1970
From: johny at neuromancer.sk (Jan Jancar)
Date: Mon, 22 May 2017 22:39:45 +0200
Subject: Bug: SIGSEGV in OPENSSL_cleanse
In-Reply-To: <20170522185128.GF7429@john.keeping.me.uk>
References: <2e8d90dd-1483-9e58-f2e9-51220d0c4a4d@neuromancer.sk>
 <20170522185128.GF7429@john.keeping.me.uk>
Message-ID: <81a1dcd7-0b2c-c1b0-738f-0607473fdd87@neuromancer.sk>

On 05/22/2017 08:51 PM, John Keeping wrote:
> Did you compile CGit yourself or are you using a pre-built package?
> What version of libssl-dev is installed?
> 
> I wouldn't be surprised if compiling against openssl-1.0 headers but
> linking with openssl-1.1 produces the behaviour you describe above.
> 

I am using the distro-provided version:

https://archlinuxarm.org/packages/armv6h/cgit

Name            : cgit
Version         : 1.1-2
Description     : A web interface for git written in plain C
Architecture    : armv6h
URL             : http://git.zx2c4.com/cgit/
Licenses        : GPL2
Groups          : None
Provides        : None
Depends On      : openssl  luajit
Optional Deps   : python-pygments: syntax highlighting support
                  python-markdown: about page formated with markdown
                  mime-types: serve file with correct content-type
header [installed]
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 975.00 KiB
Packager        : Arch Linux ARM Build System <builder+xu6 at archlinuxarm.org>
Build Date      : Wed 26 Apr 2017 01:39:23 AM CEST
Install Date    : Fri 05 May 2017 08:21:33 PM CEST
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : Signature


Arch linux doesn't package -dev packages, the headers are part of the
openssl or openssl-1.0 package. So they live in
"/usr/include/openssl/*.h" and "/usr/include/openssl-1.0/openssl/*.h"
respectively.

Currently rebuilding cgit, but that might take a while since it's just a
RaspberryPi so in the meantime, since I run cgit through uWSGI behind
nginx, I fixed this by adding LD_PRELOAD=/usr/lib/libcrypto.so.1.0.0 to
the uWSGI cgit environment. Still don't know how this happened and why
is the coredump reporting a SEGV in the wrong lib(with which in a
LD_PRELOAD it actually works).

Thanks! In the end this is really just a packaging / build bug so not an
upstream problem.

Cheers,
-- 
Jan
______________________________________________________
   /\  # PGP: 362056ADA8F2F4E421565EF87F4A448FE68F329D
  /__\  # https://neuromancer.sk
 /\  /\  # Eastern Seaboard Phishing Authority
/__\/__\  #

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 862 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/cgit/attachments/20170522/59f07c3a/attachment.asc>