Control: reassign -1 libmount1 Control: found -1 2.35.2-6 Control: retitle -1 libmount1 pulls in libssl 1.1 and breaks software statically linked against libcrypto 1.0
On Sat, 27 Jun 2020 at 01:08:49 -0400, Christian Weeks wrote: >> Unless there is a reproducer involving a targeted libcryptsetup12 >> upgrade I don't think this belong here :-P Aside from documentation >> files, the only thing libcryptsetup12 (2:2.1.0-5+deb10u2 and 2:2.3.3-1) >> ships is libcryptsetup.so.12*. It doesn't touch libssl. > > It seems that libcryptsetup + the new libmount1 dependency on same are > the root cause somehow. Sorry for the confusion. To the util-linux maintainers: the following link from #message26 appears relevant: https://github.com/ValveSoftware/steam-for-linux/issues/6861#issuecomment-584379611 Starting with 2.1 cryptsetup upstream started using libssl as cryptographic backend for LUKS header processing; this is already the case in Buster and while other backends are supported I'm very reluctant to diverge from upstream's sane defaults here. So software dynamically linked against libmount ≥2.35.2-5 will transitively pull in libssl.so.1.1, which due to symbol clashes appears to crash software statically linked against libssl1.0. Unfortunately I've not been able to find a standalone reproducer using a PoC executable and I didn't look further. I'm not sure this bug should be RC, or if it's even valid in the first place (it's arguably a steam bug). Reassigning to libmount1 anyway as the regression follows #951048. Cheers, -- Guilhem.
signature.asc
Description: PGP signature
